Dr. Ravi Sandhu is Professor of Information Security and Assurance and Director of the Laboratory for Information Security Technology (www.list.gmu.edu) at George Mason University, where he has been since 1989. Previously he spent seven years on the Computer and Information Science faculty at Ohio State University. He earned his B.Tech. and M.Tech. degrees in Electrical Engineering from the Indian Institutes of Technology at Bombay and Delhi respectively, and his M.S. and Ph.D. degrees in Computer Science from Rutgers University. He is a Fellow of ACM, a Fellow of IEEE and recipient of the IEEE Computer Society Technical Achievement Award.
His research career has been focused on information security, privacy and trust, with special emphasis on models, protocols and mechanisms. His PhD work on the safety and expressive power of access control models was followed by a series of models culminating in the Typed Access Matrix in 1992, whose strong safety results remain state of the art even today. At George Mason, in collaboration with Prof. Sushil Jajodia, he analyzed and reconciled the conflict between confidentiality and integrity in building multilevel secure relational and object-oriented databases. In 1993 he showed that separation of duty and conflict of interest policies such as Chinese Walls were natural and simple instances of information flow in a classic lattice of security labels, contrary to the then prevalent belief that these were fundamentally different from information flow. In 1996, along with industry colleagues from SETA Corporation, he published a seminal paper on role-based access control (RBAC) which firmly established RBAC as the preferred access control model for most enterprises. This paper ended a two and a half decade standoff between the traditional mandatory and discretionary access control models, neither of which had proven to be terribly useful in practical systems. RBAC bases authorization on the familiar organizational construct of roles, such as Professor, Student, Payroll Supervisor, Purchasing Manager, etc., thereby greatly simplifying the administration of authorizations while providing flexibility and sophistication where needed. This model evolved into the 2004 NIST/ANSI standard RBAC model and is on track to become an ISO standard. Along with his collaborators, Ravi has investigated many aspects of RBAC including administrative models, delegation models, enforcement architectures and web-based implementations. More recently, in 2002, in partnership with his student Jaehong Park, he introduced the Usage Control (UCON) model as a foundation for next-generation access control by integrating obligations and conditions with the usual notion of authorization and providing for continuity of enforcement and mutability of attributes. Other recent activities include models for Information Sharing and their enforcement and implementation using modern Trusted Computing technologies, and the PEI (policy, enforcement and implementation) layered models framework for synthesizing secure systems.
Ravi is the founding editor of the Synergy Lecture Series on Information Security, Privacy and Trust. Earlier, he founded the ACM Transactions on Information and System Security (TISSEC) in 1997 and served as editor-in-chief until 2004. He was Chairman of ACM SIGSAC from 1995 to 2003, and founded and led the ACM Conference on Computer and Communications Security and the ACM Symposium on Access Control Models and Technologies to high reputation and prestige. He served as the security editor for IEEE Internet Computing from 1998 to 2004. In 2000 Ravi Sandhu co-founded the company now known as TriCipher and continues to serve as its Chief Scientist. He is the principal security architect of the TriCipher Armored Credential System, which earned the coveted FIPS 140 level 2 rating from NIST. He is an inventor on eight patents for security technology inventions and has over a dozen patents pending. He has been a leader in security curriculum development, particularly at the MS and PhD levels.
October 2006