
The cost of role explosion

When vendors in our market talk about the need for an external authorization solution, we often cite it as a way to avoid or contain the cost of role explosion.

But what is role explosion, and how do so many customers end up drowning in roles?

And what are “roles” in the first place?

Understanding roles and their complexities

In role-based access control (RBAC), a role is a named bundle of permissions: users are assigned roles, and a user is allowed to do something when one of their roles carries the matching permission. In practice, a role is simply the way an organization says which users should have access to which information.

For example, a role could simply be “Engineer”, and only users holding it can access engineering data. That sounds straightforward, but questions and challenges emerge as your organization grows.

Consider the following questions:

Should all engineers have access to the same engineering data?

What if not all of the engineers are on the same project?

What if the information an engineer wants to access is export controlled?

What if said information is also highly sensitive and could be devastating to a business in the wrong hands like the Coca-Cola recipe?

The list of questions could go on and on.

This is the point at which organizations typically respond by defining more roles to tighten access control.

Sample use case

Let’s say someone is an engineer, but they’re working on “Project Omega” based in Canada.

In this case, IT would have a few different roles associated with that engineer’s account, which could be as follows:

Engineer, Canada, Project Omega

A colleague in the United States is also an engineer but is working on Project Delta. That requires further roles, which might look like:

Engineer, United States, Project Delta

Though this example seems easy to follow, the reality is a lot more complicated.

Roles can be tailored by job type, location, skills, compliance obligations, and so on. Using the example above, assume there are 100 engineers in 20 locations, working on 15 different projects.

If location and project are kept as separate roles, that alone means at least 35 roles (20 locations plus 15 projects) on top of Engineer. But a plain role check cannot express “Engineer and in Canada and on Project Omega” unless that combination is itself a role, so in practice each combination the organization needs to grant ends up as its own role: up to 20 × 15 = 300 engineer roles for only 100 engineers.

This doesn’t take into account variables such as manager/employee, security clearance, or type of engineer (project manager, quality assurance, team lead, etc.), each of which multiplies the count again.

As companies grow and try to refine who can access what, the number of roles grows combinatorially, to the point where they have more roles than employees.
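The arithmetic above, and the alternative the rest of this post argues for, as an added illustration (this is not code from the original post or from any product). It models the sample use case with user attributes (job, country, project) and resource attributes (project, export control, permitted countries): it counts the combination roles RBAC would need, counts how many a constructed population of 100 engineers already exercises, and evaluates three attribute rules that replace those roles. The location and project names, the 100-engineer population, and the three rules are constructed for the example; “Project Omega”, “Project Delta”, Canada and the United States are the post’s own values.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class User:
    name: str
    job: str        # "Engineer"
    country: str    # "Canada", "United States", ...
    project: str    # "Project Omega", "Project Delta", ...


@dataclass(frozen=True)
class Resource:
    name: str
    project: str
    export_controlled: bool = False
    allowed_countries: FrozenSet[str] = frozenset()  # consulted only when export_controlled


def combined_roles_needed(jobs, locations, projects):
    """Roles required when one role must encode the whole combination
    (job, location, project), e.g. 'Engineer:Canada:Project Omega', so
    that holding the role alone is enough to decide access."""
    return len(jobs) * len(locations) * len(projects)


def combined_roles_in_use(users):
    """The distinct combination roles a population actually exercises."""
    return {f"{u.job}:{u.country}:{u.project}" for u in users}


def abac_permit(user, resource):
    """Three attribute rules replace the per-combination roles:
      1. only engineers see engineering data
      2. only members of the resource's project see its data
      3. export-controlled data is visible only from permitted countries
    Returns (decision, reason) so a denial is explainable."""
    if user.job != "Engineer":
        return False, "not an engineer"
    if user.project != resource.project:
        return False, "not assigned to " + resource.project
    if resource.export_controlled and user.country not in resource.allowed_countries:
        return False, f"export-controlled; not permitted from {user.country}"
    return True, "permit"


def build_population(n, locations, projects):
    """Constructed population of n engineers spread across locations and projects."""
    return [
        User(f"eng{i:03d}", "Engineer", locations[i % len(locations)], projects[i % len(projects)])
        for i in range(n)
    ]


# Constructed data: 20 locations, 15 projects, 100 engineers (the post's figures).
LOCATIONS = [f"Location {i:02d}" for i in range(20)]
PROJECTS = [f"Project {i:02d}" for i in range(15)]
ENGINEERS = build_population(100, LOCATIONS, PROJECTS)

# The post's two engineers, a third constructed one, and an export-controlled
# Project Omega document that may only be viewed from Canada (constructed).
CA_ENGINEER = User("omega-ca", "Engineer", "Canada", "Project Omega")
US_ENGINEER = User("delta-us", "Engineer", "United States", "Project Delta")
US_ON_OMEGA = User("omega-us", "Engineer", "United States", "Project Omega")
OMEGA_DESIGN = Resource("omega-design.pdf", "Project Omega",
                        export_controlled=True, allowed_countries=frozenset({"Canada"}))

if __name__ == "__main__":
    print("combination roles needed for 1 job x 20 locations x 15 projects:",
          combined_roles_needed(["Engineer"], LOCATIONS, PROJECTS))
    print("combination roles already in use by 100 engineers:",
          len(combined_roles_in_use(ENGINEERS)))
    for u in (CA_ENGINEER, US_ENGINEER, US_ON_OMEGA):
        print(u.name, abac_permit(u, OMEGA_DESIGN))
```

The three rules stay the same size whether there are 15 projects or 150, because the project and country live on the user and the resource as attributes rather than being baked into role names; that is the difference the rest of this post is about.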

This is where role explosion comes in, and while it may not seem like a problem, let’s look at the costs associated.

The issue of maintaining accuracy

The first challenge to keeping roles accurate is that a user may have dozens of roles assigned to them, a problem that starts the day they join the organization.

In most cases, the team assigning roles simply copies the roles of a coworker to the new employee.

The problem is that not all employees are equal: being in the same department doesn’t mean they should all have access to the same information.

Referring back to our engineer in Canada, they shouldn’t have the same access to content as the engineer based in the United States, especially for export control scenarios.

This challenge doesn’t just apply to the new employees. As employees gain more skills, certifications, responsibilities, change departments, etc., their role requirements also need to change.

This usually means adding new roles. The problem is that in most cases, old roles aren’t removed.

A common example is a user temporarily given a “Manager” role while the actual manager is away. This grants the acting manager additional privileges such as approving orders, vacation requests, or other managerial tasks.

What happens when the manager comes back? In practice, the acting manager rarely has those privileges removed.

As a result, users are given too much access to information beyond that which they need to effectively do their job. This lack of accuracy leads to the next two costs.
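The acting-manager case above, as an added illustration (not code from the original post or from any product). Role assignments carry an optional expiry; the permission check ignores expired grants, so a time-boxed delegation stops working on its own, and two review functions list grants that have lapsed and elevated grants that were never given an expiry at all. The role-to-permission table, the users “alice” and “bob” and their dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Which permissions each role carries (constructed for this illustration).
ROLE_PERMISSIONS = {
    "Engineer": {"view_engineering_data"},
    "Manager": {"approve_order", "approve_vacation"},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted_on: date
    expires_on: Optional[date] = None  # None: the grant never lapses on its own
    reason: str = ""


def active_roles(assignments, user, today):
    """Roles that count for `user` on `today`; grants past expires_on are ignored."""
    return {
        a.role
        for a in assignments
        if a.user == user and (a.expires_on is None or today <= a.expires_on)
    }


def can(assignments, user, permission, today):
    """True if any currently active role of `user` carries `permission`."""
    return any(
        permission in ROLE_PERMISSIONS.get(role, set())
        for role in active_roles(assignments, user, today)
    )


def expired_assignments(assignments, today):
    """Grants past their expiry that are still on record: the cleanup list."""
    return [a for a in assignments if a.expires_on is not None and today > a.expires_on]


def open_ended_elevations(assignments, elevated_roles=("Manager",)):
    """Grants of sensitive roles with no expiry at all: the 'acting manager who
    was never de-provisioned' case, flagged for review."""
    return [a for a in assignments if a.role in elevated_roles and a.expires_on is None]


# Constructed sample: alice covers for her manager for two weeks with an
# expiring grant; bob was made acting manager the usual way, with no expiry.
ASSIGNMENTS = [
    Assignment("alice", "Engineer", date(2023, 1, 9)),
    Assignment("alice", "Manager", date(2024, 3, 1), date(2024, 3, 15), "covering for manager on leave"),
    Assignment("bob", "Engineer", date(2022, 6, 1)),
    Assignment("bob", "Manager", date(2023, 8, 1), None, "acting manager, never removed"),
]
DURING_COVER = date(2024, 3, 10)   # manager still away
AFTER_RETURN = date(2024, 3, 20)   # manager is back

if __name__ == "__main__":
    for day in (DURING_COVER, AFTER_RETURN):
        for who in ("alice", "bob"):
            print(day, who, "approve_order:", can(ASSIGNMENTS, who, "approve_order", day))
    print("expired, still on record:",
          [(a.user, a.role) for a in expired_assignments(ASSIGNMENTS, AFTER_RETURN)])
    print("elevated with no expiry:",
          [(a.user, a.role) for a in open_ended_elevations(ASSIGNMENTS)])
```

Note that bob keeps approving orders indefinitely in this model, exactly as the post describes; the expiry on alice’s grant is what removes the dependence on someone remembering to revoke it, and the two review functions are what an access review would run to find the bobs.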

The issue of time and required resources

As the number of roles in the system increases, the administrative overhead associated with managing and maintaining them can grow significantly.

This is because each role must be created, updated, and deleted as needed to accurately reflect the access requirements of users and resources.

Creating new roles can be a time-consuming process that requires careful consideration of the access requirements of each user or resource.

This can involve working with stakeholders to understand their needs and translating those needs into specific access permissions and restrictions. As the number of roles increases, this process becomes more complex and requires more time and resources to complete.

Updating roles is also a challenging task, particularly if there are many users or resources with overlapping access requirements. Changes to one role may need to be reflected in other roles as well, which can require careful coordination and communication among administrators.

As the number of roles increases, this process becomes more complicated and error-prone, increasing the risk of misconfigurations or other security issues.

Finally, deleting roles is another time-consuming and complex process.

If a role is no longer needed, it may be necessary to carefully review the access permissions associated with that role and determine how to redistribute them among other roles or users.

This requires significant time and effort, particularly if there are many users or resources involved.

Being susceptible to data breaches

A report from Firewall Times says “98% of cyber attacks involve some form of social engineering”.

The point is that no matter how much security you’ve invested in, a human with access to information is the most likely cause of a data breach. Users with too much access can inadvertently share that information with the wrong people, and when such a user is phished, the attacker inherits every piece of access the user holds, so over-provisioned accounts directly enlarge the blast radius of a single compromised one.

This is especially true in situations where users don’t understand the value of information they have access to.

Meeting regulatory compliance requirements

Along the same lines, over-provisioned users also expose the organization to compliance violations.

Government and regulatory bodies around the world recognize the implications of losing data and are setting more costly penalties for organizations that fail to comply. These fines are no longer measured in tens, hundreds, or thousands of dollars, but in millions.

How much does role explosion cost?

While there’s no definitive fixed cost, the issue is that the cost balloons as the organization grows, making this a significant financial issue for large enterprises. Looking at the General Data Protection Regulation (GDPR) alone, organizations such as Meta have paid more than 700 million euros in compliance violations in 2022 alone.

Learn more about role explosion by downloading our white paper on evolving your role-based access control strategy to an attribute-based access control strategy.

About the author

As the vice president of customer relations, Matt works closely with customers and partners to leverage our award-winning authorization solutions to address current and future access challenges. He has 15+ years of experience in technology, working with companies including Titus, ClearPicture, and N-able Technologies.