Computer security: Role-based control may have saved billions

Role-based access control (RBAC) is the idea of establishing standard levels of access -- "permissions" -- to the various computing resources and networks of an organization that are tailored to specific employee roles, or job functions rather than individuals. In a large, information-intensive organization, it is generally far easier and more reliable for system security managers to assign a new hire to one or more "roles" and have all the appropriate permissions set automatically than to do each manually.

RBAC is now a common security tool. Facebook users employ it when they assign privileges on their pages to roles like "Friends," "Friends of Friends" and "Everyone." But in the early 1990s, it was a new -- and difficult to implement -- strategy. Organizations tended to rely on the more primitive "access control lists" that had to be set individually for each system for each employee. NIST has been at the center of RBAC development for nearly 20 years. The agency published a comprehensive RBAC model and the first technical specifications and formal description for RBAC in 1992. This was followed by both theoretical research and prototypes demonstrating the scalability and efficiency of RBAC. By 2000, in cooperation with George Mason University, NIST had developed a proposed RBAC standard. NIST led the ANSI/INCITS effort to establish a formal industry standard in 2004.

In a study prepared for NIST, RTI International used a combination of surveys of industry IT security managers in 2002 and 2010 and published industry data to estimate the impact of the NIST activities on the development and adoption of RBAC. The analysts estimate that by the end of 2010, over 50 percent of IT users at organizations with more than 500 employees have at least some of their system permissions managed by RBAC. NIST's work, they report, probably accelerated the introduction of RBAC by a year and also reduced development costs for firms adopting the strategy. The economic benefits flowed from more efficient management of system access, lower unproductive employee time due to more efficient access management, and more efficient maintenance and documentation of system access. The importance of the last item has been heightened by regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act of 2002, which mandated much more careful documentation and accountability for access to data in the regulated industries.

Assigning dollars to their model, the RTI researchers estimate that RBAC technology itself has generated $6.1 billion in net economic benefits to industry (values adjusted to 2009 dollars), of which $1.1 billion is attributable to NIST's work. Reckoning in the cost to the public of the NIST work, this translates to about $249 in benefit for every dollar spent.

The RTI study, 2010 Economic Analysis of Role-Based Access Control Final Report. is available on-line at http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf. NIST continues to work with industry to improve RBAC and will host a meeting of the INCITS CS1.1 committee on March 15, 2011, to discuss a proposal for a Role Based Access Control Next Generation Standard. Interested parties should contact D. Richard Kuhn at kuhn@nist.gov for details. More information on NIST's RBAC program is available at http://csrc.nist.gov/groups/SNS/rbac/index.html.