Cover image for Role engineering for enterprise security management
Title:
Role engineering for enterprise security management
Personal Author:
Series:
Artech House information security and privacy series
Publication Information:
London : Artech House, 2008
Physical Description:
xvii, 224 p. : ill. ; 24 cm.
ISBN:
9781596932180

Available:*

Library
Item Barcode
Call Number
Material Type
Item Category 1
Status
Searching...
30000010183212 T58.64 C69 2008 Open Access Book Book
Searching...
Searching...
30000010219375 T58.64 C69 2008 Open Access Book Book
Searching...

On Order

Summary

Summary

Role engineering secures information systems. It ensures that every user has the right permission to access just the right information, computers, and networks. This book illustrates the entire role engineering process, from project planning to deployment and verification. It also shows how to verify that roles comply with security policies.


Author Notes

Edward J. Coyne is a senior security engineer at Science Applications International Corporation in Vienna, Virginia
John M. Davis is a security architect for the Veterans Health Administration


Table of Contents

Prefacep. xv
1 Introductionp. 1
Background for the Bookp. 1
Role-Based Access Controlp. 3
Role Engineeringp. 4
Aims of the Bookp. 5
How the Book Can Be Usedp. 5
Referencesp. 8
2 The Business Case far Role-Based Access Controlp. 9
Evaluating the RBAC Business Casep. 10
Security Requirementsp. 10
Return on Investmentp. 11
The Economic Casep. 17
The Security Casep. 17
The Compliance Casep. 18
Referencesp. 20
3 Role Engineering in the Phases of the System Development Life Cyclep. 21
Conducting a Role Engineering Effort as an Independent Activityp. 22
Conducting a Role Engineering Effort in Conjunction with a System Development Effortp. 23
Initiation Phasep. 24
Acquisition/Development Phasep. 26
Implementation Phasep. 26
Operations and Maintenance Phasep. 29
Disposition Phasep. 30
Referencesp. 32
4 Role Engineering and Why We Need Itp. 33
What Is Role Engineering?p. 33
An Example of Incorrect Engineeringp. 35
Sources of Rolesp. 38
Access Control Policyp. 40
Role Names and Permissionsp. 41
Non-RBAC Support of the Access Control Policyp. 43
Resources Subject to RBACp. 45
Constraintsp. 46
Use of Hierarchiesp. 47
Realization of Roles in IT Systemsp. 48
Structural Roles and Functional Rolesp. 51
Role Engineering as Requirements Engineeringp. 51
Role Engineering as Systems Engineeringp. 53
Referencesp. 57
5 Defining Good Rolesp. 59
Types of Rolesp. 60
Role Engineering Guidelinesp. 61
Access Control Policyp. 63
Objects to Be Protectedp. 63
Identifying Protected Objectsp. 65
Role Namesp. 66
Supporting the Access Control Policyp. 67
Business Rules and Security Rulesp. 69
Permissionsp. 71
More on Role Namesp. 71
More on Permissionsp. 72
When Are We Done?p. 73
6 The Role Engineering Processp. 75
Approaches to Defining Rolesp. 75
Advantages and Disadvantagesp. 80
The Scenario Hurdlep. 80
A Recommendationp. 87
Referencesp. 87
7 Designing the Rolesp. 89
How Do We Go About Engineering Roles?p. 91
A Strategy for Preserving Role Understandabilityp. 93
Structural Role Names Should Mirror Functional Role Namesp. 93
When to Use Hierarchiesp. 94
Defining Role Hierarchiesp. 97
Alternatives to Hierarchiesp. 100
Constraintsp. 100
Referencesp. 101
8 Engineering the Permissionsp. 103
Objectsp. 104
Operationsp. 105
Operations on Objectsp. 105
Levels of Abstractionp. 105
Permissions Are Independent Building Blocksp. 106
Overcoming the Paradoxp. 108
Two Schools of Thoughtp. 108
Translating High-Level Permissions into IT Permissionsp. 110
The Engineering Partp. 110
Relating High-Level Permissions to Permissions in an IT Systemp. 112
Referencep. 120
9 Tools That Can Be Used to Assist the Role Engineering Processp. 121
Potential Benefits of Role Engineering Toolsp. 121
What Tools Can Dop. 122
Deciding Whether Tools Are Neededp. 123
What Tools Cannot Dop. 125
Tool Selection Criteriap. 125
Cost-Benefit Analysisp. 125
Some Available Toolsp. 126
Tools Summaryp. 126
10 Putting It All Together: The Role Formation Processp. 131
Combining the Ingredientsp. 131
Workflowsp. 131
Relating Permissions to Rolesp. 133
Role Hierarchiesp. 134
Reflecting Constraintsp. 136
Process for Role Formationp. 136
Testing Roles Against Access Control Policyp. 139
Organizing Role Definitions in a Repositoryp. 142
Referencesp. 145
11 What Others Have Been Doingp. 14
Role Definition Projectsp. 148
Permission Definition Projectsp. 148
Healthcare Scenario Roadmapp. 153
Healthcare Scenariosp. 153
Task Force Makeupp. 154
Communication Mechanismsp. 154
Exit Criteriap. 155
Work Method of the Task Forcep. 155
Scenario Identificationp. 155
Facilitated Sessionsp. 156
Outreach Within and External to the Organizationp. 156
Existing and Emerging Standardsp. 157
Health Level 7p. 157
RBAC Standardp. 157
RBAC Implementation Standard (Interoperability of Role Definitions)p. 157
ASTM Role Names and Privilege Management Infrastructurep. 157
Role Engineering Standard (HL7, Possibly INCITS)p. 158
OASIS XACML RBAC Profilep. 158
RBAC Research Activitiesp. 158
Context-Sensitive Permissionsp. 160
Automatic Assignment of Roles to Usersp. 160
Multihierarchy Role Relationshipsp. 162
Economic Analysis of RBACp. 164
Dynamic Role Definitionsp. 164
Testing and Assurance of RBAC Policy Definitionsp. 164
SACMAT and ACSACp. 164
Referencesp. 165
12 Planning a Role Engineering Effortp. 167
The Importance of Good Planningp. 167
Justifying the Projectp. 169
Planning the Projectp. 169
Communications Planp. 170
The Planning Processp. 171
Discussion of the Six Questionsp. 172
Level of Effortp. 173
Key Milestonesp. 174
Measuring Progressp. 174
Additional Trackingp. 176
Summarizing the Planp. 176
Summaryp. 176
Referencesp. 177
13 Staffing for Role Engineeringp. 179
Effectiveness Considerationsp. 180
Cost Considerationsp. 181
Risk Considerationsp. 182
Stability Considerationsp. 182
Team Management Functionsp. 184
Team Buildingp. 184
Staff Selectionp. 186
Types of Individuals Neededp. 187
Leadershipp. 188
Communicationsp. 188
Motivationp. 190
Staff Developmentp. 190
Staff Evaluationp. 191
Staff Retentionp. 192
Referencesp. 192
14 What Can Go Wrong and Why?p. 193
Quality of Role Definitionsp. 193
Access Control Policyp. 193
Inadequately Engineered Rolesp. 194
Role Namesp. 195
Permissionsp. 195
Constraintsp. 196
Hierarchiesp. 196
Number of Rolesp. 196
Problems in Execution of the Role Engineering Processp. 196
Efficiency in the Use of Role Engineering Resourcesp. 197
Innate Conflictsp. 197
Maintenance Planningp. 198
Backtrackingp. 198
Other Limitations of Role Engineeringp. 199
Overcoming Obstaclesp. 200
Practical Guidance from Eurekify, Ltd.p. 200
Referencep. 203
15 Summary and Conclusionp. 205
Making the Business Casep. 205
Integrating Role Engineering into the System Development Life Cyclep. 206
Defining Good Rolesp. 206
The Process of Defining Rolesp. 207
Tools That Can Assist in the Role Engineering Processp. 207
Activities of Organizations Relevant to Role Engineeringp. 208
Planning and Staffing a Role Engineering Effortp. 208
Potential Pitfalls and How to Avoid Themp. 209
Reminders of Key Recommendationsp. 210
What We Can Expect in the Futurep. 210
Final Recommendationsp. 212
Referencesp. 212
Bibliographyp. 213
About the Authorsp. 217
Indexp. 221