Abstract
Organizations encounter great difficulties in maintaining high-quality Access Control Policies (ACPs). Policies that were originally modeled and implemented with good quality deteriorate over time, leading to inaccurate authorization decisions and reduced policy maintainability. As a result, security risks arise, delays prevent users from carrying out their tasks, and ACP management becomes more expensive and error-prone. In contrast to the initial modeling of ACPs, their long-term maintenance has scarcely been addressed by existing research. This work addresses this research gap with three contributions: First, we provide a detailed problem analysis based on a literature survey and six expert interviews with real-world practitioners. Second, we propose a framework that supports organizations in implementing and performing ACP maintenance. Third, we present a maintenance case study in which we implemented maintenance capabilities for a real-world ACP dataset, which allowed us to significantly improve its quality.
The research leading to these results was supported by the German Federal Ministry of Education and Research as part of the DEVISE project (https://devise.ur.de).
© 2023 IFIP International Federation for Information Processing
Cite this paper
Kern, S., Baumer, T., Fuchs, L., Pernul, G. (2023). Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_14
DOI: https://doi.org/10.1007/978-3-031-37586-6_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37585-9
Online ISBN: 978-3-031-37586-6
eBook Packages: Computer Science, Computer Science (R0)