- ISBN: 9781596932180 | 159693218X
- Cover: Hardcover
- Copyright: 11/30/2007
Whether you are a manager, engineer, or IT security specialist, this authoritative resource shows you how to define and deploy roles for securing enterprise systems.
Edward J. Coyne is a senior security engineer at Science Applications International Corporation in Vienna, Virginia John M. Davis is a security architect for the Veterans Health Administration
| Preface | p. xv |
| Introduction | p. 1 |
| Background for the Book | p. 1 |
| Role-Based Access Control | p. 3 |
| Role Engineering | p. 4 |
| Aims of the Book | p. 5 |
| How the Book Can Be Used | p. 5 |
| References | p. 8 |
| The Business Case far Role-Based Access Control | p. 9 |
| Evaluating the RBAC Business Case | p. 10 |
| Security Requirements | p. 10 |
| Return on Investment | p. 11 |
| The Economic Case | p. 17 |
| The Security Case | p. 17 |
| The Compliance Case | p. 18 |
| References | p. 20 |
| Role Engineering in the Phases of the System Development Life Cycle | p. 21 |
| Conducting a Role Engineering Effort as an Independent Activity | p. 22 |
| Conducting a Role Engineering Effort in Conjunction with a System Development Effort | p. 23 |
| Initiation Phase | p. 24 |
| Acquisition/Development Phase | p. 26 |
| Implementation Phase | p. 26 |
| Operations and Maintenance Phase | p. 29 |
| Disposition Phase | p. 30 |
| References | p. 32 |
| Role Engineering and Why We Need It | p. 33 |
| What Is Role Engineering? | p. 33 |
| An Example of Incorrect Engineering | p. 35 |
| Sources of Roles | p. 38 |
| Access Control Policy | p. 40 |
| Role Names and Permissions | p. 41 |
| Non-RBAC Support of the Access Control Policy | p. 43 |
| Resources Subject to RBAC | p. 45 |
| Constraints | p. 46 |
| Use of Hierarchies | p. 47 |
| Realization of Roles in IT Systems | p. 48 |
| Structural Roles and Functional Roles | p. 51 |
| Role Engineering as Requirements Engineering | p. 51 |
| Role Engineering as Systems Engineering | p. 53 |
| References | p. 57 |
| Defining Good Roles | p. 59 |
| Types of Roles | p. 60 |
| Role Engineering Guidelines | p. 61 |
| Access Control Policy | p. 63 |
| Objects to Be Protected | p. 63 |
| Identifying Protected Objects | p. 65 |
| Role Names | p. 66 |
| Supporting the Access Control Policy | p. 67 |
| Business Rules and Security Rules | p. 69 |
| Permissions | p. 71 |
| More on Role Names | p. 71 |
| More on Permissions | p. 72 |
| When Are We Done? | p. 73 |
| The Role Engineering Process | p. 75 |
| Approaches to Defining Roles | p. 75 |
| Advantages and Disadvantages | p. 80 |
| The Scenario Hurdle | p. 80 |
| A Recommendation | p. 87 |
| References | p. 87 |
| Designing the Roles | p. 89 |
| How Do We Go About Engineering Roles? | p. 91 |
| A Strategy for Preserving Role Understandability | p. 93 |
| Structural Role Names Should Mirror Functional Role Names | p. 93 |
| When to Use Hierarchies | p. 94 |
| Defining Role Hierarchies | p. 97 |
| Alternatives to Hierarchies | p. 100 |
| Constraints | p. 100 |
| References | p. 101 |
| Engineering the Permissions | p. 103 |
| Objects | p. 104 |
| Operations | p. 105 |
| Operations on Objects | p. 105 |
| Levels of Abstraction | p. 105 |
| Permissions Are Independent Building Blocks | p. 106 |
| Overcoming the Paradox | p. 108 |
| Two Schools of Thought | p. 108 |
| Translating High-Level Permissions into IT Permissions | p. 110 |
| The Engineering Part | p. 110 |
| Relating High-Level Permissions to Permissions in an IT System | p. 112 |
| Reference | p. 120 |
| Tools That Can Be Used to Assist the Role Engineering Process | p. 121 |
| Potential Benefits of Role Engineering Tools | p. 121 |
| What Tools Can Do | p. 122 |
| Deciding Whether Tools Are Needed | p. 123 |
| What Tools Cannot Do | p. 125 |
| Tool Selection Criteria | p. 125 |
| Cost-Benefit Analysis | p. 125 |
| Some Available Tools | p. 126 |
| Tools Summary | p. 126 |
| Putting It All Together: The Role Formation Process | p. 131 |
| Combining the Ingredients | p. 131 |
| Workflows | p. 131 |
| Relating Permissions to Roles | p. 133 |
| Role Hierarchies | p. 134 |
| Reflecting Constraints | p. 136 |
| Process for Role Formation | p. 136 |
| Testing Roles Against Access Control Policy | p. 139 |
| Organizing Role Definitions in a Repository | p. 142 |
| References | p. 145 |
| What Others Have Been Doing | p. 14 |
| Role Definition Projects | p. 148 |
| Permission Definition Projects | p. 148 |
| Healthcare Scenario Roadmap | p. 153 |
| Healthcare Scenarios | p. 153 |
| Task Force Makeup | p. 154 |
| Communication Mechanisms | p. 154 |
| Exit Criteria | p. 155 |
| Work Method of the Task Force | p. 155 |
| Scenario Identification | p. 155 |
| Facilitated Sessions | p. 156 |
| Outreach Within and External to the Organization | p. 156 |
| Existing and Emerging Standards | p. 157 |
| Health Level 7 | p. 157 |
| RBAC Standard | p. 157 |
| RBAC Implementation Standard (Interoperability of Role Definitions) | p. 157 |
| ASTM Role Names and Privilege Management Infrastructure | p. 157 |
| Role Engineering Standard (HL7, Possibly INCITS) | p. 158 |
| OASIS XACML RBAC Profile | p. 158 |
| RBAC Research Activities | p. 158 |
| Context-Sensitive Permissions | p. 160 |
| Automatic Assignment of Roles to Users | p. 160 |
| Multihierarchy Role Relationships | p. 162 |
| Economic Analysis of RBAC | p. 164 |
| Dynamic Role Definitions | p. 164 |
| Testing and Assurance of RBAC Policy Definitions | p. 164 |
| SACMAT and ACSAC | p. 164 |
| References | p. 165 |
| Planning a Role Engineering Effort | p. 167 |
| The Importance of Good Planning | p. 167 |
| Justifying the Project | p. 169 |
| Planning the Project | p. 169 |
| Communications Plan | p. 170 |
| The Planning Process | p. 171 |
| Discussion of the Six Questions | p. 172 |
| Level of Effort | p. 173 |
| Key Milestones | p. 174 |
| Measuring Progress | p. 174 |
| Additional Tracking | p. 176 |
| Summarizing the Plan | p. 176 |
| Summary | p. 176 |
| References | p. 177 |
| Staffing for Role Engineering | p. 179 |
| Effectiveness Considerations | p. 180 |
| Cost Considerations | p. 181 |
| Risk Considerations | p. 182 |
| Stability Considerations | p. 182 |
| Team Management Functions | p. 184 |
| Team Building | p. 184 |
| Staff Selection | p. 186 |
| Types of Individuals Needed | p. 187 |
| Leadership | p. 188 |
| Communications | p. 188 |
| Motivation | p. 190 |
| Staff Development | p. 190 |
| Staff Evaluation | p. 191 |
| Staff Retention | p. 192 |
| References | p. 192 |
| What Can Go Wrong and Why? | p. 193 |
| Quality of Role Definitions | p. 193 |
| Access Control Policy | p. 193 |
| Inadequately Engineered Roles | p. 194 |
| Role Names | p. 195 |
| Permissions | p. 195 |
| Constraints | p. 196 |
| Hierarchies | p. 196 |
| Number of Roles | p. 196 |
| Problems in Execution of the Role Engineering Process | p. 196 |
| Efficiency in the Use of Role Engineering Resources | p. 197 |
| Innate Conflicts | p. 197 |
| Maintenance Planning | p. 198 |
| Backtracking | p. 198 |
| Other Limitations of Role Engineering | p. 199 |
| Overcoming Obstacles | p. 200 |
| Practical Guidance from Eurekify, Ltd. | p. 200 |
| Reference | p. 203 |
| Summary and Conclusion | p. 205 |
| Making the Business Case | p. 205 |
| Integrating Role Engineering into the System Development Life Cycle | p. 206 |
| Defining Good Roles | p. 206 |
| The Process of Defining Roles | p. 207 |
| Tools That Can Assist in the Role Engineering Process | p. 207 |
| Activities of Organizations Relevant to Role Engineering | p. 208 |
| Planning and Staffing a Role Engineering Effort | p. 208 |
| Potential Pitfalls and How to Avoid Them | p. 209 |
| Reminders of Key Recommendations | p. 210 |
| What We Can Expect in the Future | p. 210 |
| Final Recommendations | p. 212 |
| References | p. 212 |
| Bibliography | p. 213 |
| About the Authors | p. 217 |
| Index | p. 221 |
| Table of Contents provided by Ingram. All Rights Reserved. |
What is included with this book?
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Please wait while the item is added to your bag...
