the cups blog

07-23-08

Access Control Policy Analysis & Visualization Tools for Security Professionals

Kami Vaniea, Qun Ni, Lorrie Faith Cranor, Elisa Bertino

Societe Generale: 7.2 billion trading loss in 2008. An employee moved from compliance to trading and his access wasn’t removed. He used that knowledge and access to make large, high-risk trades.
Policy administration is non-trivial. Policies are huge and difficult to work with; policies may govern physical access, file systems, and other resources, and can run to thousands of rules. CMU’s swipe-card system alone allows/denies building access for thousands of people. Conflict resolution differs by system: Windows is deny-takes-precedence, a firewall is first-matching-rule; admins need to understand these differences. Policies are not consistently managed. Access to IT resources tends to be ad hoc.
Prior work: firewall analysis research that determines all effective policy changes given a prospective new rule. Privacy: EXAM compares policies. Physical access control: the Grey project at CMU.
Topic: how can we use visualizations to take policy analysis information and present it in ways people can use?
Privacy-aware role-based access control (PRBAC): extends RBAC with support for privacy policies by adding a purpose element. Users are assigned to roles, roles get permissions. Purposes are attached via purpose bindings.
Example: distributed management with a central admin and 4 department admins. [Visual walk-through of types of rules] Good central rule: employees can access room 101 from 9 am – 5 pm. A dept admin adds a rule that only people from project A can access. Then you AND the rules to get: project A from 9 am to 5 pm. Conflicts: ANDing can produce time windows that never overlap, etc. Also dominating rules, where one supersedes the other; that can be a redundancy or an error.
Detecting conflicts and other policy issues: can use tools but how do we present to an administrator?
Prisimos system, not yet implemented. [Screen shot] Columns are rules; rows are roles, resources, actions, conditions, and obligations. Checked box = this element and everything below it (in a group) is associated. Solid box = some of the elements below are used in the rule but not all; expand to see which. Right side: recommended changes, listing dominating and conflicting rules. Click these to zero in on only the relevant part of the rule set; conflicts are highlighted.
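The ANDing of central and department rules described in the example above, plus the two findings the right-hand panel reports (conflicting and dominating rules), as an added illustration that is not code from the talk or from Prisimos. The rule structure, the half-open hour windows, and the sample users and rooms are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One grant rule: who may do what, to which resource, and when (assumed model)."""
    name: str
    users: frozenset        # constructed: the users the role resolves to
    resource: str
    action: str
    hours: Tuple[int, int]  # half-open window [start, end) in 24h time

def and_rules(a: Rule, b: Rule) -> Optional[Rule]:
    """Effective rule when both a and b must hold (the talk's ANDing).
    Returns None when the two can never be satisfied together."""
    if (a.resource, a.action) != (b.resource, b.action):
        return None
    users = a.users & b.users
    start, end = max(a.hours[0], b.hours[0]), min(a.hours[1], b.hours[1])
    if not users or start >= end:       # e.g. 9-17 ANDed with 18-22: never overlaps
        return None
    return Rule(f"{a.name}&{b.name}", users, a.resource, a.action, (start, end))

def dominates(a: Rule, b: Rule) -> bool:
    """True if every grant made by b is already made by a (b adds nothing)."""
    return ((a.resource, a.action) == (b.resource, b.action)
            and b.users <= a.users
            and a.hours[0] <= b.hours[0] <= b.hours[1] <= a.hours[1])

def analyze(central: List[Rule], dept: List[Rule]) -> List[Tuple[str, str, str]]:
    """Pair each central rule with each department rule on the same
    resource/action and report conflicts and dominating rules."""
    findings = []
    for c in central:
        for d in dept:
            if (c.resource, c.action) != (d.resource, d.action):
                continue
            if and_rules(c, d) is None:
                findings.append(("conflict", c.name, d.name))
            elif dominates(c, d):
                findings.append(("dominating", c.name, d.name))
    return findings

# Constructed sample: central admin grants employees room 101 from 9 to 5; the
# department narrows it to project A, adds an after-hours rule, and touches room 102.
CENTRAL = [Rule("C1", frozenset({"alice", "bob", "carol"}), "room101", "enter", (9, 17))]
DEPT = [Rule("D1", frozenset({"alice", "bob"}), "room101", "enter", (9, 17)),
        Rule("D2", frozenset({"carol"}), "room101", "enter", (18, 22)),
        Rule("D3", frozenset({"alice"}), "room102", "enter", (9, 17))]
```

Running `analyze(CENTRAL, DEPT)` flags C1 as dominating D1 and C1/D2 as a conflict, while D3 is skipped because it concerns another resource; this is the handful of rules the admin would then view side by side.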
Conclusion: policy authors need assistance. Tools exist. We need to build policy analysis visualizations which allow policy authors to better understand analysis of their policies.
Q: Actions row is the most interesting part. Could be an open-ended definition. What are the implications of a certain action? Do you include that? A: AFS has 7 or 8 different actions and even the CS undergrads don’t get it. If I make a role called students, what does that mean? Q: I was getting at something else; you had a row of access. As an admin, what happens if this person has access? Can you predict those? A: For file systems, well defined. For file access control, it’s RWIL, etc., well defined. Something like a firewall is more complex. Different issue from what this work is looking at. Interesting research direction but not one this UI solves.
Q: combine rules and get conflicts. Will this UI help me as a user to spot them in combination? A: yes, line up the rules next to each other so you can see them side by side and see what’s wrong. Might be good to explain if they’re being and’ed and that’s the error.
Q: How computationally hard is it to detect conflicts? What about rules that agree but are nonsensical, like I grant access to an inner room and not the outer room? A: Not my area, but: it’s linear and quick. To do the second part, you would have to build a domain-specific set of rules. Q: Users add arbitrary constraints on what makes sense together? A: Could, but it would be a problem for the admins. Q: Yes, something for them to set. A: That’s why we’re looking at central v. dept admins.
Q: How configurable is it with complex constraints? Might need to be local to understand. A: Less on analysis than presentation. How do I make the and’ed part be in English? Q: What if it’s not time, what if it’s who signed an NDA? A: So far I’m staying out of organizational issues, just computer-checkable conditions you can compare. What you’re describing is complex and general; other researchers are probably working on it.
Q: Another case where we want to use computers so we have to do things computers can deal with? A: This gets back to the intro speaker; the answer is in having the policies out there and thinking ahead. Q: More general: human lives are lived in ways that are not measurable and computer-processable in some ways. Is it that companies have restrictions so people have to constrain their lives to what a computer can be programmed to do? Universities are trying to develop minds, but artists can’t go into computer labs. What are you doing to the human spirit? A: You can build the humans back into the loop in some ways, can put humans back in charge: you want an exception, go talk to them. There are tools that make the marriage between “keep the bad guys out” and “how do I get in?” You cannot protect privacy without blocking access, so human spirit issues are not just about gaining access.
Q: imagine no central admin. When teams want to know what they can share and not share, have you thought about the first column: some things people might not want to reveal, what happens when you don’t want to publish your rules to other teams? Don’t want to list the resources? A: some portion of the policy needs to go to *someone* for analysis. May be 3rd party, someone trusted, more involved. There are privacy issues and distributed issues, how do you combine these.
Q: How do you know these conflicts exist in real systems and that admins want to have answers to them? A: Doing data collection right now. AFS only controls access to directories, not files. Yet other Unix systems have file-based rules. Very easy to create conflicts like that. Especially when you have less skilled people, this happens in practice. Another example: DBA access v. HR data.
Q: Companies might have thousands of rules; will a table-based representation scale? A: The table does not, but looking at the conflicts does: you limit the view to a handful of rules. Should not have 200 rules all conflicting at the same time, more like 3-4. Don’t try to scale; try to pick which part of the policy I care about right now.