
Role Engineering for Enterprise Security Management

Content
- Role Engineering for Enterprise Security Management
- Contents v
- 1 Introduction 1
- Background for the Book
- Role-Based Access Control
- Role Engineering
- Aims of the Book
- How the Book Can Be Used
- References
- 2 The Business Case for Role-Based Access Control 9
- Evaluating the RBAC Business Case
- Security Requirements
- Return on Investment
- The Economic Case
- The Security Case
- The Compliance Case
- References
- 3 Role Engineering in the Phases of the System Development Life Cycle 21
- Conducting a Role Engineering Effort as an Independent Activity
- Conducting a Role Engineering Effort in Conjunction with a System Development Effort
- References
- 4 Role Engineering and Why We Need It 33
- What Is Role Engineering?
- An Example of Incorrect Engineering
- Sources of Roles
- Access Control Policy
- Role Names and Permissions
- Non-RBAC Support of the Access Control Policy
- Resources Subject to RBAC
- Constraints
- Use of Hierarchies
- Realization of Roles in IT Systems
- Structural Roles and Functional Roles
- Role Engineering as Requirements Engineering
- Role Engineering as Systems Engineering
- References
- 5 Defining Good Roles 59
- Types of Roles
- Role Engineering Guidelines
- Objects to Be Protected
- Identifying Protected Objects
- Role Names
- Supporting the Access Control Policy
- Business Rules and Security Rules
- Permissions
- More on Role Names
- More on Permissions
- When Are We Done?
- 6 The Role Engineering Process 75
- Approaches to Defining Roles
- Advantages and Disadvantages
- The Scenario Hurdle
- A Recommendation
- References
- 7 Designing the Roles 89
- How Do We Go About Engineering Roles?
- A Strategy for Preserving Role Understandability
- Structural Role Names Should Mirror Functional Role Names
- When to Use Hierarchies
- Defining Role Hierarchies
- Alternatives to Hierarchies
- Constraints
- References
- 8 Engineering the Permissions 103
- Objects
- Operations
- Operations on Objects
- Levels of Abstraction
- Permissions Are Independent Building Blocks
- Overcoming the Paradox
- Two Schools of Thought
- Translating High-Level Permissions into IT Permissions
- Reference
- 9 Tools That Can Be Used to Assist the Role Engineering Process 121
- Potential Benefits of Role Engineering Tools
- What Tools Can Do
- Deciding Whether Tools Are Needed
- What Tools Cannot Do
- Tool Selection Criteria
- Cost-Benefit Analysis
- Some Available Tools
- Tools Summary
- 10 Putting It All Together: The Role Formation Process 131
- Combining the Ingredients
- Workflows
- Relating Permissions to Roles
- Role Hierarchies
- Reflecting Constraints
- Process for Role Formation
- Testing Roles Against Access Control Policy
- Organizing Role Definitions in a Repository
- References
- 11 What Others Have Been Doing 147
- Role Definition Projects
- Permission Definition Projects
- Healthcare Scenario Roadmap
- Healthcare Scenarios
- Task Force Makeup
- Communication Mechanisms
- Exit Criteria
- Work Method of the Task Force
- Existing and Emerging Standards
- RBAC Research Activities
- Context-Sensitive Permissions
- Automatic Assignment of Roles to Users
- Multihierarchy Role Relationships
- Economic Analysis of RBAC
- Dynamic Role Definitions
- Testing and Assurance of RBAC Policy Definitions
- SACMAT and ACSAC
- References
- 12 Planning a Role Engineering Effort 167
- The Importance of Good Planning
- Justifying the Project
- Planning the Project
- Communications Plan
- The Planning Process
- Discussion of the Six Questions
- Level of Effort
- Key Milestones
- Measuring Progress
- Additional Tracking
- Summarizing the Plan
- Summary
- References
- 13 Staffing for Role Engineering 179
- Effectiveness Considerations
- Cost Considerations
- Risk Considerations
- Stability Considerations
- Team Management Functions
- Team Building
- Staff Selection
- Types of Individuals Needed
- Leadership
- Communications
- Motivation
- Staff Development
- Staff Evaluation
- Staff Retention
- References
- 14 What Can Go Wrong and Why? 193
- Quality of Role Definitions
- Problems in Execution of the Role Engineering Process
- Efficiency in the Use of Role Engineering Resources
- Maintenance Planning
- Backtracking
- Other Limitations of Role Engineering
- Overcoming Obstacles
- Practical Guidance from Eurekify, Ltd.
- Reference
- 15 Summary and Conclusion 205
- Making the Business Case
- Integrating Role Engineering into the System Development Life Cycle
- Defining Good Roles
- The Process of Defining Roles
- Tools That Can Assist in the Role Engineering Process
- Activities of Organizations Relevant to Role Engineering
- Planning and Staffing a Role Engineering Effort
- Potential Pitfalls and How to Avoid Them
- Reminders of Key Recommendations
- What We Can Expect in the Future
- Final Recommendations
- References
- Bibliography 213
- About the Authors 217
- Index 221
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (Kindle: limited support only).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise any reading software with your personal Adobe ID after installing it.
For more information, see our eBook Help page.