Role-Based Access Offers Security For e-Business
As insurance companies continue to expand their e-business initiatives, information technology issues surrounding the security of personal data increase.
Not only are insurance providers aware that security breaches can lead to a loss of reputation, customer trust and market share, but they are also faced with the need to comply with new privacy regulations such as the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 1999 Gramm-Leach-Bliley Financial Modernization Act.
In the face of these concerns, securing a company's e-business infrastructure can often appear to be a daunting, complex and costly project. However, a security platform that is based on role-based access control (RBAC) can help insurance providers maintain the basic tenets of customer privacy and data security, ensure the protection of business interests and enable compliance with government regulations.
Here's how it works. To guarantee the greatest level of privacy protection, companies need to manage their networks in a way that allows users to view and access only those records they need in order to accomplish their jobs. For example, a billing clerk may need to access and update a customer's payment status, but does not need to know a customer's claims status. An insurance broker may need to access and modify policy information, but need not review billing data. Using an RBAC model, a company can control which individuals are able to access what information based on the roles they perform within an organization.
RBAC allows companies to manage entire groups of users by defining access privileges and administrative capabilities based on job responsibilities. When a new user is added to the system, he or she is assigned to the appropriate role that corresponds to his or her job and access privileges. When the system is accessed, he or she is provided a menu of applications and services assigned to that group.
If a company introduces a new Web service or needs to change the privileges of a particular user group, an administrator assigned to the group can simply modify the role, and the privileges of all those within the group will be automatically updated.
Using delegated administration allows a company to delegate user management out to the lowest logical level within an organization. When it is used internally, managers of internal departments become responsible for assigning, creating and modifying roles for their groups. Marketing managers manage their groups. Accounting managers manage their groups, and so on.
Externally, business partners, suppliers and customers can manage access as far out as they desire within their own organizations.
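The role model and delegated administration described above, as an added example that is not code from the article or from OpenNetwork Technologies: roles carry permission sets, users carry only roles, and each role belongs to a department whose delegated administrator alone may create, modify or assign it. The role, permission, department and user names are constructed for illustration, and the initial admin-to-department mapping is assumed to be set up by a central security officer.

```python
class RBAC:
    """Roles hold permissions; users hold roles; each role belongs to a
    department whose delegated administrator alone may change it."""

    def __init__(self):
        self.roles = {}      # role -> set of permission strings
        self.role_dept = {}  # role -> owning department
        self.users = {}      # user -> set of role names
        self.admins = {}     # delegated admin -> department they administer

    def _check_admin(self, admin, dept):
        # Delegated administration: an admin may only touch roles of their own department.
        if self.admins.get(admin) != dept:
            raise PermissionError(f"{admin} may not administer roles in {dept}")

    def create_role(self, admin, role, dept, perms):
        self._check_admin(admin, dept)
        self.roles[role] = set(perms)
        self.role_dept[role] = dept

    def grant(self, admin, role, perm):
        # Changing the role updates every user holding it; no per-user edits are needed.
        self._check_admin(admin, self.role_dept[role])
        self.roles[role].add(perm)

    def assign(self, admin, user, role):
        self._check_admin(admin, self.role_dept[role])
        self.users.setdefault(user, set()).add(role)

    def can(self, user, perm):
        # Access is decided purely by the user's roles; there are no per-user grants.
        return any(perm in self.roles[r] for r in self.users.get(user, ()))


def build_demo():
    """Constructed scenario from the article: a billing clerk and an insurance broker."""
    rb = RBAC()
    # Assumed bootstrap by a central security officer: one delegated admin per department.
    rb.admins = {"billing_mgr": "billing", "policy_mgr": "policy"}
    rb.create_role("billing_mgr", "billing_clerk", "billing", ["payment:read", "payment:update"])
    rb.create_role("policy_mgr", "broker", "policy", ["policy:read", "policy:update"])
    rb.assign("billing_mgr", "alice", "billing_clerk")   # alice is a billing clerk
    rb.assign("policy_mgr", "bob", "broker")             # bob is a broker
    return rb
```

The clerk can update payment status but cannot read claims, the broker can modify policy data but not billing, adding a permission to the broker role reaches every broker at once, and the billing manager is refused when trying to assign a policy-department role.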
Non-RBAC methods of administering Web access and authorization as a company evolves can be overwhelming and burdensome to IT staff. The business benefits of RBAC include increased security, reduced complexity of user management and minimized costs of administering Web access.
RBAC provides the ability to model complex organizations through the creation of roles and the delegation of their administration. It also enables organizations to make changes to large groups as quickly as an organization and its security policies evolve. Security increases because rapid modifications to user profiles and privileges can be made by local administrators within the company or partner organizations.
RBAC also enables secure self-registration, a key to rapid e-business growth. Using self-registration and self-service, customers who enjoy the convenience of conducting transactions via the Web can securely administer their own accounts.
Companies can implement a Web application that initially identifies users by verifying information that only the individual user would know. Once verified, users can set their own passwords and begin utilizing the service without having to contact customer service representatives or wait for passwords to be sent via the mail. Self-registration increases the rate of adoption of Web services, saves costs within the customer-service operation, and eliminates the costs and security risks associated with mailing preset passwords to users.
Finally, RBAC-based security platforms offer compatibility with key security and privacy requirements outlined in both HIPAA and Gramm-Leach-Bliley.
HIPAA describes the use of RBAC as a privacy solution, because providers, patients, and employees are only allowed to access the specific information necessary to perform their jobs.
RBAC also helps financial institutions meet the requirements of the Gramm-Leach-Bliley Act, which specify that companies in the industry demonstrate they can ensure the security and confidentiality of customer information.
Insurance companies benefit from conducting business via the Web, but they must also ensure that customer privacy is protected. An RBAC-based system can provide this security, offer business benefits and enable companies to comply with government regulations. Managing users via roles enables organizations to scale their e-businesses rapidly, streamline authorization methods and ultimately reduce the administrative time and costs required to manage access, compared to management on a user-by-user basis.
With the right security infrastructure, companies can increase efficiencies and cost savings. As initiatives increase in scale, businesses can save on labor needed to manage growth and avoid unnecessary IT expenditures.
is strategic marketing manager of OpenNetwork Technologies, based in Clearwater, Fla.
Reproduced from National Underwriter Life & Health/Financial Services Edition, August 20, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.