Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach

  • Conference paper
  • Published in: Data and Applications Security and Privacy XXXVII (DBSec 2023)

Abstract

Organizations encounter great difficulties in maintaining high-quality Access Control Policies (ACPs). Policies originally modeled and implemented with good quality deteriorate over time, leading to inaccurate authorization decisions and reduced policy maintainability. As a result, security risks arise, delays prevent users from carrying out tasks, and ACP management becomes more expensive and error-prone. In contrast to the initial modeling of ACPs, their long-term maintenance has scarcely been addressed by existing research. This work addresses this research gap with three contributions: First, we provide a detailed problem analysis based on a literature survey and six real-world practitioner expert interviews. Second, we propose a framework that supports organizations in implementing and performing ACP maintenance. Third, we present a maintenance case study in which we implemented maintenance capabilities for a real-world ACP dataset, which allowed us to significantly improve its quality.

The research leading to these results was supported by the German Federal Ministry of Education and Research as part of the DEVISE project (https://devise.ur.de).



Correspondence to Sascha Kern.

A Appendix

Table 5. Question catalogue for the semi-structured expert interviews

Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper

Cite this paper

Kern, S., Baumer, T., Fuchs, L., Pernul, G. (2023). Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_14

  • DOI: https://doi.org/10.1007/978-3-031-37586-6_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37585-9

  • Online ISBN: 978-3-031-37586-6
