Featured Research

from universities, journals, and other organizations

Computer security: Role-based control may have saved billions

Date:
February 17, 2011
Source:
National Institute of Standards and Technology (NIST)
Summary:
A new economics study argues that the development of "role-based access control," a computer-security technology fostered and championed by the National Institute of Standards and Technology in the 1990s, may have saved US industry as much as $6.1 billion over the past two decades.

What NIST-led innovation is estimated to have saved U.S. industry $6.1 billion over the past 20 years? Well, probably several, but, perhaps surprisingly, a new economics study points to the development of "role-based access control," a computer-security technology fostered and championed by the National Institute of Standards and Technology (NIST) in the 1990s.

Role-based access control (RBAC) is the idea of establishing standard levels of access -- "permissions" -- to the various computing resources and networks of an organization that are tailored to specific employee roles, or job functions rather than individuals. In a large, information-intensive organization, it is generally far easier and more reliable for system security managers to assign a new hire to one or more "roles" and have all the appropriate permissions set automatically than to do each manually.

RBAC is now a common security tool. Facebook users employ it when they assign privileges on their pages to roles like "Friends," "Friends of Friends" and "Everyone." But in the early 1990s, it was a new -- and difficult to implement -- strategy. Organizations tended to rely on the more primitive "access control lists" that had to be set individually for each system for each employee. NIST has been at the center of RBAC development for nearly 20 years. The agency published a comprehensive RBAC model and the first technical specifications and formal description for RBAC in 1992. This was followed by both theoretical research and prototypes demonstrating the scalability and efficiency of RBAC. By 2000, in cooperation with George Mason University, NIST had developed a proposed RBAC standard. NIST led the ANSI/INCITS effort to establish a formal industry standard in 2004.

In a study prepared for NIST, RTI International used a combination of surveys of industry IT security managers in 2002 and 2010 and published industry data to estimate the impact of the NIST activities on the development and adoption of RBAC. The analysts estimate that by the end of 2010, over 50 percent of IT users at organizations with more than 500 employees have at least some of their system permissions managed by RBAC. NIST's work, they report, probably accelerated the introduction of RBAC by a year and also reduced development costs for firms adopting the strategy. The economic benefits flowed from more efficient management of system access, lower unproductive employee time due to more efficient access management, and more efficient maintenance and documentation of system access. The importance of the last item has been heightened by regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act of 2002, which mandated much more careful documentation and accountability for access to data in the regulated industries.

Assigning dollars to their model, the RTI researchers estimate that RBAC technology itself has generated $6.1 billion in net economic benefits to industry (values adjusted to 2009 dollars), of which $1.1 billion is attributable to NIST's work. Reckoning in the cost to the public of the NIST work, this translates to about $249 in benefit for every dollar spent.

The RTI study, 2010 Economic Analysis of Role-Based Access Control Final Report. is available on-line at http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf. NIST continues to work with industry to improve RBAC and will host a meeting of the INCITS CS1.1 committee on March 15, 2011, to discuss a proposal for a Role Based Access Control Next Generation Standard. Interested parties should contact D. Richard Kuhn at kuhn@nist.gov for details. More information on NIST's RBAC program is available at http://csrc.nist.gov/groups/SNS/rbac/index.html.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology (NIST). Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology (NIST). "Computer security: Role-based control may have saved billions." ScienceDaily. ScienceDaily, 17 February 2011. <www.sciencedaily.com/releases/2011/02/110217151449.htm>.
National Institute of Standards and Technology (NIST). (2011, February 17). Computer security: Role-based control may have saved billions. ScienceDaily. Retrieved October 1, 2014 from www.sciencedaily.com/releases/2011/02/110217151449.htm
National Institute of Standards and Technology (NIST). "Computer security: Role-based control may have saved billions." ScienceDaily. www.sciencedaily.com/releases/2011/02/110217151449.htm (accessed October 1, 2014).

Share This



More Computers & Math News

Wednesday, October 1, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Mozilla Bets On Software To Sell Its Chromecast Competitor

Mozilla Bets On Software To Sell Its Chromecast Competitor

Newsy (Oct. 1, 2014) Mozilla's Matchstick streaming device is entering a crowded market. The company is banking on open-source software to rise above the competition. Video provided by Newsy
Powered by NewsLook.com
App Teaches Kindergarteners to Code

App Teaches Kindergarteners to Code

AP (Oct. 1, 2014) They can't all read yet, but soon kindergarteners may be able to create basic computer code. Researchers in Massachusetts developed an app that teaches young kids a simple computer programming language. (Oct. 1) Video provided by AP
Powered by NewsLook.com
Microsoft Goes For Familiarity Over Novelty In Windows 10

Microsoft Goes For Familiarity Over Novelty In Windows 10

Newsy (Sep. 30, 2014) At a special event in San Francisco, Microsoft introduced its latest operating system, Windows 10, which combines key features from earlier versions. Video provided by Newsy
Powered by NewsLook.com
French Apple Fans Discover the Apple Watch

French Apple Fans Discover the Apple Watch

AFP (Sep. 30, 2014) Apple fans in France discover the latest toy, the Apple Watch. The watch comes in two sizes and an array of interchangeable, fashionable wrist straps. Duration: 00:42 Video provided by AFP
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins