Real life challenges in access-control management

Bauer, Lujo; Cranor, Lorrie Faith; Reeder, Robert W.; Reiter, Michael K.; Vaniea, Kami

doi:10.1145/1518701.1518838

Cited by 63 publications

(35 citation statements)

References 16 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…No financial incentive was offered to the participants. 1 We used semi-structured interviews as our method of inquiry in the pilot study. This method provided us the flexibility to ask for details regarding the challenges faced when managing access control rule sets.…”

Section: Methodsmentioning

confidence: 99%

“…These activities are now expected even from less experienced users [4]. However, the task of generating and managing access control rule sets is not trivial [1,4,13]. Errors in access control rule sets can lead to unintended results, such as sharing more (or less) data than desired and the generation of too complex access control rule sets [13].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Formal definitions for usable access control rule sets from goals to metrics

Beckerle

Martucci

2013

Proceedings of the Ninth Symposium on Usable Privacy and Security

View full text Add to dashboard Cite

Access control policies describe high level requirements for access control systems. Access control rule sets ideally translate these policies into a coherent and manageable collection of Allow/Deny rules. Designing rule sets that reflect desired policies is a difficult and time-consuming task. The result is that rule sets are difficult to understand and manage. The goal of this paper is to provide means for obtaining usable access control rule sets, which we define as rule sets that (i) reflect the access control policy and (ii) are easy to understand and manage. In this paper, we formally define the challenges that users face when generating usable access control rule sets and provide formal tools to handle them more easily. We started our research with a pilot study in which specialists were interviewed. The objective was to list usability challenges regarding the management of access control rule sets and verify how those challenges were handled by specialists. The results of the pilot study were compared and combined with results from related work and refined into six novel, formally defined metrics that are used to measure the security and usability aspects of access control rule sets. We validated our findings with two user studies, which demonstrate that our metrics help users generate statistically significant better rule sets.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Formal definitions for usable access control rule sets from goals to metrics

Beckerle

Martucci

2013

Proceedings of the Ninth Symposium on Usable Privacy and Security

View full text Add to dashboard Cite

show abstract

“…Such work provides valuable insights to work such as ours. For example, our assertions about the badness of exceptions in ACLs are based on the observations of Bauer et al [7]. Similarly, the work of Smetters and Good [28] discusses the value of groups and also makes some insightful observations.…”

Section: Related Workmentioning

confidence: 96%

“…This is particularly relevant to entries of the form user:, as these can be viewed as exceptions. It is known that exceptions in access control policies make them difficult to administer [7]. One may argue that if askfacl is always use to manage an ACL, then the redundancy should not matter.…”

Section: Designmentioning

confidence: 99%

Relating declarative semantics and usability in access control

Krishnan

Tripunitara

Chik

et al. 2012

Proceedings of the Eighth Symposium on Usable Privacy and Security

View full text Add to dashboard Cite

“…For instance, it is well-known that users' social networks have many more contacts than they interact with on a day-to-day basis: a 2011 poll of 1,954 British citizens found that the average person had 476 1 Facebook friends, but only 152 contacts in their cellular phone [38]. Furthermore, research studies have shown that users frequently make mistakes when authoring even basic access control policies in commodity systems [5,11,30]. As such, it is clear that accidents and misconfigurations can lead to over-sharing in large social networks.…”

mentioning

confidence: 99%

Combining social authentication and untrusted clouds for private location sharing

Adams

Lee

2013

Proceedings of the 18th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

With the advent of GPS-enabled smartphones, location-sharing services (LSSs) have emerged that share data collected through those mobile devices. However, research has shown that many users are uncomfortable with LSS operators managing their location histories, and that the ease with which contextual data can be shared with unintended audiences can lead to regrets that sometimes outweigh the benefits of these systems. In an effort to address these issues, we have developed SLS: a secure location sharing system that combines location-limited channels, multi-channel key establishment, and untrusted cloud storage to hide user locations from LSS operators while also limiting unintended audience sharing. In addition to describing the key agreement and locationsharing protocols used by the architecture, we discuss an iOS implementation of SLS that enables location sharing at tunable granularity through an intuitive policy interface on the user's mobile device. [6,8,21,22,28,29,35] and in practice [12,15,18, 20] her geographic location with her social contacts either as a first-class data object or as support for other content (e.g., attaching one's location to restaurant review). This sharing can be done in a near seamless manner, particularly when the LSS is embedded within a larger social platform.Despite their popularity, LSSs are not without their own security and privacy problems. By their very design, these systems have the implicit shortcoming that sharing one's location with social contacts requires sharing this location with the LSS operator as well. This can lead to undesirable profiling of users by third parties, or increase users' exposure risk in the event of an LSS compromise. In addition, it is has been shown that social networks in general [36] and LSSs in particular [29] can sometimes lead to situations in which users experience regrets after (over)sharing information. This is often the result of the so-called unintended audience problem, in which data is shared with individuals other than those with whom the subject intended to share.This may manifest as a result of a location being automatically attached to content posted on a social network, accidental sharing of a location with a user's entire set of contacts instead of a restricted subset, or posting a location that contradicts other statements made by the user [29].The latter problem is symptomatic of both LSS and access control complexity. For instance, it is well-known that users' social networks have many more contacts than they interact with on a day-to-day basis: a 2011 poll of 1,954 British citizens found that the average person had 476 1 Facebook friends, but only 152 contacts in their cellular phone [38]. Furthermore, research studies have shown that users frequently make mistakes when authoring even basic access control policies in commodity systems [5,11,30]. As such, it is clear that accidents and misconfigurations can lead to over-sharing in large social networks. On the other hand, the problem of required sharing with LSS operator...

show abstract

Real life challenges in access-control management

Cited by 63 publications

References 16 publications

Formal definitions for usable access control rule sets from goals to metrics

Formal definitions for usable access control rule sets from goals to metrics

Relating declarative semantics and usability in access control

Combining social authentication and untrusted clouds for private location sharing

Contact Info

Product

Resources

About