Whether you are a manager, engineer, or IT security specialist, this authoritative resource shows you how to define and deploy roles for securing enterprise systems. Written by leading authorities in the field, the book explains how you can build a business case, identify risks, determine project costs, and fully plan and staff a role engineering effort. You find practical techniques that meaningfully define roles and ensure proper assignment of permissions and roles to users. The book presents tools that enable you to capture permissions and user assignments from existing systems, and analyze user and permission data in scenarios simulating actual system use. Moreover, this practical reference helps you evaluate these tools and decide which ones are right for your own role engineering program. The book also shows how to verify that role structures comply with security policies. You find tips and insights from real-world projects that guarantee you engineer roles strategically and securely.
Table Of Contents
Introduction Aims of the Book. What the Book Covers. How the Book Can Be Used.; The Business Case for Role-Based Access Control Economic Case. Security Case. Case Studies.; Role Engineering in the Phases of the System Development Life Cycle Initiation. Acquisition/Development. Implementation. Operations and Management. Disposition.; Role Engineering and Why We Need It Working Assumptions. What Do We Mean by Roles? How Can Roles Be Used for Access Control in Information Systems? What Can Happen if Roles Are Not Engineered Properly? What Are the Basic Approaches to Role Engineering? What Other Activities Are Similar to Role Engineering?; Staffing for Role Engineering Scoping the Role Engineering Effort. What Types of Individuals Are Needed and What Will They Be Doing? What Additional Training May Be Necessary? What Types of Planning Must Be Done? What Corporate Commitments Will Be Required? ; Defining Good Roles Types of Roles to Be Defined (Business, Administration, and Security. Number of Roles to Be Defined. Security Permissions and Business Rules. Building Block Approach. Considerations of Selecting Role Names. Considerations of Selecting Role Names. Considerations for Defining Permissions to Be Attached to Roles. How Do We Know When We Are Done? ; Two Approaches to Defining Roles Top-Down. Bottom-Up, Combining the Two Approaches.; Designing the Roles Selecting Role Names. Constraints on Roles and Permissions. Role Hierarchies.; Engineering Permissions What Is a Permission? How Do Permissions Relate to Roles? How to Define High-Level Permissions. How to Define Low-Level Permissions. Additional Staffing Needs for Defining and Implementing Low-Level Permissions. How Can Permissions Be Implemented in Actual Systems?; Tools that Can Be Used to Assist the Role Engineering Process Generic Tools. Special-Purpose Tools. Leading Tool Vendors. Tool Selection Criteria. Integration with Related Tools.; Putting It All Together Relating Permissions to Roles. Designing the Role Structure. Testing the Role Definitions.; What Others Have Been Doing Role Definition Projects. Permission Definition Projects. Existing and Emerging Standards. RBAC Research Activities.; What Can Go Wrong and Why? Pitfalls and Common Mistakes. Limitations of Role Engineering. Overcoming Obstacles.; Planning a Role Engineering Effort Scope Definition. Establishing a Process. Staffing the Effort. Establishing Key Milestones. Measuring Progress. Assessing Results. ; Conclusion Summary of a Role Engineering Processes. Guidance for Obtaining Additional Information on RBAC. Suggested Next Steps.; References.
Edward J. Coyne
Edward J. Coyne is a senior security engineer at Science Applications International Corporation in Vienna, Virginia. Among his many professional activities, he is a member of Health Level 7's Security and CCOW Technical committees, chair of the Role-Based Access Control Task Group of the International Committee for Information Technology Standards, and a senior member of the IEEE. He earned a Ph.D. degree in theoretical linguistics from Georgetown University and an M.A. in linguistics from the American University.
John M. Davis
John M. Davis is a security architect for the US Department of Veterans Affairs in Encintas, California. He is a voting member of the International Committee for Information Technology Standards and co-chairs both Health Level 7's Security Technical Committee and Privilege Management Infrastructure Subcommittee for the ASTM Committee E31 on Healthcare Informatics. He holds an M.S. in physics and electronics engineering.