Abstract
Emerging security systems need to carefully reconcile usability considerations in their design. In this context, we address authorization policies, which are used to limit the actions a principal may exercise on a resource. We compare two designs from the standpoint of the ease with which such policies can be devised and expressed. The two designs we consider are read-write-execute policies in UNIX, which was designed many decades ago, and identity-based policies in Amazon Web Services (AWS), which is a modern system. These can be seen, in the evolution of such designs, as two extremes: in the former, only the three actions read, write and execute are allowed in an authorization policy; in the latter, more than a thousand actions are allowed. While a richer set of actions lends itself to finer-grained authorization policies, the question we pose is: are such policies easier to formulate? Our question is important because a trend in the design of such policy languages in real systems over the years has been to enrich the set of actions. For a meaningful comparison between the two extremes, we design an overlay authorization policy syntax for AWS that allows the three actions read, write and execute only. We then describe our design of an ethics-approved, human-participants study to assess whether a richer set of actions indeed results in better usability, and our results from carrying out the study. Using carefully chosen statistical methods that are appropriate for our study, we find that there is indeed evidence that allowing for a richer set of actions lends itself to better usability. Our work has significant implications for design in emerging security systems that seek to reconcile usability.
Portions of this work were supported via grants from the Natural Sciences and Engineering Research Council of Canada (NSERC) and Mitacs, Canada.
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhang, B., Gill, P., Mihai, N., Tripunitara, M. (2022). Granularity and Usability in Authorization Policies. In: Meng, W., Katsikas, S.K. (eds) Emerging Information Security and Applications. EISA 2021. Communications in Computer and Information Science, vol 1403. Springer, Cham. https://doi.org/10.1007/978-3-030-93956-4_5
DOI: https://doi.org/10.1007/978-3-030-93956-4_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93955-7
Online ISBN: 978-3-030-93956-4
eBook Packages: Computer Science, Computer Science (R0)