A Marketing Survey of Civil Federal Government Organizations to Determine the Need for a Role-Based Access Control (RBAC) Security Product

Authors

  • Charles L. Smith
  • Edward J. Coyne
  • Charles E. Youman
  • Srinivas Ganta
Abstract

This material is based upon work supported by the Department of Commerce under contract number 50-DKNB-5-00188. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the Department of Commerce.

There is a recognized need for a more robust method of performing security controls in computer network systems [Ferraiolo et al. 1992]. One promising method is called role-based access control (RBAC). Although the basic ideas for RBAC have existed for over 20 years, there has been a recent resurgence of interest in RBAC, largely because of the disenchantment with traditional mandatory and discretionary access controls by many users. The essence of RBAC is that rights and permissions are assigned to roles rather than to individual users. Users acquire these rights and permissions by virtue of being assigned membership in appropriate roles. This method makes the administration of security access much simpler than with current approaches.

Although RBAC is receiving much attention among potential users and vendors, it is not known what the consumer demand will be for RBAC products. Consequently, this marketing survey was conducted. This study is essentially a marketing survey to identify customer requirements regarding their security needs for information processing systems and to determine whether an RBAC product can meet these requirements. Information system requirements must originate from the system users, that is, from the organizational stakeholders who are concerned about the performance of their system and whose jobs are affected by the system's capabilities. Regarding security aspects of a system, these stakeholders are generally called security managers, security officers, security administrators, or some similar name.
There are existing packages that sometimes purport to be role-based security implementations, but these packages are greatly limited in their capabilities to emulate the robustness of an RBAC product as manifested in the reference material. It should be understood that RBAC is not a replacement for the existing mandatory access control (MAC) and discretionary access control (DAC) products; it is an adjunct to them. Moreover, RBAC adds security capabilities that are not resident in the current security products. Some stakeholders understand that security needs represent a set of complex issues, yet their purchased security packages are often a response to "we need a security product" without understanding what the actual security issues are or appreciating the need for a capable security system. The complexity …

Similar resources

Enforcing RBAC Policies over Data Stored on Untrusted Server (Extended Version)

One of the security issues in data outsourcing is the enforcement of the data owner’s access control policies. This includes some challenges. The first challenge is preserving confidentiality of data and policies. One of the existing solutions is encrypting data before outsourcing which brings new challenges; namely, the number of keys required to access authorized resources, efficient policy u...

Attribute-based Access Control for Cloud-based Electronic Health Record (EHR) Systems

Electronic health record (EHR) systems facilitate integrating patients' medical information and improve service productivity. However, user access to patient data in a privacy-preserving manner is still a challenging problem. Many studies are concerned with security and privacy in EHR systems. Rezaeibagha and Mu [1] have proposed a hybrid architecture for privacy-preserving accessing patient records...

Accessible Spatio-Temporal Role-Based Access Control

The rapid emergence of GPS-enabled devices, sensors, and mobile equipment in commercial as well as government organizations has led to considerable research in location-based access control schemes. This paper introduces the concept of time- and location-based access control, and shows how the role-based access control (RBAC) model can be extended to incorporate these parameters for granting access. ...

STRBAC - An approach towards spatio-temporal role-based access control

The rapid emergence of GPS-enabled devices, sensors and mobile equipment in commercial as well as government organizations has led to considerable research in time- and location-based access control schemes. Location-based access policies enhance the security of an application by restricting access to an object only from specified locations. On the other hand, temporal constraints provide granula...

Publication date: 2015