DOI: 10.1145/2501604.2501606
research-article

Formal definitions for usable access control rule sets from goals to metrics

Published: 24 July 2013

Abstract

Access control policies describe high-level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reflect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reflect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significantly better rule sets.


Reviews

Massimiliano Masi

The usability and manageability of access control policies in an attribute-based access control (ABAC) setting are the main focus of this paper. The authors aim to provide a scientific way to obtain a usable access control rule set. If we had clear and simple access control rules, it would be trivial to enforce the separation of duties. In fact, with ABAC models, few theoretical results have been found to formally prove that a given policy respects the aforementioned security concepts due to the complexity that the attribute/policy couple may have. This is even more complicated in policy-based access control, where the policy is not a set of attributes to be matched; rather, the policy evaluation is dependent on an external context, since it may contain code fragments written in a programming language (such as Extensible Access Control Markup Language (XACML)). Thus, a method that users can exploit to (in)formally define the function “policy x is more usable than policy y” is extremely important (and challenging). The authors stress the fact that both IT experts and non-experts can manage the access control policies. The study is structured as follows. With the help of volunteers, the authors ran a first pilot with IT administrators to define “six goals for building usable and secure access control rule sets.” Such rules were formalized and metrics were attached. The authors then conducted two chained user studies; the output of the first study was used as input on the second user study in order to evaluate how helpful the found metrics were to users in creating new rule sets. The approach was validated by testing three different hypotheses. Although there are some known limitations, the results are encouraging.

Online Computing Reviews Service

Published In

SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and Security
July 2013
241 pages
ISBN:9781450323192
DOI:10.1145/2501604
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

  • Carnegie Mellon University

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. formal logic
  3. metrics
  4. security
  5. usability

Qualifiers

  • Research-article

Conference

SOUPS '13
Sponsor:
  • Carnegie Mellon University
SOUPS '13: Symposium On Usable Privacy and Security
July 24 - 26, 2013
Newcastle, United Kingdom

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%

Article Metrics

  • Downloads (Last 12 months): 23
  • Downloads (Last 6 weeks): 1
Reflects downloads up to 23 Dec 2024

Cited By

  • (2023) Multiview. Proceedings of the 32nd USENIX Conference on Security Symposium. DOI: 10.5555/3620237.3620657 (7499-7516). Online publication date: 9-Aug-2023
  • (2023) Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach. Data and Applications Security and Privacy XXXVII. DOI: 10.1007/978-3-031-37586-6_14 (223-242). Online publication date: 12-Jul-2023
  • (2022) Supervised Learning-Based Approach Mining ABAC Rules from Existing RBAC Enabled Systems. ICST Transactions on Scalable Information Systems. DOI: 10.4108/eetsis.v5i16.1560 (e3). Online publication date: 7-Sep-2022
  • (2022) An Automatic Attribute-Based Access Control Policy Extraction From Access Logs. IEEE Transactions on Dependable and Secure Computing. DOI: 10.1109/TDSC.2021.3054331, 19:4 (2304-2317). Online publication date: 1-Jul-2022
  • (2022) Optimization of Access Control Policies. Journal of Information Security and Applications. DOI: 10.1016/j.jisa.2022.103301, 70 (103301). Online publication date: Nov-2022
  • (2021) A Hybrid Policy Engineering Approach for Attribute-Based Access Control (ABAC). Proceedings of the 12th International Conference on Soft Computing and Pattern Recognition (SoCPaR 2020). DOI: 10.1007/978-3-030-73689-7_80 (847-857). Online publication date: 16-Apr-2021
  • (2021) A Data Science Approach Based on User Interactions to Generate Access Control Policies for Large Collections of Documents. Machine Learning Techniques and Analytics for Cloud Security. DOI: 10.1002/9781119764113.ch18 (379-415). Online publication date: 3-Dec-2021
  • (2020) On the Accuracy Evaluation of Access Control Policies in a Social Network. 2020 International Conference on Computational Science and Computational Intelligence (CSCI). DOI: 10.1109/CSCI51800.2020.00048 (244-249). Online publication date: Dec-2020
  • (2020) Measuring the Usability of Firewall Rule Sets. IEEE Access. DOI: 10.1109/ACCESS.2020.2971093, 8 (27106-27121). Online publication date: 2020
  • (2019) Efficient and Extensible Policy Mining for Relationship-Based Access Control. Proceedings of the 24th ACM Symposium on Access Control Models and Technologies. DOI: 10.1145/3322431.3325106 (161-172). Online publication date: 28-May-2019
