research-article

Real life challenges in access-control management

Authors:

Lorrie Faith Cranor,

Robert W. Reeder,

Michael K. Reiter,

Kami VanieaAuthors Info & Claims

CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 899 - 908

https://doi.org/10.1145/1518701.1518838

Published: 04 April 2009 Publication History

Abstract

In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-control policy for either a file system or a physical space. Based on these interviews we identified three sets of real-world requirements that are either ignored or inadequately addressed by technology: 1) policies are made/implemented by multiple people; 2) policy makers are distinct from policy implementers; and 3) access-control systems don't always have the capability to implement the desired policy. We present our interview results and propose several possible solutions to address the observed issues.

Supplementary Material

JPG File (1518838.jpg)

Download
15.08 KB

index.html (index.html)

Slides from the presentation

Download
.97 KB

Audio only (1518838.mp3)

Download
10.58 MB

Video (1518838.mp4)

Download
145.49 MB

References

[1]

M. Abadi. On SDSI's linked local name spaces. Journal of Computer Security, 6(1--2):3--21, Oct. 1998.

Digital Library

[2]

A. W. Appel and E. W. Felten. Proof-carrying authentication. In Proceedings of the 6th ACM Conference on Computer and Communications Security, Singapore, Nov. 1999.

Digital Library

[3]

R. Barrett, E. Kandogan, P. P. Maglio, E. Haber, L. A. Takayama, and M. Prabaker. Field studies of computer system administrators analysis of system management tools and practices. In CSCW, 2004.

Digital Library

[4]

L. Bauer, L. Cranor, R. W. Reeder, M. K. Reiter, and

[5]

K. Vaniea. A user study of policy creation in a flexible access-control system. In CHI, 2008.

[6]

L. Bauer, S. Garriss, and M. K. Reiter. Distributed proving in access-control systems. In Proceedings of the 2005 IEEE Symposium on Security&Privacy, pages 81--95, 2005.

Digital Library

[7]

A. Beaufour and P. Bonnet. Personal servers as digital keys. In Proc. 2nd IEEE International Conference of Pervasive Computing and Communications, Mar. 2004.

Digital Library

[8]

H. Beyer and K. Holtzblatt. Contextual Design: Defining customer-centered systems. Morgan Kaufmann Publishers, 1998.

Digital Library

[9]

D. Botta, R. Werlinger, A. Gagn´e, K. Beznosov, L. Iverson, S. Fels, and B. Fisher. Towards understanding IT security professionals and their tools. In SOUPS, pages 100--111, 2007.

Digital Library

[10]

C. A. Brodie, C.-M. Karat, and J. Karat. An empirical study of natural language parsing of privacy policy rules using the sparcle policy workbench. In SOUPS, pages 8--19, 2006.

Digital Library

[11]

D. Cappelli, A. Desai, A. Moore, T. Shimeall, E. Weaver, and B. Willke. Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers' Information, Systems, or Networks. Technical Report CMU/SEI-2006-TN-041, CERT, Software Engineering Institute at Carnegie Mellon University and Cylab, 2007.

[12]

B. Cleary. Employee role changes and socgen: Good lessons from a bad example, April 2008. http://www.scmagazineus.com/Employee-Role-Changes-and-SocGen-Good-lessons-from-a-badexample/article/108541/.

[13]

P. Dourish, E. Grinter, J. D. de la Flor, and M. Joseph. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal Ubiquitous Comput., 8(6):391--401, 2004.

[14]

S. Gaw, E. W. Felten, and P. Fernandez-Kelly. Secrecy, flagging, and paranoia: adoption criteria in encrypted email. In CHI, pages 591--600, 2006.

Digital Library

[15]

E. M. Huang and K. N. Truong. Breaking the disposable technology paradigm: opportunities for sustainable interaction design for mobile phones. In CHI '08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pages 323--332, New York, NY, USA, 2008. ACM.

Digital Library

[16]

N. Li and J. C. Mitchell. Understanding SPKI/SDSI using first-order logic. International Journal of Information Security, 2004.

Digital Library

[17]

M. R. Randazzo, M. Keeney, E. Kowalski, D. Cappelli, and A. Moore. Insider thread study: Illicit cyber activity in the banking and finance sector. Technical report, Carnegie Mellon University Software Engineering Institute, 2005.

[18]

R. W. Reeder, L. Bauer, L. F. Cranor, M. K. Reiter, K. Bacon, K. How, and H. Strong. Expandable grids for visualizing and authoring computer security policies. In CHI, pages 1473--1482, 2008.

Digital Library

[19]

J. Saltzer and M. Schroeder. The protection of information in computer systems. IEEE, Proceedings, 63:1278--1308, 1975.

[20]

A. Woodruff, S. Augustin, and B. Foucault. Sabbath day home automation: it's like mixing technology and religion. In CHI '07: Proceedings of the SIGCHI conference on Human factors in computing systems, pages 527--536, New York, NY, USA, 2007. ACM.

Digital Library

Cited By

Feretzakis GVerykios V(2024)Trustworthy AI: Securing Sensitive Data in Large Language ModelsAI10.3390/ai50401345:4(2773-2800)Online publication date: 6-Dec-2024
https://doi.org/10.3390/ai5040134
Jayasundara SGamagedara Arachchilage NRussello G(2024)SoK: Access Control Policy Generation from High-level Natural Language RequirementsACM Computing Surveys10.1145/370605757:4(1-37)Online publication date: 28-Nov-2024
https://dl.acm.org/doi/10.1145/3706057
Sammak RRotthaler ARamulu HWermke DAcar YTorres-Arias SDe Carli LZhang Y(2024)Developers' Approaches to Software Supply Chain Security: An Interview StudyProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696160(56-66)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696160
Show More Cited By

Index Terms

Real life challenges in access-control management
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime
  2. Professional topics
    1. Computing and business

Recommendations

A user study of policy creation in a flexible access-control system
CHI '08: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover ...
A posteriori compliance control
SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies

While preventative policy enforcement mechanisms can provide theoretical guarantees that policy is correctly enforced, they have limitations in practice. They are inflexible when unanticipated circumstances arise, and most are either inflexible with ...
Obligation Management Framework for Usage Control
SACMAT 2024: Proceedings of the 29th ACM Symposium on Access Control Models and Technologies

Obligations were introduced in access and usage control as a mechanism to specify mandatory actions to be fulfilled as part of authorization. In this paper, we address challenges related to obligation management in access and usage control, focusing on ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

April 2009

2426 pages

ISBN:9781605582467

DOI:10.1145/1518701

General Chairs:
Dan R. Olsen
Brigham Young University
,
Richard B. Arthur
Brigham Young University
,
Program Chairs:
Ken Hinckley
Microsoft Research
,
Meredith Ringel Morris
Microsoft Research
,
Scott Hudson
Carnegie Mellon University
,
Saul Greenberg
University of Calgary

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 April 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CHI '09

Sponsor:

CHI '09: CHI Conference on Human Factors in Computing Systems

April 4 - 9, 2009

MA, Boston, USA

Acceptance Rates

CHI '09 Paper Acceptance Rate 277 of 1,130 submissions, 25%;

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Upcoming Conference

CHI 2025

Sponsor:
sigchi

ACM CHI Conference on Human Factors in Computing Systems

April 26 - May 1, 2025

Yokohama , Japan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

57
Total Citations
View Citations
1,593
Total Downloads

Downloads (Last 12 months)60
Downloads (Last 6 weeks)3

Reflects downloads up to 08 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Feretzakis GVerykios V(2024)Trustworthy AI: Securing Sensitive Data in Large Language ModelsAI10.3390/ai50401345:4(2773-2800)Online publication date: 6-Dec-2024
https://doi.org/10.3390/ai5040134
Jayasundara SGamagedara Arachchilage NRussello G(2024)SoK: Access Control Policy Generation from High-level Natural Language RequirementsACM Computing Surveys10.1145/370605757:4(1-37)Online publication date: 28-Nov-2024
https://dl.acm.org/doi/10.1145/3706057
Sammak RRotthaler ARamulu HWermke DAcar YTorres-Arias SDe Carli LZhang Y(2024)Developers' Approaches to Software Supply Chain Security: An Interview StudyProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696160(56-66)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696160
Al Lail MPinto DAlmanza LSalazar FRizzi C(2024)Beyond Traditional Methods: Deep Learning with Data Augmentation for Robust Access Control2024 33rd International Conference on Computer Communications and Networks (ICCCN)10.1109/ICCCN61486.2024.10637533(1-6)Online publication date: 29-Jul-2024
https://doi.org/10.1109/ICCCN61486.2024.10637533
Zhu SZhang Y(2024)Probabilistic Access Policies with Automated Reasoning SupportComputer Aided Verification10.1007/978-3-031-65633-0_20(443-466)Online publication date: 24-Jul-2024
https://dl.acm.org/doi/10.1007/978-3-031-65633-0_20
Shen BShan TZhou YCalandrino JTroncoso C(2023)MultiviewProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620657(7499-7516)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620657
Jodeiri Akbarfam ABarazandeh Sgupta dMaleki H(2023)Deep Learning Meets Blockchain for Automated and Secure Access ControlSSRN Electronic Journal10.2139/ssrn.4629585Online publication date: 2023
https://doi.org/10.2139/ssrn.4629585
Wermke DKlemmer JWöhler NSchmüser JRamulu HAcar YFahl S(2023)"Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179378(1545-1560)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179378
Fourné MWermke DEnck WFahl SAcar Y(2023)It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179320(1527-1544)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179320
Llamas JPreuveneers DJoosen W(2023)Effective Machine Learning-based Access Control Administration through Unlearning2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW59978.2023.00011(50-57)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSPW59978.2023.00011
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten