DOI: 10.1145/2462410.2462889

Panel

Panel on granularity in access control

Published: 12 June 2013

Abstract

This panel will address the following question. Does an increase in the granularity of access control systems produce a measurable reduction in risk and help meet the goals of the organization, or is the cost prohibitively high?
After decades of access control research, products, and practice, there has been a trend towards more complex access control policies and models that more finely restrict (or allow) access to resources. This allows policy administrators to specify more closely whatever high-level abstract policy they have in mind, or to accurately enforce regulations such as HIPAA, SOX, or PCI. The end goal is to allow only those actions that are desirable in hindsight, or, in the approach Bishop et al. call the Oracle Policy, to allow exactly the actions an oracle would approve.
As the expressive power of access control models can vary, an administrator may need a more powerful model to specify the high level policy they need for their particular application. It is not uncommon for new models to add new key-attributes, data-sources, features, or relations to provide a richer set of tools. This has resulted in an explosion of new one-off models in the literature, few of which make their way to real products or deployment.
To increase the expressive power of a model, increase its granularity, reduce the complexity of administration and to answer desirable security queries such as safety, a plethora of new concepts have been added to access control models. To name a few: groups and roles; hierarchies and constraints; parameterized permissions; exceptions; time and location of users and resources; relationships between subjects; attributes of subjects, objects, and actions; information flow; conflict of interest classes; obligations; trust, benefit, and risk; workflows; delegation; situational awareness and context; and so on.
All of these constructs build toward a meta-model, as Barker observes.
This granularity has resulted in many novel and useful findings, new algorithms, and challenging open research issues, but it poses potential problems as well. With granularity often comes complexity, which manifests itself in specifying policies, in managing and maintaining policies over time, and in auditing logs to ensure compliance.
This panel will discuss issues surrounding the problem of complexity in access control: designing and specifying new models, designing enforcement mechanisms on real-world systems, the policy lifecycle, and the role of analytics, from automatically generating policies to auditing logs. So, is this complexity worth it? Does increasing the granularity produce a measurable reduction in the risk to sensitive resources and protect the goals of the organization, or is the cost prohibitively high?
Can we ever truly specify a "correct" and "complete" policy, when the policy may be too dynamic and may require the interpretation of the courts to decide, especially when policies are intended to enforce ambiguous regulations? Finally, at what cost should we strive for a perfect, fine-grained policy? Should more resources be placed on recovery from security breaches than on prevention? Should we be "going for mean time to repair equals zero rather than mean time between failure equals infinity"?
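To make the granularity/complexity trade-off the panel describes concrete, here is an added example (not part of the panel abstract or any cited paper) that evaluates one request against a coarse role-based policy and against the same policy extended with constraints of the kinds listed above: a relationship between subject and resource, time of day, location, and a conflict-of-interest class. Every rule declares which request fields it inspects, so the code can also derive what an auditor must find in each log entry to reproduce the decision. All roles, record identifiers, constraint thresholds and sample requests are constructed for the illustration.

```python
"""Coarse role-based policy beside a fine-grained attribute-and-context policy.

Added illustration only; the roles, fields, rules and sample requests below
are constructed and do not come from the panel text or the cited papers.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict   # e.g. {"id": "u17", "role": "clinician"}
    resource: dict  # e.g. {"type": "record", "care_team": {"u17"}, "owner_id": "u3"}
    action: str     # e.g. "read" or "write"
    context: dict   # e.g. {"hour": 14, "location": "on-site"}


# Coarse policy: a role maps to the (resource type, action) pairs it may use.
ROLE_PERMS = {
    "clinician": {("record", "read"), ("record", "write")},
    "billing": {("record", "read")},
}


def role_grant(req: Request) -> bool:
    """The only check a coarse RBAC policy performs."""
    allowed = ROLE_PERMS.get(req.subject["role"], set())
    return (req.resource["type"], req.action) in allowed


# A rule is (name, request fields it inspects, predicate). Declaring the fields
# lets us compute the audit burden that each added constraint brings with it.
Rule = tuple[str, frozenset, Callable[[Request], bool]]

COARSE_RULES: list[Rule] = [
    ("role grant", frozenset({"subject.role", "resource.type", "action"}), role_grant),
]

# Fine policy: the role grant plus constraints of the kinds the abstract lists
# (relationship, time, location, conflict of interest). Constructed thresholds.
FINE_RULES: list[Rule] = COARSE_RULES + [
    ("writer is on care team",
     frozenset({"subject.id", "resource.care_team", "action"}),
     lambda r: r.action != "write" or r.subject["id"] in r.resource["care_team"]),
    ("billing only in business hours",
     frozenset({"subject.role", "context.hour"}),
     lambda r: r.subject["role"] != "billing" or 8 <= r.context["hour"] < 18),
    ("writes only on site",
     frozenset({"action", "context.location"}),
     lambda r: r.action != "write" or r.context["location"] == "on-site"),
    ("no access to own record",
     frozenset({"subject.id", "resource.owner_id"}),
     lambda r: r.subject["id"] != r.resource["owner_id"]),
]


def decide(rules: list[Rule], req: Request) -> tuple[bool, list[str]]:
    """Deny-overrides evaluation: allowed only if every rule holds.

    Returns (allowed, names of the rules that failed) so the reason for a
    denial is available for logging and later audit.
    """
    failed = [name for name, _, pred in rules if not pred(req)]
    return (not failed, failed)


def audit_fields(rules: list[Rule]) -> list[str]:
    """Request fields that must be logged for an auditor to reproduce a decision."""
    needed: set[str] = set()
    for _, fields, _ in rules:
        needed |= fields
    return sorted(needed)


# Constructed sample requests against a single record "rec9" owned by user u3.
RECORD = {"type": "record", "care_team": {"u17"}, "owner_id": "u3"}
ON_TEAM_WRITE = Request({"id": "u17", "role": "clinician"}, RECORD, "write",
                        {"hour": 14, "location": "on-site"})
OFF_TEAM_REMOTE_WRITE = Request({"id": "u22", "role": "clinician"}, RECORD, "write",
                                {"hour": 14, "location": "remote"})
BILLING_NIGHT_READ = Request({"id": "u40", "role": "billing"}, RECORD, "read",
                             {"hour": 22, "location": "remote"})


if __name__ == "__main__":
    for label, req in [("on-team write", ON_TEAM_WRITE),
                       ("off-team remote write", OFF_TEAM_REMOTE_WRITE),
                       ("billing read at night", BILLING_NIGHT_READ)]:
        print(label, "coarse:", decide(COARSE_RULES, req), "fine:", decide(FINE_RULES, req))
    print("coarse audit fields:", audit_fields(COARSE_RULES))
    print("fine audit fields:  ", audit_fields(FINE_RULES))
```

The coarse policy permits all three sample requests because each subject's role grants the action on the resource type. The fine policy denies the off-team remote write and the night-time billing read, which is the reduction in exposure that finer granularity buys; the price shows up in `audit_fields`, which grows from three request fields to eight, each of which must now be captured accurately in every log entry and reconstructed during a compliance review.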

References

[1] S. Barker. The next 700 access control models or a unifying meta-model? In SACMAT, pages 187--196, 2009.
[2] M. Bishop, S. Engle, D. Frincke, C. Gates, F. Greitzer, S. Peisert, and S. Whalen. A risk management approach to the "insider threat". In C. W. Probst, J. Hunker, D. Gollmann, and M. Bishop, editors, Insider Threats in Cyber Security, volume 49 of Advances in Information Security, pages 115--137. Springer US, 2010.
[3] G. McGraw. Silver bullet speaks with Dan Geer. IEEE Security & Privacy, 4(4):10--13, 2006.
[4] M. V. Tripunitara and N. Li. A theory for comparing the expressive power of access control models. Journal of Computer Security, 15:231--272, 2007.

Cited By

  • (2025) A Systematic Review of Access Control Models: Background, Existing Research, and Challenges. IEEE Access, 13:17777--17806. DOI: 10.1109/ACCESS.2025.3533145.
  • (2015) Managing Multi-dimensional Multi-granular Security Policies Using Data Warehousing. In Network and System Security, pages 221--235. DOI: 10.1007/978-3-319-25645-0_15. Published 6 November 2015.

Published In
SACMAT '13: Proceedings of the 18th ACM symposium on Access control models and technologies
June 2013
278 pages
ISBN:9781450319508
DOI:10.1145/2462410
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. granularity
  2. security

Qualifiers

  • Panel

Conference

SACMAT '13

Acceptance Rates

SACMAT '13 Paper Acceptance Rate 19 of 62 submissions, 31%;
Overall Acceptance Rate 177 of 597 submissions, 30%
