Featured Research

from universities, journals, and other organizations

Computer security: Role-based control may have saved billions

Date:
February 17, 2011
Source:
National Institute of Standards and Technology (NIST)
Summary:
A new economics study argues that the development of "role-based access control," a computer-security technology fostered and championed by the National Institute of Standards and Technology in the 1990s, may have saved US industry as much as $6.1 billion over the past two decades.

What NIST-led innovation is estimated to have saved U.S. industry $6.1 billion over the past 20 years? Well, probably several, but, perhaps surprisingly, a new economics study points to the development of "role-based access control," a computer-security technology fostered and championed by the National Institute of Standards and Technology (NIST) in the 1990s.

Related Articles


Role-based access control (RBAC) is the idea of establishing standard levels of access -- "permissions" -- to the various computing resources and networks of an organization that are tailored to specific employee roles, or job functions rather than individuals. In a large, information-intensive organization, it is generally far easier and more reliable for system security managers to assign a new hire to one or more "roles" and have all the appropriate permissions set automatically than to do each manually.

RBAC is now a common security tool. Facebook users employ it when they assign privileges on their pages to roles like "Friends," "Friends of Friends" and "Everyone." But in the early 1990s, it was a new -- and difficult to implement -- strategy. Organizations tended to rely on the more primitive "access control lists" that had to be set individually for each system for each employee. NIST has been at the center of RBAC development for nearly 20 years. The agency published a comprehensive RBAC model and the first technical specifications and formal description for RBAC in 1992. This was followed by both theoretical research and prototypes demonstrating the scalability and efficiency of RBAC. By 2000, in cooperation with George Mason University, NIST had developed a proposed RBAC standard. NIST led the ANSI/INCITS effort to establish a formal industry standard in 2004.

In a study prepared for NIST, RTI International used a combination of surveys of industry IT security managers in 2002 and 2010 and published industry data to estimate the impact of the NIST activities on the development and adoption of RBAC. The analysts estimate that by the end of 2010, over 50 percent of IT users at organizations with more than 500 employees have at least some of their system permissions managed by RBAC. NIST's work, they report, probably accelerated the introduction of RBAC by a year and also reduced development costs for firms adopting the strategy. The economic benefits flowed from more efficient management of system access, lower unproductive employee time due to more efficient access management, and more efficient maintenance and documentation of system access. The importance of the last item has been heightened by regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act of 2002, which mandated much more careful documentation and accountability for access to data in the regulated industries.

Assigning dollars to their model, the RTI researchers estimate that RBAC technology itself has generated $6.1 billion in net economic benefits to industry (values adjusted to 2009 dollars), of which $1.1 billion is attributable to NIST's work. Reckoning in the cost to the public of the NIST work, this translates to about $249 in benefit for every dollar spent.

The RTI study, 2010 Economic Analysis of Role-Based Access Control Final Report. is available on-line at http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf. NIST continues to work with industry to improve RBAC and will host a meeting of the INCITS CS1.1 committee on March 15, 2011, to discuss a proposal for a Role Based Access Control Next Generation Standard. Interested parties should contact D. Richard Kuhn at [email protected] for details. More information on NIST's RBAC program is available at http://csrc.nist.gov/groups/SNS/rbac/index.html.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology (NIST). Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology (NIST). "Computer security: Role-based control may have saved billions." ScienceDaily. ScienceDaily, 17 February 2011. <www.sciencedaily.com/releases/2011/02/110217151449.htm>.
National Institute of Standards and Technology (NIST). (2011, February 17). Computer security: Role-based control may have saved billions. ScienceDaily. Retrieved November 23, 2014 from www.sciencedaily.com/releases/2011/02/110217151449.htm
National Institute of Standards and Technology (NIST). "Computer security: Role-based control may have saved billions." ScienceDaily. www.sciencedaily.com/releases/2011/02/110217151449.htm (accessed November 23, 2014).

Share This


More From ScienceDaily



More Computers & Math News

Sunday, November 23, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Microsoft Adds Robot Guards, Ushers In Sci-Fi Apocalypse

Microsoft Adds Robot Guards, Ushers In Sci-Fi Apocalypse

Newsy (Nov. 23, 2014) Microsoft has robotic security guards working at its Silicon Valley Campus. Video provided by Newsy
Powered by NewsLook.com
European Parliament Might Call For Google's Break-Up

European Parliament Might Call For Google's Break-Up

Newsy (Nov. 22, 2014) This is the latest development in an antitrust investigation accusing Google of unfairly prioritizing own products and services in search results. Video provided by Newsy
Powered by NewsLook.com
Google Announces Improvements To Balloon-Borne Wi-Fi Project

Google Announces Improvements To Balloon-Borne Wi-Fi Project

Newsy (Nov. 21, 2014) In a blog post, Google said its balloons have traveled 3 million kilometers since the start of Project Loon. Video provided by Newsy
Powered by NewsLook.com
Is Nintendo Making A Comeback With 'Super Smash Bros.'?

Is Nintendo Making A Comeback With 'Super Smash Bros.'?

Newsy (Nov. 21, 2014) Nintendo released new "Super Smash Bros." Friday, and it's getting great reviews. Could this mean a comeback for the gaming company? Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins