With continuous growth in the number of information objects and the users that can access these objects, ensuring that access is compliant with company policies has become a big challenge. Role-based Access Control (RBAC) — a policy-neutral access control model that serves as a bridge between academia and industry — is probably the most suitable security model for commercial applications.Interestingly, role design determines RBAC's cost. When there are hundreds or thousands of users within an organization, with individual functions and responsibilities to be accurately reflected in terms of access permissions, only a well-defined role engineering process allows for significant savings of time and money while protecting data and systems.Among role engineering approaches, searching through access control systems to find de facto roles embedded in existing permissions is attracting increasing interest. The focus falls on role mining, which is applied data mining techniques to automate — to the extent possible — the role design task.This book explores existing role mining algorithms and offers insights into the automated role design approaches proposed in the literature. Alongside theory, this book acts as a practical guide for using role mining tools when implementing RBAC. Besides a comprehensive survey of role mining techniques deeply rooted in academic research, this book also provides a summary of the role-based approach, access control concepts and describes a typical role engineering process.Among the pioneering works on role mining, this book blends business elements with data mining theory, and thus further extends the applications of role mining into business practice. This makes it a useful guide for all academics, IT and business professionals.

The authors explain role based access control (RBAC), its administrative and cost advantages, implementation issues and imigration from conventional access control methods to RBAC.

These proceedings contain the papers of IFIP/SEC 2010. It was a special honour and privilege to chair the Program Committee and prepare the proceedings for this conf- ence, which is the 25th in a series of well-established international conferences on security and privacy organized annually by Technical Committee 11 (TC-11) of IFIP. Moreover, in 2010 it is part of the IFIP World Computer Congress 2010 celebrating both the Golden Jubilee of IFIP (founded in 1960) and the Silver Jubilee of the SEC conference in the exciting city of Brisbane, Australia, during September 20–23. The call for papers went out with the challenging motto of “Security & Privacy Silver Linings in the Cloud” building a bridge between the long standing issues of security and privacy and the most recent developments in information and commu- cation technology. It attracted 102 submissions. All of them were evaluated on the basis of their significance, novelty, and technical quality by at least five member of the Program Committee. The Program Committee meeting was held electronically over a period of a week. Of the papers submitted, 25 were selected for presentation at the conference; the acceptance rate was therefore as low as 24. 5% making SEC 2010 a highly competitive forum. One of those 25 submissions could unfortunately not be included in the proceedings, as none of its authors registered in time to present the paper at the conference.

This book constitutes the proceedings of the 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, held in Rome Italy in June 2010. The 18 full and 11 short papers presented in this volume were carefully reviewed and selected from 61 submissions. The topics covered are query and data privacy; data protection; access control; data confidentiality and query verification; policy definition and enforcement; and trust and identity management.

"Cybercrime costs firms USD 1 trillion globally" - Headlines like this released by Reuters news agency on 29th January 2009 tend to regularly dominate international press lately. Surveys indicate that insiders like employees are one of the biggest threats to data security within organisations. As a result of improper account management users accumulate a number of excessive rights over time, resulting in the so called identity chaos. In the course of constantly growing IT infrastructures on the one hand, as well as the legislative regulations and law on the other hand, role-based Identity Management in particular has become a means of solving the identity chaos and meeting data security requirements. However, the central challenge organisations face in this context is how to construct a role catalogue for their Identity Management infrastructure. Some companies deal with this issue by applying predominantly manual procedures based on organisational and operational structures. These approaches are known as Role Engineering methodologies. Throughout the last few years, so-called Role Mining methodologies which use Data Mining techniques that cluster existing access rights of employees have evolved as alternative approaches. Recent findings show that a combination of Role Engineering and Role Mining is necessary to define a good collection of roles. This book gives insight into a hybrid tool-supported methodology for cleansing identity and account data and developing business roles for employees using Role Engineering and Role Mining techniques. Its main goals are to increase the overall user management data quality and support companies throughout a semi-automated process of defining roles. The methodology considers existing employee information and access privileges without neglecting organisational structures and business experts' knowledge about the organisation.

This essential resource for professionals and advanced students in security programming and system design introduces the foundations of programming systems security and the theory behind access control models, and addresses emerging access control mechanisms.

Role-based access control (RBAC) is a widely used technology to control information flows as well as control flows within and between applications in compliance with restrictions implied by security policies, in particular, to prevent disclosure of information or access to resources beyond restrictions defined by those security policies. Since RBAC only provides the alternatives of either granting or denying access, more fine-grained control of information flows such as “granting access to information provided that it will not be disclosed to targets outside our organisation during further processing” is not possible. In business processes, in particular those spanning several organisations, which are commonly defined using business process execution language (BPEL), useful information flows not violating security policy-implied limitations would be prevented if only the access control capabilities offered by RBAC are in use. The book shows a way of providing more refined methods of information flow control that allow for granting access to information or resources by taking in consideration the former or further information flow in a business process requesting this access. The methods proposed are comparatively easy to apply and have been proven to be largely machine-executable by a prototypical realisation. As an addition, the methods are extended to be also applicable to BPEL-defined workflows that make use of Grid services or Cloud services. IT Security Specialists Chief Information Officers (CIOs) Chief Security Officers (CSOs) Security Policy and Quality Assurance Officers and Managers Business Process and Web/Grid/Cloud Service Designers, Developers, Operational Managers Interested Learners / Students in the Field of Security Management.