Role-Based Computer Access
Those responsible for IT security in government need to know who is accessing their systems, from where, for how long, and for what purpose. Role-based access control (RBAC) provides a practical and effective way to answer the first of those questions in a form that can be audited: who is permitted to do what. The remaining questions are answered by the logging and monitoring that sit alongside it.
In the RBAC model, permissions are attached to roles that mirror the organization's job functions, and users obtain access by being assigned to roles rather than by individual grants. Built on trusted, centrally managed repositories of roles and assignments, RBAC systems are challenging to design and implement, but they can be tailored to each agency's business model and to its tolerance for risk to the data it holds.
Here are eight steps to a successful RBAC technology solution:
- Identify the organizational challenges driving the need for an access control solution.
- Articulate the goals and value proposition of implementing an RBAC system.
- Design the system's framework to extract maximum value and return on investment.
- Formulate an implementation methodology, including project management, timeline and budget, and a set of benchmarks and milestones against which to measure progress.
- Compile an inventory of existing information systems (hardware, operating systems and applications) and determine the level of security each needs. Base this on the degree of confidentiality required by the agency's core mission, its business and customer service needs, and statutory and regulatory requirements.
- Define all roles across the organization and determine the access each role needs to perform its job effectively, and no more: a role that carries entitlements its holders never use is a standing liability.
- Formulate an automated workflow strategy detailing how roles will be changed or updated, how new users will be registered under their appropriate roles, and how accounts will be terminated when employees depart. Role changes should replace a user's previous entitlements rather than add to them, and termination should revoke everything in one step.
- Plan for education and organizational change. Ideally, this should originate at the executive and managerial levels to ensure compliance and speed-to-value.
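The role-definition and account-lifecycle steps above describe a mechanism as much as a process. The following is an added example, not code from the article or from Network Security Consulting, of a minimal RBAC engine that ties permissions to roles, lets roles inherit from one another (standard hierarchical RBAC), and models the registration, role-change and termination workflow. The role names, resources and user IDs are constructed for illustration.

```python
"""Minimal role-based access control (RBAC) engine with a joiner/mover/leaver
workflow. Added example for illustration; not code from the article. Role
names, resources and user IDs below are invented sample data."""
from __future__ import annotations

Permission = tuple[str, str]  # (resource, action), e.g. ("claims", "approve")


class RBAC:
    """Deny-by-default authorization: a user may perform an action only if an
    active role assigned to them (or a role that role inherits) grants it."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[Permission]] = {}
        self.role_parents: dict[str, set[str]] = {}  # role -> roles it inherits
        self.user_roles: dict[str, set[str]] = {}    # active accounts only
        self.terminated: set[str] = set()
        self.audit: list[tuple[str, str]] = []       # (event, detail) for review

    # --- role definition (step 6) -------------------------------------------
    def define_role(self, role: str, perms, parents=()) -> None:
        for parent in parents:
            if parent not in self.role_perms:
                raise ValueError(f"unknown parent role {parent!r}")
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(parents)
        self.audit.append(("role_defined", role))

    def role_entitlements(self, role: str) -> set[Permission]:
        """Permissions of a role including everything inherited (cycle-safe)."""
        seen: set[str] = set()
        stack, perms = [role], set()
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            perms |= self.role_perms.get(current, set())
            stack.extend(self.role_parents.get(current, ()))
        return perms

    # --- account lifecycle (step 7) -----------------------------------------
    def _check_roles(self, roles) -> None:
        unknown = set(roles) - set(self.role_perms)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")

    def register_user(self, user: str, roles) -> None:
        """Joiner: an account is created only with roles that exist."""
        if user in self.terminated:
            raise ValueError(f"{user!r} was terminated; re-enabling needs a new review")
        if user in self.user_roles:
            raise ValueError(f"{user!r} already registered; use change_roles")
        self._check_roles(roles)
        self.user_roles[user] = set(roles)
        self.audit.append(("joiner", f"{user}:{sorted(roles)}"))

    def change_roles(self, user: str, roles) -> None:
        """Mover: the new role set replaces the old one, so entitlements from
        the previous position are revoked rather than accumulated."""
        if user not in self.user_roles:
            raise KeyError(user)
        self._check_roles(roles)
        self.user_roles[user] = set(roles)
        self.audit.append(("mover", f"{user}:{sorted(roles)}"))

    def terminate_user(self, user: str) -> None:
        """Leaver: one operation removes every entitlement at once."""
        self.user_roles.pop(user, None)
        self.terminated.add(user)
        self.audit.append(("leaver", user))

    # --- authorization decision ---------------------------------------------
    def entitlements(self, user: str) -> set[Permission]:
        perms: set[Permission] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_entitlements(role)
        return perms

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        return (resource, action) in self.entitlements(user)


def build_demo() -> RBAC:
    """Constructed sample policy for a hypothetical claims-processing office."""
    rbac = RBAC()
    rbac.define_role("claims_clerk", {("claims", "read"), ("claims", "create")})
    rbac.define_role("claims_supervisor", {("claims", "approve")},
                     parents=["claims_clerk"])
    rbac.define_role("auditor", {("claims", "read"), ("audit_log", "read")})
    rbac.register_user("alice", ["claims_clerk"])
    rbac.register_user("bob", ["claims_supervisor"])
    rbac.register_user("carol", ["auditor"])
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.is_allowed("alice", "claims", "approve"))  # clerks cannot approve
    print(r.is_allowed("bob", "claims", "create"))     # inherited from clerk
    r.change_roles("alice", ["auditor"])
    print(r.is_allowed("alice", "claims", "create"))   # old entitlement revoked
    r.terminate_user("bob")
    print(r.is_allowed("bob", "claims", "approve"))    # account gone
    for event in r.audit:
        print(event)
```

Two design choices carry the weight here. First, `change_roles` replaces the role set rather than appending to it, which is what prevents the entitlement creep that follows staff through several positions. Second, a terminated account is kept in a separate set so that a stale provisioning job cannot quietly re-register it; bringing the person back requires a fresh review, and every transition leaves an audit record.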
Beyond providing an appropriate level of information security for government agencies, RBAC has proven helpful in streamlining and automating many transactions and business processes, because a request for access can be approved against a defined role instead of negotiated case by case. The result is higher efficiency and productivity for employees across the organization.
Trey Guerin is CEO and Richard Lord is vice president of Network Security Consulting, L.L.C., Columbia, Md.