Need a way to control network access? Government already has it.

Connect with state & local government leaders
Join Our Community
Featured eBooks
A New Era of Social Media Regulation
Strengthening State and Local Cyber Defenses
Making AI Work for Government
Insights & Reports
Get to know Bedlock Safety
Presented By BedLock Safety
Download Now
Using AI-powered location intelligence, state and local governments can build a sustainable future
Presented By Nearmap
Download Now
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Role-based access control, first formally proposed by NIST scientists in 1992, has become the standard for managing access to IT resources and has saved the U.S. economy billions of dollars.

Role-based access control has saved the U.S. economy more than $6 billion during the past 16 years, according to a study sponsored by the National Institute of Standards and Technology, and RBAC has become the standard for managing access to IT resources in industry and government.

RBAC was formally proposed by NIST scientists in 1992 and adopted as an industry consensus standard in 2004. A study conducted by RTI International estimated that NIST’s work hastened the adoption of the access control scheme and cut development costs, accounting for about $1 billion of the savings.

“We had no idea where it was going to go,” said NIST computer scientist David Ferraiolo, who, along with Rick Kuhn, authored the first formal RBAC model. Now, more than half of all organizations that have more than 500 employees use RBAC for at least some access control, and government agencies routinely use it. “There is no mandate for it,” Ferraiolo said. “It is all market driven.”

The initial $2.6 million that NIST spent on RBAC turned out to be a good investment, producing a return of 249 to 1.

Access management is an essential element of cybersecurity because access to resources opens them to intentional or accidental misuse or exposure. To protect those resources, many systems authenticate a user's identity with some form of ID management before granting access to certain resources. RBAC is one scheme for describing what a user is authorized to do.

Related stories:

Keys to access control: visibility, granularity, 'set it and forget it'

The value of access control is easy to demonstrate

“Although RBAC is not the perfect solution, it enables greater shared responsibility and more effective and efficient permissions management for IT and business operations,” the RTI study states.

The RBAC work evolved from a 1991 NIST study that found agencies were not getting all the security solutions they needed. In the early 1990s, the standard of care for access or privilege control was Access Control Lists, which are specific for each system or application. They are high maintenance because rapid turnover in large organizations means someone must constantly update them.

“The Access Control List is a very low-level control,” Ferraiolo said.

RBAC is intuitive

Instead, a scheme for assigning access privileges based on a person’s role in an organization seems intuitive, and Kuhn and Ferraiolo say the idea was not original. “The concept of role has been around for a very long time,” Ferraiolo said. “What was lacking was any kind of formal description.”

“What we wanted to do was define a comprehensive access control model that was formally specified and could be used more as a layer separate from large applications instead of being hard-coded into them,” Kuhn said.

Unlike other schemes, in which permissions or access is tied to an individual, group or application, RBAC permissions are tied to the role, and users are then associated with different roles. The role links multiple users with multiple permissions. That can simplify management because the roles in an organization tend to remain stable, while personnel and permissions can change quickly.

The initial challenge in RBAC — and one that almost proved fatal — is the task of defining roles, a process called role engineering. Early in its adoption, a common complaint was that organizations could end up with as many roles as employees, if not more.

“There were some miserable results early on,” Ferraiolo said. “But as experience was gained, there were better practices” in role engineering.

The RBAC model was refined, and well before the American National Standards Institute and International Committee for IT Standards adopted it in 2004, the industry was incorporating it in products. In 1997 and 1998, Sybase, Secure Computing and Siemens announced RBAC products based on the model, and Secure Computing incorporated it into the Defense Department’s Global Command and Control System in 1997.

RBAC adoption continued slowly from 1995 until 2004, when about 12 percent of users' permissions were managed by RBAC in IT-intensive industries. Usage spiked after the adoption of the ANSI/INCITS standard and has continued to climb through 2010, when the percentage topped 50 percent, according to the RTI study.

The principal economic benefit from the adoption of RBAC came from efficiency in maintaining and certifying access control policies. More than 80 percent of the respondents in the RTI study reported greater efficiencies in managing their access policies by using RBAC. Other areas of savings include more efficient provisioning and reduced employee downtime.

All told, an estimated 18 million employees were being managed through RBAC by 2009, and organizations saw a net savings of $1.1 billion that year. Total savings since 1994 total $11 billion, which, when offset by the $5 billion cost of implementation, produces a net savings of about $6.1 billion.

Best fit for government

“RBAC is not necessarily for every enterprise,” Ferraiolo said. For smaller organizations, groups or Access Control Lists might be just as effective. It is best suited for large, transaction-based organizations, such as those in the financial services industry, where roles are likely to be well defined.

“We think it works very well for government organizations,” said Kuhn, because they also tend to be larger and have well-defined roles.

Although RBAC is not required, it has been valuable in meeting demands for security controls in regulations under legislation such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. Among federal agencies, it can help to streamline compliance with requirements for security controls in the Federal Information Security Management Act.

RBAC takes up little of developers’ time these days. “We’re doing a little bit, a few hours a month,” Kuhn said.

But it is by no means complete, Ferraiolo said. “RBAC has made a major contribution in this space, but there is a lot of work remaining to be done,” he said. “RBAC is very good at provisioning users,” but it is not so strong in adding new resources and applications to privileges lists.

It also needs to be more agile in reviewing and changing permissions for people assigned to roles. Toward that end, ANSI/INCITS is considering a draft revision of the 2004 standard that would add some elements of rule- and attribute-based access control management to the scheme. RBAC would specify the maximum set of privileges available in a role, but those could be further refined, depending on individual specifics.

NEXT STORY: 'Minority Report' technology is just a game -- for now

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.