Extending RBAC for large enterprises and its quantitative risk evaluation

Seiichi Kondo, Mizuho Iwaihara, Masatoshi Yoshikawa, Masashi Torato

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Systems and security products based on the RBAC model have been widely introduced to enterprises. In particular, the demands for enforcement of enterprise-level security policies and total identity management are growing rapidly. The RBAC model needs to be extended to deal with the various circumstances of large enterprises, such as geographical distribution and heterogeneous environments including physical access control. In this paper, we introduce a new RBAC model suitable for single sign-on systems. This model optimizes evaluation of rule-based RBAC so that total operation costs and productivity can be improved. Furthermore, to select the most cost-effective RBAC extensions for enterprise-wide requirements, we propose a quantitative risk evaluation method based on fault trees. We construct fault trees having security violation and productivity loss as top events, and RBAC standard functions and security incidents as basic events. Probabilities of the top events are computed for given RBAC models and operation environments. We apply this method to a real enterprise system using the above RBAC extension, and the proposed model realizes more safety and productivity than the base model.

Original language: English
Title of host publication: IFIP International Federation for Information Processing
Pages: 99-112
Number of pages: 14
Volume: 286
DOI: https://doi.org/10.1007/978-0-387-85691-9_9
Publication status: Published - 2008
Externally published: Yes

Publication series

Name: IFIP International Federation for Information Processing
Volume: 286
ISSN (Print): 15715736

Fingerprint

Large enterprises
Risk evaluation
Role-based access control
Productivity
Fault
Rule-based
Enforcement
Costs
Physical environment
Violations
Access control
Model evaluation
Incidents
Security policy
Safety
Identity management
Geographical distribution
Enterprise systems
Evaluation method

ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Kondo, S., Iwaihara, M., Yoshikawa, M., & Torato, M. (2008). Extending RBAC for large enterprises and its quantitative risk evaluation. In IFIP International Federation for Information Processing (Vol. 286, pp. 99-112). (IFIP International Federation for Information Processing; Vol. 286). https://doi.org/10.1007/978-0-387-85691-9_9

@inproceedings{86f098c616cc4a479b0abc0984c3c030,
title = "Extending RBAC for large enterprises and its quantitative risk evaluation",
abstract = "Systems and security products based on the RBAC model have been widely introduced to enterprises. Especially, the demands on enforcement of enterprise-level security policies and total identity management are rapidly growing. The RBAC model needs to be extended to deal with various circumstances of large enterprises, such as geographical distribution and heterogeneous environments including physical access control. In this paper, we introduce a new RBAC model, suitable for single sign-on systems. This model optimizes evaluation of rule-based RBAC so that total operation costs and productivity can be improved. Furthermore, to select most cost-effective RBAC extensions for enterprise-wide requirements, we propose a quantitative risk evaluation method based on fault trees. We construct fault trees having security violation and productivity loss as top events, and RBAC standard functions and security incidents as basic events. Probabilities of the top events are computed for given RBAC models and operation environments. We apply this method to a real enterprise system using the above RBAC extension and the proposed model realizes more safety and productivity over the base model.",
author = "Seiichi Kondo and Mizuho Iwaihara and Masatoshi Yoshikawa and Masashi Torato",
year = "2008",
doi = "10.1007/978-0-387-85691-9_9",
language = "English",
isbn = "9780387856902",
volume = "286",
series = "IFIP International Federation for Information Processing",
pages = "99--112",
booktitle = "IFIP International Federation for Information Processing",

}
