NIST’s Role Based Access Control research saves industry $295 million
A new independent economic impact study conducted by the Research Triangle Institute (RTI) conservatively estimates that NIST’s Role Based Access Control (RBAC) research has saved U.S. industry $295 million and accelerated industry’s adoption of this advanced access control method by a year. NIST’s research cost taxpayers only $2.3 million. The RTI study quantifies the benefits of RBAC and estimates NIST’s impact on the development and adoption of RBAC by industry and the user community. RTI estimated that RBAC technology has saved U.S. industry a total of $671 million, and that NIST’s work was responsible for 44% of this savings.
According to one major software company official, “This is probably one of the best examples of how an organization like NIST can help the private sector. The existence of a widely visible prototype advanced the concrete understanding of corporate IT architects so significantly that we were able to get unusually good early feedback validating and influencing our design choices. Getting educated feedback early undoubtedly saved us a significant amount of money.”
A representative from another company said, “The NIST implementation was a groundbreaking and significant contribution to software technology.”
Computer access control systems are designed to control which users or groups of users can invoke programs and access system resources such as databases and files. Typically, every system and application for which access control is enforced has its own proprietary access methods and system-specific meanings for operations and objects. For many organizations, the number of systems can be in the hundreds or even thousands; the number of users can range from the hundreds to the hundreds of thousands, and the number of resources that must be protected can easily exceed a million. The problem becomes even more complex with organizational hierarchies and special constraints such as conflict-of-interest rules. As a result, the management of access control data becomes a difficult, expensive, and error-prone process.
NIST’s RBAC controls access to computer systems and networks based on the user’s role in an organization, automatically handling complexities introduced by organizational hierarchies and separation-of-duty requirements. Under RBAC, users are granted membership in roles based on their responsibilities in the organization. The operations that a user may perform are determined by the user’s roles. User membership in roles can be revoked easily, and new memberships can be established as job assignments dictate. This mechanism demonstrates the potential for enormous cost savings and better security over current methods. The website is http://hissa.nist.gov.
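The paragraph above describes the three ideas that make RBAC manageable at scale: users are assigned to roles rather than to individual resources, senior roles inherit the permissions of junior roles (the organizational hierarchy), and separation-of-duty rules keep conflicting roles apart. The following Python model, written here as an added illustration and not taken from NIST’s prototype or from the RTI study, implements those ideas in a small, self-contained form. The role names, permissions and users (employee, accountant, auditor, finance_manager; alice, bob, carol) are constructed for the example; the access check and the static separation-of-duty check are the parts worth studying.

```python
"""Minimal RBAC model in the style of the NIST RBAC description:
users -> roles -> permissions, with a role hierarchy (senior roles inherit
junior roles' permissions) and static separation-of-duty (SSD) constraints.
Added example; role, permission and user names are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

Permission = tuple[str, str]  # (operation, object), e.g. ("write", "ledger")


class SeparationOfDutyError(ValueError):
    """Raised when a user-role assignment would violate an SSD constraint."""


@dataclass
class Rbac:
    # role -> permissions granted directly to that role
    role_perms: dict[str, set[Permission]] = field(default_factory=dict)
    # role -> junior roles it inherits from (the organizational hierarchy)
    role_juniors: dict[str, set[str]] = field(default_factory=dict)
    # user -> roles the user is a member of
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # (role set, n): no user may be authorized for n or more roles of the set
    ssd_rules: list[tuple[frozenset[str], int]] = field(default_factory=list)

    def add_role(self, role: str, inherits: tuple[str, ...] = ()) -> None:
        for junior in inherits:
            if junior not in self.role_perms:
                raise KeyError(f"unknown junior role {junior!r}")
        self.role_perms.setdefault(role, set())
        self.role_juniors.setdefault(role, set()).update(inherits)

    def grant(self, role: str, operation: str, obj: str) -> None:
        self.role_perms[role].add((operation, obj))

    def add_ssd_rule(self, roles: set[str], n: int = 2) -> None:
        self.ssd_rules.append((frozenset(roles), n))

    def effective_roles(self, roles: set[str]) -> set[str]:
        # Transitive closure over the hierarchy: each role plus every junior beneath it.
        seen: set[str] = set()
        stack = list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.role_juniors.get(r, ()))
        return seen

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.user_roles.get(user, set()) | {role}
        # SSD is checked on the *authorized* roles, so a senior role cannot
        # smuggle in a conflicting junior role through inheritance.
        authorized = self.effective_roles(proposed)
        for conflict_set, n in self.ssd_rules:
            if len(authorized & conflict_set) >= n:
                raise SeparationOfDutyError(
                    f"{user!r} would hold {sorted(authorized & conflict_set)}")
        self.user_roles[user] = proposed

    def assignment_allowed(self, user: str, role: str) -> bool:
        # Non-raising probe of the SSD check; leaves the model unchanged.
        try:
            self.assign(user, role)
        except SeparationOfDutyError:
            return False
        self.revoke(user, role)
        return True

    def revoke(self, user: str, role: str) -> None:
        # Revoking membership immediately removes all access the role conferred.
        self.user_roles.get(user, set()).discard(role)

    def check_access(self, user: str, operation: str, obj: str) -> bool:
        # Authorization decision: any effective role holding the permission suffices.
        for r in self.effective_roles(self.user_roles.get(user, set())):
            if (operation, obj) in self.role_perms[r]:
                return True
        return False


def build_demo() -> Rbac:
    """Constructed sample organization (hypothetical roles and users)."""
    rbac = Rbac()
    rbac.add_role("employee")
    rbac.add_role("accountant", inherits=("employee",))
    rbac.add_role("auditor", inherits=("employee",))
    rbac.add_role("finance_manager", inherits=("accountant",))
    rbac.grant("employee", "read", "handbook")
    rbac.grant("accountant", "write", "ledger")
    rbac.grant("auditor", "read", "ledger")
    rbac.grant("auditor", "write", "audit_report")
    rbac.grant("finance_manager", "approve", "payment")
    rbac.add_ssd_rule({"accountant", "auditor"})  # conflict-of-interest rule
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "auditor")
    rbac.assign("carol", "finance_manager")
    return rbac


if __name__ == "__main__":
    demo = build_demo()
    print("carol approves payments:", demo.check_access("carol", "approve", "payment"))
    print("bob may also become accountant:", demo.assignment_allowed("bob", "accountant"))
```

Two points the example makes concrete: carol never received the ledger permission directly, yet finance_manager inherits it through accountant, which is the hierarchy handling the paragraph refers to; and the separation-of-duty check runs over the inherited role set, so carol cannot be made an auditor either, because her manager role already implies accountant. Administration touches only user-role and role-permission assignments, never per-user resource lists, which is where the cost saving comes from.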