David Ferraiolo
Computer Scientist
National Institute of Standards and Technology
Computer Security Division
2:30 p.m. - 3:30 p.m.
Friday, April 1, 2005
Room 404, IS Building
2:00 p.m. - 2:30 p.m.
Light refreshments with the speaker before the talk
5th Floor Large Commons room, IS Building
Abstract: Access control is the administrative and
automated process of defining and limiting which system
users can perform which system operations on which system
resources. Pertaining to each organization is a unique set of policies that
dictate the circumstances and conditions under which specific users are permitted
access to specific resources. Access control policies are enforced through
a mechanism consisting of access control functions and access control data
that together map a user’s access request to a decision whether to grant
or deny access. Access control mechanisms come in a wide variety of forms,
each with their individual (and often proprietary) attributes, functions, and
methods for configuring policy, and a tight coupling to a class of policies.
This talk presents the standardization and economic conditions that have driven
evolution of access control mechanisms and products from mandatory and discretionary
access control products of the early 80s in support of military policies, through
role-based access control products of the mid 90s in support of the policy
and administrative needs of commercial organizations, to present day efforts
to devise a policy neutral access control mechanism in support of the emerging
needs of Government and commercial organizations.
Biography: David F. Ferraiolo is
the supervisor of the Emerging Technologies Research
group of the Computer Security Division at the National
Institute of Standards and Technology (NIST). He has
over 19 years of experience in computer and communications
security, serving both the government and private industry.
During his last 10 years of employment at NIST, he
has conducted extensive research in various areas of
access control, including formal model development, reference
and prototype implementation, product demonstration
development and evaluation, and is credited as
the originator of numerous commercially available security
mechanisms. He is a coauthor of a recent book on RBAC,
is the author or coauthor of more than 20 papers in the
area of access control, and the principal inventor on
two U.S. patents. He received a U.S. Department of Commerce
gold medal in 2002 and a 1998 Excellence in Technology
Transfer award from the Federal Laboratory Consortium
for research in RBAC, and has served on the editorial
boards of the US Federal Criteria and the international
Common Criteria (ISO 15408). His talks have included
keynote speeches at technical conferences, and lectures
at universities and corporations. His publications are
widely referenced from sources within the U.S., Canada,
Europe, Asia, and Africa and have impacted research and
standardization efforts around the world. He received
a combined B.S. in computer science and mathematics from
the State University of New York at Albany in 1982.