Economic Impact of NIST Role Based Access Control Research - report available
From: Rick Kuhn (kuhn@nist.gov) Date: 02/28/02
From: kuhn@nist.gov (Rick Kuhn) Date: 28 Feb 2002 08:01:08 -0800
A new independent economic impact study conducted by the Research
Triangle Institute (RTI) conservatively estimates that NIST's Role
Based Access Control (RBAC) research has saved U.S. industry $295
million and accelerated industry's adoption of this advanced access
control method by a year. According to one major software company
official, "This is probably one of the best examples of how an
organization like NIST can help the private sector. The existence of a
widely visible prototype advanced the concrete understanding of
corporate IT architects so significantly that we were able to get
unusually good early feedback validating and influencing our design
choices. Getting educated feedback early undoubtedly saved us a
significant amount of money." A representative from another company
said, "The NIST implementation was a groundbreaking and significant
contribution to software technology."
NIST's research cost taxpayers only $2.3 million. The RTI study
quantifies the benefits of RBAC and estimates NIST's impact on the
development and adoption of RBAC by industry and the user community.
RTI estimated that RBAC technology has saved U.S. industry a total of
$671 million, and that NIST's work was responsible for 44 percent of
this savings. The RTI study is available at
http://www.nist.gov/director/prog-ofc/report02-1.pdf
Computer access control systems are designed to control which users
(or groups of users) can invoke programs and access system resources
such as databases and files. Typically, every system and application
for which access control is enforced has its own proprietary access
methods and system-specific meanings for operations and objects. For
many organizations, the number of systems can be in the hundreds or
even thousands; the number of users can range from the hundreds to the
hundreds of thousands, and the number of resources that must be
protected can easily exceed a million. The problem becomes even more
complex with organizational hierarchies and special constraints such
as conflict-of-interest rules. As a result, the management of access
control data becomes a difficult, expensive, and error-prone process.
RBAC controls access to computer systems and networks based on the
user's role in an organization, automatically handling complexities
introduced by organizational hierarchies and separation-of-duty
requirements. Under RBAC, users are granted membership in roles
based on their responsibilities in the organization. The operations
that a user may perform are determined by the user's roles. User
membership in roles can be revoked easily, and new memberships can be
established as job assignments dictate. This mechanism demonstrates
the potential for enormous cost savings and better security over
current methods.
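As an added illustration, not code from Rick Kuhn's post or from NIST's RBAC prototypes, the Python sketch below implements the core model the paragraph describes: permissions attach to roles rather than users, users are assigned to roles, a role hierarchy lets a senior role inherit the permissions of its junior roles, a static separation-of-duty rule rejects assignments that would give one person two conflicting roles (checked against the inherited role set, not just the directly assigned one), and revocation is a single membership change. Every user, role, operation and resource name is a constructed example.

```python
"""Minimal RBAC policy engine: users -> roles -> permissions, with a role
hierarchy and a static separation-of-duty constraint (constructed example)."""


class SeparationOfDutyError(Exception):
    """Raised when an assignment would give a user two conflicting roles."""


class RBAC:
    def __init__(self):
        self.role_permissions = {}  # role -> set of (operation, resource)
        self.juniors = {}           # role -> roles it inherits permissions from
        self.user_roles = {}        # user -> roles directly assigned
        self.conflicts = set()      # frozenset({role_a, role_b}) pairs

    def add_role(self, role, permissions=(), inherits=()):
        # Permissions attach to roles, never to users: that is what makes
        # a job change a matter of altering one role membership.
        self.role_permissions[role] = set(permissions)
        self.juniors[role] = set(inherits)

    def add_conflict(self, role_a, role_b):
        # Static separation of duty: no user may hold both roles.
        self.conflicts.add(frozenset((role_a, role_b)))

    def effective_roles(self, roles):
        # Walk the hierarchy so a senior role carries every junior role.
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.juniors.get(role, ()))
        return seen

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        # Check conflicts against the *effective* role set, so a role that
        # merely inherits a conflicting junior role is caught as well.
        proposed = self.effective_roles(self.user_roles.get(user, set()) | {role})
        for pair in self.conflicts:
            if pair <= proposed:
                raise SeparationOfDutyError(
                    f"{user}: roles {sorted(pair)} may not be held together")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Revocation removes one membership; no per-resource cleanup needed.
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user):
        perms = set()
        for role in self.effective_roles(self.user_roles.get(user, set())):
            perms |= self.role_permissions[role]
        return perms

    def check_access(self, user, operation, resource):
        return (operation, resource) in self.permissions_of(user)


def build_policy():
    """Constructed sample policy for a small purchasing workflow."""
    p = RBAC()
    p.add_role("employee", [("read", "handbook")])
    p.add_role("purchasing_clerk", [("create", "purchase_order")],
               inherits=["employee"])
    p.add_role("accounts_payable", [("approve", "invoice")],
               inherits=["employee"])
    p.add_role("manager", [("approve", "purchase_order")],
               inherits=["purchasing_clerk"])
    # Conflict-of-interest rule: whoever raises purchase orders must not
    # also approve the invoices that pay for them.
    p.add_conflict("purchasing_clerk", "accounts_payable")
    return p


def run_demo():
    """Exercise the policy; returns the observed access decisions."""
    p, out = build_policy(), {}
    p.assign("alice", "purchasing_clerk")
    out["alice_reads_handbook"] = p.check_access("alice", "read", "handbook")
    out["alice_creates_po"] = p.check_access("alice", "create", "purchase_order")
    out["alice_approves_invoice"] = p.check_access("alice", "approve", "invoice")
    try:
        p.assign("alice", "accounts_payable")
        out["sod_enforced"] = False
    except SeparationOfDutyError:
        out["sod_enforced"] = True
    p.assign("bob", "manager")
    # Manager reaches "create purchase_order" only through the hierarchy,
    # and for the same reason may not also take accounts_payable.
    out["bob_creates_po"] = p.check_access("bob", "create", "purchase_order")
    try:
        p.assign("bob", "accounts_payable")
        out["sod_via_hierarchy"] = False
    except SeparationOfDutyError:
        out["sod_via_hierarchy"] = True
    p.revoke("alice", "purchasing_clerk")
    out["alice_creates_po_after_revoke"] = p.check_access(
        "alice", "create", "purchase_order")
    return out


if __name__ == "__main__":
    for decision, value in run_demo().items():
        print(f"{decision}: {value}")
```

Running the module prints each decision from the demo. The design point worth noticing is that the separation-of-duty check is evaluated over the expanded hierarchy: a manager who inherits purchasing_clerk is refused accounts_payable even though the conflict was declared only between the two junior roles, which is the kind of constraint the post says is error-prone to manage by hand across hundreds of systems.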
NIST is now working with a large industry group, the Network
Applications Consortium (NAC), to introduce NAC members to RBAC and
demonstrate its benefits. The NAC, made up of major corporate users of
information technology, conducts requirements analyses of new
technology, focusing on interoperability standards. The consortium
highlighted NIST's Role Control Center (RCC) as a "Breakthrough
Technology Demonstration" in July 2001, after selecting RBAC as a
technology that can help its members reduce costs and gain better
control of business processes. RCC centrally manages privileges by
providing layers of abstractions that are mapped one-to-many to real
users, real operations, and real resources. Managing permissions in
terms of the abstractions reduces complexity and provides
visualization and a context for implementing complex access control
policies. Today, ITL is working with the NAC to provide its members
with the comprehensive background information on RBAC and the latest
RBAC research.
NIST is also working closely with the NAC, the vendor community, and
other research organizations in the development and widespread
adoption of an RBAC standard.
The website is http://csrc.nist.gov/rbac.
For questions, contact David Ferraiolo (david.ferraiolo@nist.gov)
or Rick Kuhn (kuhn@nist.gov)