  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

RBAC Attack Exposure Auditor. Tracking User Risk Exposure per Role-Based Access Control Permissions

Damrau, Adelaide 01 May 2023
Access control models and implementation guidelines for determining, provisioning, and de-provisioning user permissions are challenging due to the differing approaches, unique for each organization, the lack of information provided by case studies concerning the organization’s security policies, and no standard means of implementation procedures or best practices. Although there are multiple access control models, one stands out: role-based access control (RBAC). RBAC simplifies maintenance by enabling administrators to group users with similar permissions. This approach to managing user permissions supports the principle of least privilege and separation of duties, which are needed to ensure an organization maintains acceptable user access security requirements. However, if not properly maintained, RBAC produces the problem of role explosion. What happens when security administrators cannot maintain the increasing number of roles and their assigned permissions provisioned to the organization’s users? This paper attempts to solve this problem by implementing a scalable RBAC system and assigning each permission a risk value score determined by the severity of risk it would expose the organization to if someone had unauthorized access to that permission. Using RBAC’s role and permission design, each user will be assigned a risk value score determined by the summation of their roles’ risk based on permission values. This method allows security administrators to view the users and roles with the highest level of risk, therefore prioritizing the highest risk users and roles when maintaining user roles and permissions.
2

Permission Based Risk Assessment for Enhancing Privacy of Android Users

Rashid Idris, Muhammad January 2018
Mobile applications tend to access data beyond their intended functionality and share this data with third parties for various purposes including marketing, profiling and advertisement. This data also includes users’ personal information, and access to this personal information without the user’s consent puts the user’s privacy at risk. Users’ inability to easily find privacy-friendly apps and befuddling permission requests pave the way for malicious apps to get access to users’ personal information. Keeping in mind the different levels of privacy-aware users, we have presented a privacy enforcement framework in this thesis. This framework not only helps users to find alternative privacy-friendly apps but also encourages users to review their privacy settings on the smartphone. An app discovery tool is developed to search for privacy-friendly apps amongst the group with similar functionality. The search results are sorted by a privacy-friendly score, which is calculated using a simplified version of the risk assessment method known as EBIOS. Threats posed to personal information by various apps are then highlighted and presented to the user in an easy-to-understand way before installing the app. We have validated the results of our discovery tool by comparing them to the manual inspection of various functional groups, i.e., groups of applications with similar functionality. Two lists of permissions are compared: one created by subjective and manual analysis of the abstract functionality of a functional group, called expert opinion, and the other created by our tool based on permissions requested by the functional group. Our tool has correctly identified the permissions which are similar to expert opinion.
3

Increasing Efficiency and Scalability in AWS IAM by Leveraging an Entity-centric Attribute- & Role-based Access Control (EARBAC) Model

Karlsson, Rasmus, Jönrup, Pontus January 2023
Cloud computing is becoming increasingly popular among all types of companies due to its inherent benefits. However, because of its infrastructure, it might be difficult to manage access rights between users and resources. To address these difficulties, Amazon Web Services (AWS) provides Identity and Access Management (IAM) and features that support the use of different access control models, for example, Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC). Access control models are used for authorisation within systems to decide who gets access to what. Therefore, to determine what constitutes an efficient (the average time it takes to perform a task in AWS IAM) and secure access control model, a thorough study of background material and related work was conducted. Through this study, it was found that RBAC lacked scalability whilst ABAC lacked administrative capabilities. It was also found that flexibility and scalability were two important factors when designing access control models. Furthermore, by conducting a survey and designing an access control model for AWS through various iterations, a new access control model called Entity-centric Attribute- & Role-based Access Control (EARBAC) was developed. In an experiment comparing it with the RBAC model, the EARBAC model was found to be both efficient and secure, in addition to its flexibility and scalability. Furthermore, EARBAC was also found to be 27% faster than RBAC in AWS IAM. These results suggest that the model is useful when developing cloud infrastructures in AWS.
