Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations

Marc Donner, David Nochlin, Dennis Shasha, Wendy Walasek

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Security managers in large organizations must manage the access of tens of thousands of employees on diverse data. Databases store the access control information but the security officers use essentially manual techniques to determine who has too much access and why. We call this task the Audit Problem. The security research community has offered promising frameworks such as role-based access control, but these still leave open the problems of designing the roles and determining group memberships and of demonstrating that there are substantial benefits to be reaped from making a change. In this paper, we propose a data-mining approach that includes an algorithm that starts with a set of atomic permissions of the form (user, asset, privilege) and derives a smaller but equivalent set (user group, asset group, privilege group). The asset and privilege groups so identified constitute promising roles. The users so identified constitute useful groups. In this paper we report on actual experience with actual corporate access control data. We built a production role-based access control authorization service, storing the tables in a relational database and transmitting queries as XML 'documents' over MQ message queues. Our experiments show that the proposed algorithm can reduce the number of permission assertions by a factor of between 10 and 100. With such a reduction, the Audit Problem is brought from the absurd to the plausible.

Original languageEnglish (US)
Title of host publicationData and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security
PublisherSpringer New York LLC
Pages295-316
Number of pages22
Volume73
ISBN (Print)0792375149, 9780792375142
StatePublished - 2001
EventIFIP TC11 / WG11.3 14th Annual Working Conference on Database Security - Schoorl, Netherlands
Duration: Aug 21 2000Aug 23 2000

Publication series

NameIFIP Advances in Information and Communication Technology
Volume73
ISSN (Print)18684238

Other

OtherIFIP TC11 / WG11.3 14th Annual Working Conference on Database Security
CountryNetherlands
CitySchoorl
Period8/21/008/23/00

Fingerprint

Access control
Assets
Hygiene
Role-based access control
Audit
Query
Queue
Group membership
Relational database
Authorization
Data mining
Managers
Data base
Factors
Experiment
Employees

ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Donner, M., Nochlin, D., Shasha, D., & Walasek, W. (2001). Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations. In Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security (Vol. 73, pp. 295-316). (IFIP Advances in Information and Communication Technology; Vol. 73). Springer New York LLC.

Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations. / Donner, Marc; Nochlin, David; Shasha, Dennis; Walasek, Wendy.

Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security. Vol. 73 Springer New York LLC, 2001. p. 295-316 (IFIP Advances in Information and Communication Technology; Vol. 73).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Donner, M, Nochlin, D, Shasha, D & Walasek, W 2001, Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations. in Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security. vol. 73, IFIP Advances in Information and Communication Technology, vol. 73, Springer New York LLC, pp. 295-316, IFIP TC11 / WG11.3 14th Annual Working Conference on Database Security, Schoorl, Netherlands, 8/21/00.
Donner M, Nochlin D, Shasha D, Walasek W. Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations. In Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security. Vol. 73. Springer New York LLC. 2001. p. 295-316. (IFIP Advances in Information and Communication Technology).
Donner, Marc ; Nochlin, David ; Shasha, Dennis ; Walasek, Wendy. / Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations. Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security. Vol. 73 Springer New York LLC, 2001. pp. 295-316 (IFIP Advances in Information and Communication Technology).
@inproceedings{0f762eb80ae04a409cb2f1304358f811,
title = "Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations",
abstract = "Security managers in large organizations must manage the access of tens of thousands of employees on diverse data. Databases store the access control information but the security officers use essentially manual techniques to determine who has too much access and why. We call this task the Audit Problem. The security research community has offered promising frameworks such as role-based access control, but these still leave open the problems of designing the roles and determining group memberships and of demonstrating that there are substantial benefits to be reaped from making a change. In this paper, we propose a data-mining approach that includes an algorithm that starts with a set of atomic permissions of the form (user, asset, privilege) and derives a smaller but equivalent set (user group, asset group, privilege group). The asset and privilege groups so identified constitute promising roles. The users so identified constitute useful groups. In this paper we report on actual experience with actual corporate access control data. We built a production role-based access control authorization service, storing the tables in a relational database and transmitting queries as XML 'documents' over MQ message queues. Our experiments show that the proposed algorithm can reduce the number of permission assertions by a factor of between 10 and 100. With such a reduction, the Audit Problem is brought from the absurd to the plausible.",
author = "Marc Donner and David Nochlin and Dennis Shasha and Wendy Walasek",
year = "2001",
language = "English (US)",
isbn = "0792375149",
volume = "73",
series = "IFIP Advances in Information and Communication Technology",
publisher = "Springer New York LLC",
pages = "295--316",
booktitle = "Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security",

}

TY - GEN

T1 - Algorithms and experience in increasing the intelligibility and hygiene of access control in large organizations

AU - Donner, Marc

AU - Nochlin, David

AU - Shasha, Dennis

AU - Walasek, Wendy

PY - 2001

Y1 - 2001

N2 - Security managers in large organizations must manage the access of tens of thousands of employees on diverse data. Databases store the access control information but the security officers use essentially manual techniques to determine who has too much access and why. We call this task the Audit Problem. The security research community has offered promising frameworks such as role-based access control, but these still leave open the problems of designing the roles and determining group memberships and of demonstrating that there are substantial benefits to be reaped from making a change. In this paper, we propose a data-mining approach that includes an algorithm that starts with a set of atomic permissions of the form (user, asset, privilege) and derives a smaller but equivalent set (user group, asset group, privilege group). The asset and privilege groups so identified constitute promising roles. The users so identified constitute useful groups. In this paper we report on actual experience with actual corporate access control data. We built a production role-based access control authorization service, storing the tables in a relational database and transmitting queries as XML 'documents' over MQ message queues. Our experiments show that the proposed algorithm can reduce the number of permission assertions by a factor of between 10 and 100. With such a reduction, the Audit Problem is brought from the absurd to the plausible.

AB - Security managers in large organizations must manage the access of tens of thousands of employees on diverse data. Databases store the access control information but the security officers use essentially manual techniques to determine who has too much access and why. We call this task the Audit Problem. The security research community has offered promising frameworks such as role-based access control, but these still leave open the problems of designing the roles and determining group memberships and of demonstrating that there are substantial benefits to be reaped from making a change. In this paper, we propose a data-mining approach that includes an algorithm that starts with a set of atomic permissions of the form (user, asset, privilege) and derives a smaller but equivalent set (user group, asset group, privilege group). The asset and privilege groups so identified constitute promising roles. The users so identified constitute useful groups. In this paper we report on actual experience with actual corporate access control data. We built a production role-based access control authorization service, storing the tables in a relational database and transmitting queries as XML 'documents' over MQ message queues. Our experiments show that the proposed algorithm can reduce the number of permission assertions by a factor of between 10 and 100. With such a reduction, the Audit Problem is brought from the absurd to the plausible.

UR - http://www.scopus.com/inward/record.url?scp=84904258787&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84904258787&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84904258787

SN - 0792375149

SN - 9780792375142

VL - 73

T3 - IFIP Advances in Information and Communication Technology

SP - 295

EP - 316

BT - Data and Applications Security: Developments and Directions - IFIP TC11 / WG11.3 Fourteenth Annual Working Conference on Database Security

PB - Springer New York LLC

ER -