Role-Based Access Offers Security For e-Business
As insurance companies continue to expand their e-business initiatives, information technology issues surrounding the security of personal data increase.
Not only are insurance providers aware that security breaches can lead to a loss of reputation, customer trust and market share, but they are also faced with the need to comply with new privacy regulations such as the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 1999 Gramm-Leach-Bliley Financial Modernization Act.
In the face of these concerns, securing a companys e-business infrastructure can often appear to be a daunting, complex and costly project. However, a security platform that is based on role-based access control (RBAC) can help insurance providers maintain the basic tenets of customer privacy and data security, ensure the protection of business interests and enable compliance with government regulations.
Heres how it works. To guarantee the greatest level of privacy protection, companies need to manage their networks in a way that allows users to view and access only those records they need in order to accomplish their jobs. For example, a billing clerk may need to access and update a customers payment status, but does not need to know a customers claims status. An insurance broker may need to access and modify policy information, but need not review billing data. Using an RBAC model, a company can control which individuals are able to access what information based on the roles they perform within an organization.
RBAC allows companies to manage entire groups of users by defining access privileges and administrative capabilities based on job responsibilities. When a new user is added to the system, he or she is assigned to the appropriate role that corresponds to his or her job and access privileges. When the system is accessed, he or she is provided a menu of applications and services assigned to that group.
If a company introduces a new Web service or needs to change the privileges of a particular user group, an administrator assigned to the group can simply modify the role, and the privileges of all those within the group will be automatically updated.
Using delegated administration allows a company to delegate user management out to the lowest logical level within an organization. When it is used internally, managers of internal departments become responsible for assigning, creating and modifying roles for their groups. Marketing managers manage their groups. Accounting managers manage their groups, and so on.
Externally, business partners, suppliers and customers can manage access as far out as they desire within their own organizations.
Non-RBAC methods of administering Web access and authorization as a company evolves can be overwhelming and burdensome to IT staff. The business benefits of RBAC include increased security, reduced complexity of user management and minimized costs of administering Web access.