Role Engineering for Enterprise Security Management.
Material type: Text
Series: Information Security & Privacy
Publisher: Norwood : Artech House, 2007
Copyright date: ©2008
Description: 1 online resource (242 pages)
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781596932197
Subject(s): Computer network architectures | Computer networks -- Access control | Information resources management | Management information systems
Genre/Form: Electronic books.
Additional physical formats: Print version: Role Engineering for Enterprise Security Management
DDC classification: 005.8
LOC classification: T58.64 -- .C69 2008eb

Contents of Role Engineering for Enterprise Security Management:
Contents (v)
1 Introduction (1): Background for the Book; Role-Based Access Control; Role Engineering; Aims of the Book; How the Book Can Be Used; References
2 The Business Case for Role-Based Access Control (9): Evaluating the RBAC Business Case; Security Requirements; Return on Investment; The Economic Case; The Security Case; The Compliance Case; References
3 Role Engineering in the Phases of the System Development Life Cycle (21): Conducting a Role Engineering Effort as an Independent Activity; Conducting a Role Engineering Effort in Conjunction with a System Development Effort; References
4 Role Engineering and Why We Need It (33): What Is Role Engineering?; An Example of Incorrect Engineering; Sources of Roles; Access Control Policy; Role Names and Permissions; Non-RBAC Support of the Access Control Policy; Resources Subject to RBAC; Constraints; Use of Hierarchies; Realization of Roles in IT Systems; Structural Roles and Functional Roles; Role Engineering as Requirements Engineering; Role Engineering as Systems Engineering; References
5 Defining Good Roles (59): Types of Roles; Role Engineering Guidelines; Objects to Be Protected; Identifying Protected Objects; Role Names; Supporting the Access Control Policy; Business Rules and Security Rules; Permissions; More on Role Names; More on Permissions; When Are We Done?
6 The Role Engineering Process (75): Approaches to Defining Roles; Advantages and Disadvantages; The Scenario Hurdle; A Recommendation; References
7 Designing the Roles (89): How Do We Go About Engineering Roles?; A Strategy for Preserving Role Understandability; Structural Role Names Should Mirror Functional Role Names; When to Use Hierarchies; Defining Role Hierarchies; Alternatives to Hierarchies; Constraints; References
8 Engineering the Permissions (103): Objects; Operations; Operations on Objects; Levels of Abstraction; Permissions Are Independent Building Blocks; Overcoming the Paradox; Two Schools of Thought; Translating High-Level Permissions into IT Permissions; Reference
9 Tools That Can Be Used to Assist the Role Engineering Process (121): Potential Benefits of Role Engineering Tools; What Tools Can Do; Deciding Whether Tools Are Needed; What Tools Cannot Do; Tool Selection Criteria; Cost-Benefit Analysis; Some Available Tools; Tools Summary
10 Putting It All Together: The Role Formation Process (131): Combining the Ingredients; Workflows; Relating Permissions to Roles; Role Hierarchies; Reflecting Constraints; Process for Role Formation; Testing Roles Against Access Control Policy; Organizing Role Definitions in a Repository; References
11 What Others Have Been Doing (147): Role Definition Projects; Permission Definition Projects; Healthcare Scenario Roadmap; Healthcare Scenarios; Task Force Makeup; Communication Mechanisms; Exit Criteria; Work Method of the Task Force; Existing and Emerging Standards; RBAC Research Activities; Context-Sensitive Permissions; Automatic Assignment of Roles to Users; Multihierarchy Role Relationships; Economic Analysis of RBAC; Dynamic Role Definitions; Testing and Assurance of RBAC Policy Definitions; SACMAT and ACSAC; References
12 Planning a Role Engineering Effort (167): The Importance of Good Planning; Justifying the Project; Planning the Project; Communications Plan; The Planning Process; Discussion of the Six Questions; Level of Effort; Key Milestones; Measuring Progress; Additional Tracking; Summarizing the Plan; Summary; References
13 Staffing for Role Engineering (179): Effectiveness Considerations; Cost Considerations; Risk Considerations; Stability Considerations; Team Management Functions; Team Building; Staff Selection; Types of Individuals Needed; Leadership; Communications; Motivation; Staff Development; Staff Evaluation; Staff Retention; References
14 What Can Go Wrong and Why? (193): Quality of Role Definitions; Problems in Execution of the Role Engineering Process; Efficiency in the Use of Role Engineering Resources; Maintenance Planning; Backtracking; Other Limitations of Role Engineering; Overcoming Obstacles; Practical Guidance from Eurekify, Ltd.; Reference
15 Summary and Conclusion (205): Making the Business Case; Integrating Role Engineering into the System Development Life Cycle; Defining Good Roles; The Process of Defining Roles; Tools That Can Assist in the Role Engineering Process; Activities of Organizations Relevant to Role Engineering; Planning and Staffing a Role Engineering Effort; Potential Pitfalls and How to Avoid Them; Reminders of Key Recommendations; What We Can Expect in the Future; Final Recommendations; References
Bibliography (213)
About the Authors (217)
Index (221)
This authoritative resource shows IT managers, network engineers, and IT security specialists how to define and deploy roles for securing enterprise systems. Written by leading authorities in the field, the book explains how to identify risks, determine project costs, and plan and staff a role engineering effort.
Description based on publisher supplied metadata and other sources.
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2018. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.