Featured Research

from universities, journals, and other organizations

Computer security: Role-based control may have saved billions

Date: February 17, 2011

Source: National Institute of Standards and Technology (NIST)

Summary: A new economics study argues that the development of "role-based access control," a computer-security technology fostered and championed by the National Institute of Standards and Technology in the 1990s, may have saved US industry as much as $6.1 billion over the past two decades.

What NIST-led innovation is estimated to have saved U.S. industry $6.1 billion over the past 20 years? Well, probably several, but, perhaps surprisingly, a new economics study points to the development of "role-based access control," a computer-security technology fostered and championed by the National Institute of Standards and Technology (NIST) in the 1990s.

Role-based access control (RBAC) is the idea of establishing standard levels of access -- "permissions" -- to the various computing resources and networks of an organization that are tailored to specific employee roles, or job functions, rather than to individuals. In a large, information-intensive organization, it is generally far easier and more reliable for system security managers to assign a new hire to one or more "roles" and have all the appropriate permissions set automatically than to set each permission manually.
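The difference between assigning a new hire to a role and setting each permission by hand, as an added example that is not part of the original article. The role names, system names and employees are constructed, and the per-employee list store stands in for the manual approach.

```python
class ACLStore:
    """Access control lists: one manual entry per (system, employee)."""
    def __init__(self):
        self.acl = {}          # system -> set of employees
        self.admin_ops = 0     # manual edits an administrator performed

    def grant(self, system, employee):
        self.acl.setdefault(system, set()).add(employee)
        self.admin_ops += 1

    def allowed(self, employee, system):
        return employee in self.acl.get(system, set())

class RBACStore:
    """Permissions attach to roles; employees are only assigned roles."""
    def __init__(self, role_permissions):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {}   # employee -> set of roles
        self.admin_ops = 0

    def assign(self, employee, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(employee, set()).add(role)
        self.admin_ops += 1

    def allowed(self, employee, system):
        roles = self.user_roles.get(employee, ())
        return any(system in self.role_permissions[r] for r in roles)

    def audit(self, system):
        """List (employee, role) pairs that reach `system`: the access record."""
        return sorted((u, r) for u, roles in self.user_roles.items()
                      for r in roles if system in self.role_permissions[r])

# Constructed sample data (hypothetical roles, systems and hires).
ROLES = {"nurse": {"ehr-read", "scheduling"},
         "billing-clerk": {"billing", "ehr-read"}}
HIRES = [("alice", "nurse"), ("bob", "nurse"), ("carol", "billing-clerk")]

def onboard_all():
    """Give every hire the same access under both schemes."""
    acl, rbac = ACLStore(), RBACStore(ROLES)
    for employee, role in HIRES:
        rbac.assign(employee, role)         # RBAC: one operation per hire
        for system in sorted(ROLES[role]):  # ACL: one operation per hire per system
            acl.grant(system, employee)
    return acl, rbac
```

Onboarding the three hires takes six list edits but three role assignments, and `audit` answers who can reach a system and through which role.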

RBAC is now a common security tool. Facebook users employ it when they assign privileges on their pages to roles like "Friends," "Friends of Friends" and "Everyone." But in the early 1990s, it was a new -- and difficult to implement -- strategy. Organizations tended to rely on the more primitive "access control lists" that had to be set individually for each system for each employee.

NIST has been at the center of RBAC development for nearly 20 years. The agency published a comprehensive RBAC model and the first technical specifications and formal description for RBAC in 1992. This was followed by both theoretical research and prototypes demonstrating the scalability and efficiency of RBAC. By 2000, in cooperation with George Mason University, NIST had developed a proposed RBAC standard. NIST led the ANSI/INCITS effort to establish a formal industry standard in 2004.

In a study prepared for NIST, RTI International used a combination of surveys of industry IT security managers in 2002 and 2010 and published industry data to estimate the impact of the NIST activities on the development and adoption of RBAC. The analysts estimate that by the end of 2010, over 50 percent of IT users at organizations with more than 500 employees have at least some of their system permissions managed by RBAC. NIST's work, they report, probably accelerated the introduction of RBAC by a year and also reduced development costs for firms adopting the strategy. The economic benefits flowed from more efficient management of system access, lower unproductive employee time due to more efficient access management, and more efficient maintenance and documentation of system access. The importance of the last item has been heightened by regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act of 2002, which mandated much more careful documentation and accountability for access to data in the regulated industries.

Assigning dollars to their model, the RTI researchers estimate that RBAC technology itself has generated $6.1 billion in net economic benefits to industry (values adjusted to 2009 dollars), of which $1.1 billion is attributable to NIST's work. Reckoning in the cost to the public of the NIST work, this translates to about $249 in benefit for every dollar spent.

The RTI study, 2010 Economic Analysis of Role-Based Access Control Final Report, is available online at http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf. NIST continues to work with industry to improve RBAC and will host a meeting of the INCITS CS1.1 committee on March 15, 2011, to discuss a proposal for a Role Based Access Control Next Generation Standard. Interested parties should contact D. Richard Kuhn at kuhn@nist.gov for details. More information on NIST's RBAC program is available at http://csrc.nist.gov/groups/SNS/rbac/index.html.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology (NIST). Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology (NIST). "Computer security: Role-based control may have saved billions." ScienceDaily. ScienceDaily, 17 February 2011. <www.sciencedaily.com/releases/2011/02/110217151449.htm>.
National Institute of Standards and Technology (NIST). (2011, February 17). Computer security: Role-based control may have saved billions. ScienceDaily. Retrieved October 30, 2014 from www.sciencedaily.com/releases/2011/02/110217151449.htm
National Institute of Standards and Technology (NIST). "Computer security: Role-based control may have saved billions." ScienceDaily. www.sciencedaily.com/releases/2011/02/110217151449.htm (accessed October 30, 2014).
