February 22, 2011

Managing Access to IT Saved American Businesses $6 Billion, Report Finds

Media Contacts

  • News@rti.org
  • Lisa Bistreich-Wolfe
    919-316-3596
  • Kami Spangenberg
    919-485-5606
Alan C. O'Connor
Alan C. O'Connor

SAN FRANCISCO—Role-based access control, which manages user's access to information technology resources, is estimated to have saved American business $6.1 billion during the past 20 years, according to a new study by researchers at RTI International.

Role-based access control (RBAC), championed by the National Institute of Standards and Technology (NIST) since the 1990s, is the idea of establishing standard levels of access—"permissions"— to the various computing resources and networks of an organization that are tailored to specific employee roles or job functions rather than individuals.

In a large, information-intensive organization, it is generally far easier and more reliable for system security managers to assign a new hire to one or more "roles" and have all the appropriate permissions set automatically than to do each manually.

To compile the report, the RTI research team used a combination of surveys of industry IT security managers in 2002 and 2010 and published industry data to estimate the impact of the NIST activities on the development and adoption of RBAC.

"The research showed that by using roles, businesses do save money in IT department labor and reduced employee down time," said Alan O'Connor, a senior economist at RTI and the report's lead author. "But the real costs savings is in how organizations take steps towards aligning their IT policies to their organizational structure, which in turn allows them greater insight into who has access to what when."

Aligning IT policies with organizational structure is important for information security and internal controls provisions of major pieces of U.S. legislation. According to the report, this method for managing IT policies saved $1.8 billion in 2009 for more efficient policy management and regulatory compliance.

More than 80 percent of participants reported that using roles improved the efficiency of maintaining their organization's access control policy.

The analysts estimate that by the end of 2010 more than 50 percent of IT users at organizations with more than 500 employees have at least some of their system permissions managed by RBAC.

According to the report, a hypothetical financial services firm with 10,000 employees would save annually about $24,000 in IT department labor by using RBAC, nearly $300,000 in reduced employee downtime and $1.1 million in maintenance of the organization's access control policy.

According to findings from a 2002 RTI study, NIST's efforts accelerated the introduction of RBAC by a year and reduced developmental costs. The new report attributes $1.1 billion of the $6.1 billion in net economic benefits to industry to NIST's work.

"It is important to note that RBAC is not a cure-all solution," O'Connor said. "The approach works really well when there are large numbers of users that fall within well-defined categories, but it doesn't work well in project-based settings, for example, where users' dynamic permission changes can't be scaled into roles."