Book Review: Access Control, Security, and Trust: A Logical Approach 

 
Download Article Article in Digital Form

Access Control, Security, and Trust: A Logical ApproachAccess control, security and trust are among the greatest risks—compliance and otherwise—facing corporations today. Controlling access to protected objects is central to any security program, and the foundation of Access Control, Security, and Trust:  A Logical Approach is straightforward:  Reference monitors are the means to protect objects of value in systems.

Access Control, Security, and Trust:  A Logical Approach is intended to serve the needs of computer engineers and computer scientists who are responsible for specifying, designing, implementing, building, and verifying or certifying secure computer and information systems. However, beginners to the study of access security will be enlightened by the education presented, as the authors remain cognizant throughout the book of the reader’s need to understand the basic concepts of authentication and authorization. The book provides answers to the following dilemmas:

  • Who or what are access-protected resources?
  • How can one protect the access control confidentiality, integrity and availability (CIA) triangle?
  • Who or what is trusted or believed?
  • How one can conclude that a system is worthy of trust?

The publication aims to fill a gap left by many books on computer and network security. The book lays out algorithm logic, but does not require a highly mathematical intellect to understand its contents. The publication’s methodical focus on access control and reference monitors introduces a language for describing access-control scenarios, inference rules and resulting formulas. The authors explain the concepts in elementary, easy-to-understand language and leave in-depth understanding of the mathematical concepts optional for later reading.

Access Control, Security, and Trust:  A Logical Approach is divided into four parts:  Preliminaries, Distributed Access Control, Isolation and Sharing, and Access Policies. Part I explains the language and basics of access control, reasoning and reference rules. Building on these concepts of security mechanisms, this part also differentiates among and describes security policy types. Part II explores distributed access control in network environments, digital authentication, and delegation concepts and protocols. Part III ties the logical lessons of the first two sections into the core of cybersecurity: hardware security. Part IV expands on the security policies discussed in part I and introduces a richer notion of confidentiality and integrity levels, models and policies based on principles, objects and roles.

The unique strength of the 326-page book is its plethora of tables and exercises, converting its mathematical logic into real-world, nonmathematical language and visuals. Chapter summaries recap the line-by-line mathematical formulas in unambiguous statements.

Editor’s Note

Access Control, Security, and Trust:  A Logical Approach is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail bookstore@isaca.org or telephone +1.847.660.5650. Learn more and collaborate on Access Controls at www.isaca.org/topic-access-control.

Reviewed by Connie Spinelli, CISA, CFE, CIA, CMA, CPA
a risk management consultant providing governance, risk and compliance (GRC); enterprise risk management (ERM); and Sarbanes-Oxley/ internal audit program infrastructure solutions and education. Utilizing her experiences and training in the areas of management accounting; internal and external financial, IT and operational audit; and business process risks and controls, Spinelli works with all members of the C-suite.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.