Access Control Systems: Security, Identity Management and Trust Models
December 2005
Publisher:
  • Springer-Verlag
  • Berlin, Heidelberg
ISBN:978-0-387-00445-7
Published:01 December 2005
Abstract

Detailing access control mechanisms that are emerging with the latest Internet programming technologies, this thorough text provides an introduction to the foundations of programming systems security, identity management, trust models, and much more.

Cited By

  1. Wallis K, Merzinger M, Reich C and Schindelhauer C A Security Model based Authorization Concept for OPC Unified Architecture Proceedings of the 10th International Conference on Advances in Information Technology, (1-8)
  2. Ultra J and Pancho-Festin S (2017). A simple model of separation of duty for access control models, Computers and Security, 68:C, (69-80), Online publication date: 1-Jul-2017.
  3. Martínez S, García J and Cabot J Runtime support for rule-based access-control evaluation through model-transformation Proceedings of the 2016 ACM SIGPLAN International Conference on Software Language Engineering, (57-69)
  4. dos Santos D, Marinho R, Schmitt G, Westphall C and Westphall C (2016). A framework and risk assessment approaches for risk-based access control in the cloud, Journal of Network and Computer Applications, 74:C, (86-97), Online publication date: 1-Oct-2016.
  5. Schreuders Z, McGill T and Payne C (2013). The state of the art of application restrictions and sandboxes, Computers and Security, 32:C, (219-241), Online publication date: 1-Feb-2013.
  6. Gouglidis A and Mavridis I (2019). domRBAC, Computers and Security, 31:4, (540-556), Online publication date: 1-Jun-2012.
  7. Elabidi A, Ben Ayed G, Mettali Gammar S and Kamoun F Towards hiding federated digital identity Proceedings of the 4th international conference on Security of information and networks, (239-242)
  8. Zhou G, Demirer M, Bayrak C and Wang L (2011). Enable delegation for RBAC with Secure Authorization Certificate, Computers and Security, 30:8, (780-790), Online publication date: 1-Nov-2011.
  9. Mustafić T, Messerman A, Camtepe S, Schmidt A and Albayrak S Behavioral biometrics for persistent single sign-on Proceedings of the 7th ACM workshop on Digital identity management, (73-82)
  10. Gouglidis A and Mavridis I Role-based secure inter-operation and resource usage management in mobile grid systems Proceedings of the 5th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication, (38-53)
  11. Pavlovic D Quantifying and qualifying trust Proceedings of the 7th International conference on Formal aspects of security and trust, (1-17)
  12. Candido S and Hutchinson S Detecting intrusion faults in remotely controlled systems Proceedings of the 2009 conference on American Control Conference, (4968-4973)
  13. Pavlovic D Dynamics, Robustness and Fragility of Trust Formal Aspects in Security and Trust, (97-113)
  14. Ajayi O, Sinnott R and Stell A Dynamic trust negotiation for flexible e-health collaborations Proceedings of the 15th ACM Mardi Gras conference: From lightweight mash-ups to lambda grids: Understanding the spectrum of distributed computing requirements, applications, tools, infrastructures, interoperability, and the incremental adoption of key capabilities, (1-7)
  15. Gadelha L and Schulze B On the management of grid credentials Proceedings of the 5th international workshop on Middleware for grid computing: held at the ACM/IFIP/USENIX 8th International Middleware Conference, (1-6)
  16. Ali B, Villegas W and Maheswaran M A trust based approach for protecting user data in social networks Proceedings of the 2007 conference of the center for advanced studies on Collaborative research, (288-293)
  17. Pham Q, McCullagh A and Dawson E Consistency of user attribute in federated systems Proceedings of the 4th international conference on Trust, Privacy and Security in Digital Business, (165-177)
Contributors
  • International Business Machines

Reviews

S. Nagaraj

Computers have become part and parcel of our everyday lives. For a variety of applications, it is desirable to control access to computer systems. Checking the identity of users, agents, or computers in a network is one of the preliminary tasks before granting access to resources. Authenticating users (verifying their identities), authorizing them to perform permitted actions, ensuring nonrepudiation of action (prevention of denial of participation in a transaction), and guaranteeing confidentiality and integrity of data in transactions constitute the fundamental requirements for ensuring the security of transactions. This book on access control systems centers on security, identity management, and trust models. The book may be read by anyone with an interest in computer security; however, the advanced topics in the book require a strong background in computer security. Eight chapters comprise the book.

Chapter 1 introduces the basics of security and access control. The author touches on the elements of systems security, identification and authentication of entities, and the management of passwords in a reliable manner. The chapter introduces access control policies, models, and mechanisms. Access control paradigms, role-based access control, delegation, masquerading, trust, and assurance are the main topics in this chapter. Some security-design principles are also highlighted.

Chapter 2 introduces models for managing identity. It discusses local identity, network identity, federated identity, and concepts such as global Web identity. The extensible name service (XNS) approach to global Web identity is also mentioned; XNS is a protocol, based on Extensible Markup Language (XML), for discovering and linking together identities that enter into a Web transaction. The chapter includes a discussion of centralized enterprise-level identity management.

Chapter 3 concentrates on the elements of trust paradigms in computing. Third-party approaches for managing trust are discussed with the Kerberos protocol as an illustrative example. Public key infrastructure (PKI) and its use for trust establishment are also mentioned here. In addition, the chapter includes information about attribute certificates. Attribute certificates are data constructs similar to public key certificates; when compared to public key certificates, the attribute certificates do not contain a public key. The chapter includes examples of trust management mechanisms on the World Wide Web. In this context, security in Web services, Security Assertion Markup Language (SAML), and Web cookies are also touched upon.

Chapter 4 deals with mandatory access control models. The theory of mandatory access control is introduced, along with two important models: the Bell-LaPadula model and the Biba model. The author compares the two models, and focuses on issues related to their implementation. The author concludes the chapter by citing a security model known as the "Chinese wall policy."

Chapter 5 concentrates on discretionary access control and the access-matrix model. Implementation considerations and the safety aspects of the access-matrix model are also studied. Chapter 6 looks at a security model known as the take-grant protection model. The author includes its definition and debates its security aspects. Chapter 7 is on the schematic protection model. Rules of operation related to the model are presented along with its applications.

Chapter 8 is the last chapter of the book. It studies role-based access control (RBAC). This chapter discusses basic RBAC and hierarchical RBAC. A comparative discussion of RBAC is also included in the chapter. The chapter studies flow analysis and separation of duty in RBAC. Consistency properties that should hold in RBAC systems are also presented. The author concludes the chapter by analyzing mechanisms for functional specification for RBAC.

The book includes adequate references and a handy index. Many of the references are up to date and closely connected with the subject matter of the book. The coverage of topics in the book is satisfactory. The book will be useful for those who wish to go deep into mechanisms for access control. It may be used for advanced courses in information security. Practitioners and university students are likely to benefit from reading it. On the negative side, the book has conspicuous typographical errors (for example, Kerberos is misspelled as Kerbers in chapter 3). Although the author did include a few examples from IBM products, including many more real-world examples would have made the presentation less drab. The author could have highlighted important open problems and challenging issues in the field (for example, alternatives to access control lists) and looked at directions for future research. Nevertheless, I recommend this book as a useful reference book for access control.

Online Computing Reviews Service
