New RBAC feature offers granularity and flexibility for Outpost24’s EASM customers

A new role-based access control (RBAC) feature has been added to Outpost24’s external attack surface management (EASM) solution. This opens up new possibilities for Outpost24 customers, allowing them to configure permissions for different roles at a finer granularity. New benefits for day-to-day users of our EASM solution will include:

  1. Being able to restrict the levels of access for users and teams across an organization
  2. Meeting compliance requirements for the principle of least privilege
  3. Mapping roles and permissions between different teams with varied geographies and competencies

We’ll explore why these benefits underscore how RBAC can be a critical component in enhancing security, ensuring compliance, and managing access control in a complex organizational environment.

How does RBAC work?

With role-based access control (RBAC), Outpost24 EASM customers will be able to manage access and permissions for specific users from the attack surface overview in the platform. This lets you set up limitations on actions and access to specific modules. For example, if your organization is divided into different subsidiaries, you may want to limit access to the attack surface of a subsidiary to a single team.

The complete overview of the organization’s attack surface can be limited to admin users only. From there, role-based access can be easily set up and managed by admin users in the settings of the EASM platform. Admins will still have a global scope which contains all assets of the organization, but you may want to further divide up access per subscope. If your attack surface has been divided into subscopes (e.g. per IT team or per brand), each subscope will include the subsidiary’s assets (domains, IPs, SSLs, ports, etc.) and exclude the assets belonging to other subsidiaries.

There will be three built-in roles with the new feature:

  • Viewer (Read only)
  • Analyst (All access without admin features)
  • Administrator (Full access)

Additionally, you can create custom roles and determine detailed access levels. It’s also possible to place limitations on actions, like making some users read-only, and to limit access to specific modules.
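The scope and role structure described above, as an added illustration that is not Outpost24’s own code: a global scope divided into subscopes, the three built-in roles, a constructed custom role that is read-only and limited to one module, and a default-deny check that grants an action only when a user’s role permits it in a scope that covers the asset. The permission strings, module names, users and assets are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Roles map to "module:action" permissions ("*" is a wildcard). The three built-in
# roles follow the article; "Port reviewer" is a constructed custom role that is
# read-only and limited to a single module.
ROLES = {
    "Viewer": {"*:view"},
    "Analyst": {"*:view", "*:edit"},
    "Administrator": {"*:view", "*:edit", "admin:*"},
    "Port reviewer": {"ports:view"},
}

@dataclass
class Scope:
    """The global scope (parent=None) or a subscope holding one subsidiary's assets."""
    name: str
    parent: Scope | None = None
    assets: set[str] = field(default_factory=set)

    def covers(self, asset: str) -> bool:
        # The global scope covers every asset; a subscope only the assets placed in it.
        return self.parent is None or asset in self.assets

def role_allows(role: str, module: str, action: str) -> bool:
    return any(fnmatch(f"{module}:{action}", perm) for perm in ROLES[role])

def is_allowed(assignments: list[tuple[str, Scope]], module: str, action: str, asset: str) -> bool:
    """Default deny: allow only if one of the user's (role, scope) assignments
    permits the action in a scope that covers the asset."""
    return any(scope.covers(asset) and role_allows(role, module, action)
               for role, scope in assignments)

# Constructed organisation: a global scope divided into UK and DE subscopes,
# with documentation-range hosts (RFC 5737) standing in for real assets.
GLOBAL = Scope("global")
UK = Scope("uk", GLOBAL, {"shop.example.co.uk", "203.0.113.10"})
DE = Scope("de", GLOBAL, {"shop.example.de", "198.51.100.20"})
USERS = {
    "admin": [("Administrator", GLOBAL)],
    "uk_analyst": [("Analyst", UK)],
    "de_viewer": [("Viewer", DE)],
    "port_auditor": [("Port reviewer", GLOBAL)],
}

def check(user: str, module: str, action: str, asset: str) -> bool:
    return is_allowed(USERS[user], module, action, asset)
```

The UK analyst can edit UK assets but cannot even view DE assets, and nobody outside the Administrator role reaches the admin module.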

RBAC dashboard view

Why should you be using RBAC?

RBAC improves security by allowing you to give different levels of access to different users and teams. This is especially true for larger enterprises with many different teams and roles, where having only two levels of access can be limiting. RBAC makes defining and changing permissions more granular and flexible: mapping the organization’s structure and teams to their associated permissions allows customers to organize work more efficiently.

This is fundamental to implementing a least privilege policy. It also gives users more focus, since each user or team can be configured to have access only to the assets and observations they should work on.

Let’s look at three key ways RBAC can improve your EASM working process:

1. Restricting access levels across users and teams

One of the primary advantages of RBAC is its ability to restrict access levels for users and teams across an organization. By defining roles that correspond to specific job functions, RBAC ensures that individuals only have access to the resources and data they need to perform their tasks. This granular control helps prevent unauthorized access and reduces the risk of data breaches.

For example, a marketing team might have access to customer data for campaign purposes, while the finance team has access to financial records but not customer data. Or you may want to split access within a security team geographically, so for example the UK security team only has access to UK assets. This segmentation enhances security and maintains the integrity of sensitive information.

2. Meeting least privilege compliance requirements

RBAC is instrumental in meeting compliance requirements, particularly the principle of least privilege. This principle dictates that users should only be given the minimum levels of access necessary to perform their job functions. By implementing RBAC, organizations can easily assign roles that adhere to this principle, ensuring that no user has more access than they need.

This not only helps in complying with regulations like GDPR, HIPAA, and SOX but also provides a clear audit trail. In the event of an audit, organizations can demonstrate that they have robust access controls in place, thereby simplifying the compliance process.

3. Mapping permissions across diverse teams

In large organizations with teams spread across different geographies and possessing varied competencies, RBAC offers a streamlined way to map roles and permissions. By defining roles that are applicable across different regions and departments, RBAC ensures consistency in access control policies. For instance, a project manager in the U.S. and a project manager in Europe can have the same role with identical permissions, despite being in different locations.

This uniformity simplifies management and ensures that all team members have the access they need, regardless of their geographical location or specific competencies. Additionally, it facilitates collaboration and information sharing without compromising security.

Not using EASM yet? Get started here

RBAC is just one of the useful features you’ll find in Outpost24’s EASM solution. If you’re interested in learning how EASM could fit in with your organization, book a free attack surface mapping here.