Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/3176258.3176307acmconferencesArticle/Chapter ViewAbstractPublication PagescodaspyConference Proceedingsconference-collections
research-article
Public Access

Minimizing Privilege Assignment Errors in Cloud Services

Published: 13 March 2018 Publication History

Abstract

The Principle of Least Privilege is a security objective of granting users only those accesses they need to perform their duties. Creating least privilege policies in the cloud environment with many diverse services, each with unique privilege sets, is significantly more challenging than policy creation previously studied in other environments. Such security policies are always imperfect and must balance between the security risk of granting over-privilege and the effort to correct for under-privilege. In this paper, we formally define the problem of balancing between over-privilege and under-privilege as the Privilege Error Minimization Problem (PEMP) and present a method for quantitatively scoring security policies. We design and compare three algorithms for automatically generating policies: a naive algorithm, an unsupervised learning algorithm, and a supervised learning algorithm. We present the results of evaluating these three policy generation algorithms on a real-world dataset consisting of 5.2 million Amazon Web Service (AWS) audit log entries. The application of these methods can help create policies that balance between an organization's acceptable level of risk and effort to correct under-privilege.

References

[1]
Amazon Web Services. 2017. IAM Policy Generator Source Code. https://awsiamconsole.s3.amazonaws.com/iam/assets/js/bundles/policies.js. (2017). Accessed: 2017-05-04.
[2]
Aaron Blankstein and Michael J Freedman. 2014. Automating isolation and least privilege in web services Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 133--148.
[3]
Leo Breiman, Jerome Friedman, Charles J Stone, and Richard A Olshen. 1984. Classification and regression trees. CRC press.
[4]
Suresh Chari, Ian Molloy, Youngja Park, and Wilferid Teiken. 2013. Ensuring continuous compliance through reconciling policy with usage ACM Symposium on Access control models and technologies (SACMAT). ACM, 49--60.
[5]
Martin Ester, Hans-Peter Kriegel, Jörg Sander, Xiaowei Xu, et almbox. 1996. A density-based algorithm for discovering clusters in large spatial databases with noise. Knowledge discovery in databases (KDD), Vol. Vol. 96. AAAI Press, 226--231.
[6]
David F Ferraiolo, Ravi Sandhu, Serban Gavrila, D Richard Kuhn, and Ramaswamy Chandramouli. 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), Vol. 4, 3 (2001), 224--274.
[7]
Mario Frank, Joachim M Buhmann, and David Basin. 2010. On the definition of role mining. In ACM Symposium on Access control models and technologies (SACMAT). ACM, 35--44.
[8]
Google, Inc. . 2017. Manifest.permission | Android Developers. https://developer.android.com/reference/android/Manifest.permission.html. (2017). Accessed: 2017-01-10.
[9]
Rob J Hyndman and George Athanasopoulos. 2014. Forecasting: principles and practice. OTexts.
[10]
IBM Corporation. 2012. z/OS Security Server RACF General User's Guide. https://www.ibm.com/support/knowledgecenter/en/SSLTBW_1.13.0/com.ibm.zos.r13.icha100/toc.htm. (2012). Accessed: 2017-05--17.
[11]
John D Kelleher, Brian Mac Namee, and Aoife D`Arcy. 2015. Fundamentals of Machine Learning for Predictive Data Analytics. (2015).
[12]
Spyros Makridakis. 1990. Sliding Simulation: A New Approach to Time Series Forecasting. Management Science, Vol. 36, 4 (1990), 505--512.
[13]
Spyros Makridakis, A Andersen, Robert Carbone, Robert Fildes, Michele Hibon, Rudolf Lewandowski, Joseph Newton, Emanuel Parzen, and Robert Winkler. 1982. The accuracy of extrapolation (time series) methods: Results of a forecasting competition. Journal of forecasting Vol. 1, 2 (1982), 111--153.
[14]
Christopher D. Manning, Prabhakar Raghavan, and Hinrich Schütze. 2008. Introduction to Information Retrieval. Cambridge University Press, New York, NY, USA. 117--119 pages.
[15]
Ian Molloy, Ninghui Li, Tiancheng Li, Ziqing Mao, Qihua Wang, and Jorge Lobo. 2009. Evaluating role mining algorithms. In ACM Symposium on Access control models and technologies (SACMAT). ACM, 95--104.
[16]
Ian Molloy, Youngja Park, and Suresh Chari. 2012. Generative Models for Access Control Policies: Applications to Role Mining over Logs with Attribution. In ACM Symposium on Access control models and technologies (SACMAT). ACM, 45--56.
[17]
Sara Motiee, Kirstie Hawkey, and Konstantin Beznosov. 2010. Do windows users follow the principle of least privilege?: investigating user account control practices. In Symposium on Usable Privacy and Security (SOUPS). ACM.
[18]
Pedregosa, F., et al. . 2011. Scikit-learn: Machine Learning in Python. Journal of Machine Learning Research Vol. 12 (2011), 2825--2830.
[19]
Jerome H Saltzer and Michael D Schroeder. 1975. The protection of information in computer systems. Proc. IEEE Vol. 63, 9 (1975), 1278--1308.
[20]
Matthew Sanders and Chuan Yue. 2017. Automated Least Privileges in Cloud-Based Web Services Hot Topics in Web Systems and Technologies (HotWeb). IEEE.
[21]
SANS Institute. 2010. A Compliance Primer for IT Professionals. https://www.sans.org/reading-room/whitepapers/compliance/compliance-primer-professionals-33538. (2010). Accessed: 2017-09--24.
[22]
Jürgen Schlegelmilch and Ulrike Steffens. 2005. Role mining with ORCA. In ACM Symposium on Access control models and technologies (SACMAT). ACM, 168--176.
[23]
scikit-learn developers. 2016. Overview of clustering methods. http://scikit-learn.org/stable/modules/clustering.html. (2016). Accessed: 2017-09-01.
[24]
Brian T. Sniffen, David R. Harris, and John D. Ramsdell. 2006. Guided policy generation for application authors. SELinux Symposium.
[25]
Harold F Tipton and Kevin Henry. 2006. Official (ISC) 2 guide to the CISSP CBK. Auerbach Publications.
[26]
Jaideep Vaidya, Atluri Vijayalakshmi, and Qi Guo. 2007. The role mining problem: finding a minimal descriptive set of roles. ACM Symposium on Access control models and technologies (SACMAT). ACM, 175--184.
[27]
Bob Violino. 2017. Cloud Computing Sees Huge Growth Rates Across All Segments. http://www.information-management.com/news/infrastructure/cloud-computing-sees-huge-growth-rates-across-all-segments-10030682--1.html. (2017). Accessed: 2017-09-07.
[28]
Ruowen Wang, William Enck, Douglas Reeves, Xinwen Zhang, Peng Ning, Dingbang Xu, Wu Zhou, and Ahmed M. Azab. 2015. EASEAndroid: Automatic Policy Analysis and refinement for security enhanced android via large-scale semi-supervised learning USENIX Security Symposium. USENIX, 351--366.
[29]
Yongzheng Wu, Jun Sun, Yang Liu, and Jin Song Dong. 2013. Automatically partition software into least privilege components using dynamic data dependency analysis. In IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE Press, 323--333.

Cited By

View all
  • (2024)Automatically Reducing Privilege for Access Control PoliciesProceedings of the ACM on Programming Languages10.1145/36897388:OOPSLA2(763-790)Online publication date: 8-Oct-2024
  • (2023)MultiviewProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620657(7499-7516)Online publication date: 9-Aug-2023
  • (2023)Social Transparency in Network Monitoring and Security SystemsProceedings of the 22nd International Conference on Mobile and Ubiquitous Multimedia10.1145/3626705.3627773(37-53)Online publication date: 3-Dec-2023
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy
March 2018
401 pages
ISBN:9781450356329
DOI:10.1145/3176258
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 March 2018

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. cloud computing
  2. principle of least privilege
  3. role based access control (rbac)

Qualifiers

  • Research-article

Funding Sources

Conference

CODASPY '18
Sponsor:

Acceptance Rates

CODASPY '18 Paper Acceptance Rate 23 of 110 submissions, 21%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)125
  • Downloads (Last 6 weeks)12
Reflects downloads up to 23 Nov 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Automatically Reducing Privilege for Access Control PoliciesProceedings of the ACM on Programming Languages10.1145/36897388:OOPSLA2(763-790)Online publication date: 8-Oct-2024
  • (2023)MultiviewProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620657(7499-7516)Online publication date: 9-Aug-2023
  • (2023)Social Transparency in Network Monitoring and Security SystemsProceedings of the 22nd International Conference on Mobile and Ubiquitous Multimedia10.1145/3626705.3627773(37-53)Online publication date: 3-Dec-2023
  • (2021)Automating Audit with Policy Inference2021 IEEE 34th Computer Security Foundations Symposium (CSF)10.1109/CSF51468.2021.00001(1-16)Online publication date: Jun-2021
  • (2020)Automated Enforcement of the Principle of Least Privilege over Data Source Access2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom50675.2020.00075(510-517)Online publication date: Dec-2020
  • (2020)ASPGen: an Automatic Security Policy Generating Framework for AppArmor2020 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom)10.1109/ISPA-BDCloud-SocialCom-SustainCom51426.2020.00075(392-400)Online publication date: Dec-2020
  • (2019)Mining least privilege attribute based access control policiesProceedings of the 35th Annual Computer Security Applications Conference10.1145/3359789.3359805(404-416)Online publication date: 9-Dec-2019

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media