How role-based access control can provide security and business benefits

Computerworld - Protecting the network and ensuring the integrity of intellectual property rate high on the priority lists of most large organizations. In addition, more stringent privacy laws have imposed new levels of confidentiality on health care and insurance companies and financial institutions. As a result, identity management has become a critical component in ensuring information security and access control.
Many organizations still rely on individual, user-based identity management mechanisms built into the operating system and individual software applications. However, as the number of users and applications increase, supporting such a system becomes time-consuming, unwieldy and expensive. Users quickly become frustrated by the need to remember multiple passwords. Customer service and help desk personnel get bogged down by the sheer volume of requests for lost or forgotten passwords, new registrations and account terminations. A recent analyst study indicates that call center expenses have increased 39% in the past year alone, a trend that cost-conscious organizations cannot afford to ignore.
What's needed is a low-maintenance system that automates routine administration and controls access across the network so that data security is ensured. One option is role-based access control (RBAC). While RBAC can be challenging to design and implement, it can be tailored to a company's business model and security risk tolerance. Once implemented, it scales for growth and requires minimal maintenance, which goes a long way toward stemming the rising tide of IT costs.

Solid security, high business value
Low maintenance costs and increased efficiency are among the key benefits of RBAC as a security strategy for midsize and large organizations. Here's how it works: Once all of the employee roles are populated into the database, role-based rules are formulated and workflow engine modules are implemented. Through these elements, role-based privileges can be entered and updated quickly across multiple systems, platforms, applications and geographic locations -- right from the HR or IT manager's desktop. By controlling users' access according to their roles and the attributes attached to those roles, the RBAC model provides a companywide control process for managing IT assets while maintaining the desired level of security.
However, RBAC systems also can be designed to maximize operational performance and strategic business value. They can streamline and automate many transactions and business processes and provide users with the resources to perform their jobs better, faster and with greater personal responsibility. With an RBAC system in place, organizations are better positioned to meet their own statutory and regulatory requirements for privacy and confidentiality, which is crucial for health care organizations and financial institutions, as