Security Architecture Insider

How to implement the NIST role based access control model


Judith M. Myerson, Contributor
06.25.2008


Role based access control (RBAC) allows financial services firms to grant access based on roles rather than on individual users. Each user is assigned one or more roles, and each role is granted permissions to the resources, applications and services that support role based access control. A role may represent a job function or a position in the organizational hierarchy.

Role based access control was first proposed by the National Institute of Standards and Technology (NIST) in 2000. With further refinements the model was adopted by the American National Standards Institute, International Committee for Information Technology Standards as ANSI INCITS 359-2004. In May 2008, a draft was created based on INCITS RBAC CS1.1 Implementation Standard to address the complexity of managing security administration in large networks.

Implementation steps
When implementing role based access control, the ultimate goal is to be able to easily add, review, update and delete permissions. To achieve this, financial firms should use the standard NIST model to build the role based access control system. The model consists of four levels, each higher level including the functional capabilities of the levels below it.

Flat RBAC has the fewest requirements: roles, user-role assignment and role-privilege assignment. The number of roles for each user and the number of privileges for each role are kept to a minimum.

Hierarchical RBAC requires support for defining roles in a hierarchy. Roles are ordered from senior (e.g. supervisory cashier) down to junior, with senior roles inheriting all the privileges of the junior roles beneath them. Security administrators can also use a role hierarchy to map between two RBAC-based domains.

Constrained RBAC requires separation of duties, primarily to avoid fraud. It allows administrators to enforce dynamic separation of duty, which prevents a user who is assigned two conflicting roles from activating both in a single session. For example, the cashier role must be closed before the supervisor role can be opened to access an account, although the user is allowed to perform each role in a different session.

Symmetric RBAC adds a permission-role review requirement, similar to the user-role review requirement of flat RBAC. Symmetric RBAC allows identification of the permissions assigned to existing roles and, conversely, of the roles that hold a given permission. For example, by identifying the permissions of a user leaving the company, the administrator revokes all of that user's permissions, and then reassigns the role to another user with the same or a different set of permissions.

In large networks of diverse platforms, multiple applications and separated locations, this four-step sequence may not always be applied in practice. Firms may opt for the alternate model, in which the features of later steps may be adopted before the features of earlier steps.

Patents and products
To reduce the time, cost and complexity of implementing role based access control systems, financial services firms can choose to develop their own role based access control products. In product development, the firms can apply their own role based access control patents. Financial firms in compliance with Sarbanes-Oxley may instead opt to buy a role based access control-based product together with the license that comes with it. Organizations wishing to develop or buy Web application products that use role based access control services should ensure the product vendor follows the OASIS XACML (eXtensible Access Control Markup Language) v2.0 standard.

Implementing the standard NIST role based access control model in a four-step sequence can be a challenge for a financial services firm. Developing your own role based access control patents or getting a license to use a role based access control patent can make the job easier.

About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide system, database technologies, application development, network management, computer security, information assurance, financial, RFID technologies and project management.

Copyright 2008 - 2009, TechTarget