Subject: [CISSP-D] REVIEW: "Role-Based Access Control", David F. Ferraiolo/D. Richard Kuhn/Ramaswamy Chandramouli
Date: Mon, 30 Jan 2006 08:01:32 -0800
BKROLBAC.RVW   20051106

"Role-Based Access Control", David F. Ferraiolo/D. Richard
Kuhn/Ramaswamy Chandramouli, 2003, 1-58053-370-1
%A   David F. Ferraiolo
%A   D. Richard Kuhn
%A   Ramaswamy Chandramouli
%C   685 Canton St., Norwood, MA   02062
%D   2003
%G   1-58053-370-1
%I   Artech House/Horizon
%O   617-769-9750 800-225-9977 fax: 6177696334 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1580533701/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1580533701/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580533701/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   316 p.
%T   "Role-Based Access Control"

The original papers on role-based access control (RBAC) saw it as an
extension of mandatory access control (MAC): a given role in an
organization would have a given requirement for clearance, and
therefore a particular person in a role would have access to material
labelled at a specific sensitivity.  In the preface, the authors state
that they are following current interest in RBAC as a means of
identity management, with little distinction made between the use of
discretionary or mandatory access control policies.  The intended
audiences are security professionals, software developers, and
instructors and students in security courses.

Chapter one outlines the basics of access control, moves to a history
of access control and RBAC, and ends with a justification for the use
of RBAC in the enterprise.  More details of access control concepts
are provided in chapter two, along with some repetitions of the models
in chapter one.  The basics of role-based access control are outlined
in chapter three.  Chapter four examines role hierarchies and the
inheritance of privilege.  Separation of duties (somewhat
oversimplified in the equation to the "two man rule") addresses the
issue of conflation of roles, although chapter five is rather weak in
terms of practical implementation.  Chapter six looks at the use of
RBAC with both mandatory (MAC) and discretionary (DAC) access control. 
The NIST (US National Institute of Standards and Technology) RBAC
standard is explained in chapter seven.

Chapter eight examines the intriguing idea of using role-based
administration to manage the assignments and permissions of RBAC
itself.  (This material is highly formal, and would require dedicated
study by those attempting to implement it.)  Enterprise access
frameworks (EAFs) are proposed in chapter nine, reaching back to
mandatory access control for a kind of automated assignment of
permissions direct from corporate policy.  (Much of this text is taken
up with XML code.)  The relation of RBAC to various popular
technologies is suggested in chapter ten.  A short case study of the
transition of a company to RBAC is provided in chapter eleven. 
Chapter twelve deals with RBAC facilities in a number of commercial
products.

The writing is frequently uneven and repetitious, but the concepts are
generally clear enough.  The book also uses lots of acronyms, and
isn't always careful about providing an explanation for them.

In regard to the stated audiences, most security professionals will
find much of interest and value in the first half of the book, and it
would act as a useful text in a number of security courses.  Software
developers might not find as much to their advantage.  The second half
of the book is questionable.  For those involved in the formal and
theoretical study of role-based access control, this work will have
much merit, but that is a select audience, and the demands on the
reader will be significant.

copyright Robert M. Slade, 2005   BKROLBAC.RVW   20051106


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
Woe be to him that reads but one book.        - George Herbert, 1651
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
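To make concrete the role hierarchy, inheritance of privilege and separation-of-duty constraint that the review mentions (chapters four, five and seven), here is an added example that is not from the book or the review: a minimal NIST-style hierarchical RBAC model with a static separation-of-duty (SSD) check, evaluated over inherited roles so a senior role cannot sidestep the two-man rule. The roles, users and invoice policy are constructed for illustration.

```python
from collections import deque

class RBAC:
    """Minimal hierarchical RBAC with a static separation-of-duty (SSD) constraint."""
    def __init__(self):
        self.perms = {}        # role -> set of (operation, object) granted directly
        self.juniors = {}      # role -> roles it inherits permissions from
        self.assignments = {}  # user -> roles assigned directly
        self.ssd = []          # (conflicting roles, n): no user may be authorized for n of them
    def add_role(self, role, *juniors):
        self.perms.setdefault(role, set())
        self.juniors[role] = set(juniors)
    def grant(self, role, operation, obj):
        self.perms[role].add((operation, obj))
    def add_ssd(self, roles, n=2):
        self.ssd.append((frozenset(roles), n))
    def authorized_roles(self, role):
        # Walk the hierarchy: a senior role is authorized for everything its juniors hold.
        seen, todo = set(), deque([role])
        while todo:
            r = todo.popleft()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors.get(r, ()))
        return seen
    def assign(self, user, role):
        roles = self.assignments.get(user, set()) | {role}
        # Evaluate SSD over authorized (inherited) roles so the hierarchy cannot bypass it.
        effective = set().union(*(self.authorized_roles(r) for r in roles))
        for conflict, n in self.ssd:
            if len(conflict & effective) >= n:
                raise ValueError(f"SSD violation for {user}: {sorted(conflict & effective)}")
        self.assignments[user] = roles
    def check(self, user, operation, obj):
        return any((operation, obj) in self.perms.get(a, ())
                   for r in self.assignments.get(user, ())
                   for a in self.authorized_roles(r))

def build_invoice_policy():
    # Constructed sample policy: preparer and approver both inherit the viewer role.
    rbac = RBAC()
    rbac.add_role("viewer")
    rbac.add_role("preparer", "viewer")
    rbac.add_role("approver", "viewer")
    for role, op in [("viewer", "read"), ("preparer", "create"), ("approver", "approve")]:
        rbac.grant(role, op, "invoice")
    rbac.add_ssd({"preparer", "approver"})  # two-man rule: nobody both prepares and approves
    rbac.assign("alice", "preparer")
    rbac.assign("bob", "approver")
    return rbac
```

Assigning alice the approver role on top of preparer raises an SSD violation, while her read access on invoices comes through inheritance from viewer without any direct grant.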
