Intentional Access Management: Making Access Control Usable for End-Users PowerPoint PPT Presentation


Title: Intentional Access Management: Making Access Control Usable for End-Users


1
Intentional Access Management: Making Access
Control Usable for End-Users
  • Xiang Cao
  • January 24, 2006

2
Background
  • Context
  • Shared file-systems as collaborative
    infrastructure
  • Need
  • Fine-grained, user-centered, dynamic control of
    sharing to match trust in ad-hoc collaboration
  • Solution
  • End-user management of resource sharing
  • Minimal changes to backend infrastructure

3
Human Factors
  • Security is only as good as its weakest link,
    and people are the weakest link in the chain.
    (B. Schneier, Secrets and Lies, 2000)
  • Configuration errors -> 90% of security failures
    (Bishop, 1996)

4
Recognition of the Need to Align Security and
Usability
  • CRA 2003 Grand Challenge
  • PITAC 2005 priority
  • Special publications
  • IEEE Security & Privacy 2004
  • Security and Usability, O'Reilly 2005
  • CHI 2003, WUPSS 2004, CHI 2005, SOUPS 2005

5
Characteristics of End-Users
  • Security
  • A secondary task (Whitten and Tygar 1999)
  • Not an everyday task
  • Limited technical capacity
  • Little security knowledge

6
The Gaps
  • Gap 1: Complexity
  • User interest / expertise (low to non-existent)
  • Task complexity (high) (I will demonstrate!)
  • Gap 2: Intention > Implementation
  • Even for simple needs (intentions)
  • e.g., Lee needs to be able to edit my thesis
    draft
  • User must be able to
  • Assess state of system: is the intention already
    fulfilled?
  • Determine how to modify configuration to fulfill
    intention

7
Research Focus
  • Access control models
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
  • Role-based Access Control (RBAC)
  • Access control mechanisms
  • access control lists (ACLs)
  • capability lists
  • policy-based
  • WebDAV and Windows NTFS

8
Intention
  • Primary user intentions
  • G1: Principal X must have privilege Y on object Z
  • G2: Principal X must not have privilege Y on
    object Z
  • ACE vs. Intention
  • ACE:
  • In an ACL, a statement of enforcement that is only
    examined if previous statements in the ACL are
    irrelevant or incomplete
  • Regarded as data in the enforcement/control
    algorithm
  • Intention:
  • Statement of goal or output constraint
  • Many different ACLs could result in this goal
    being fulfilled
9
Task Analysis
  • Norman/THEA models
  • Perceive and interpret information from the
    environment, and evaluate whether the problem is
    solved
  • If the problem remains unsolved, formulate a
    subgoal, according to perceived information, for
    solving all or part of the problem; if the
    problem is solved, exit the loop
  • Formulate a plan to achieve the subgoal
  • Execute the actions in the plan

10
G1 Principal X must have privilege Y on object Z
11
G2 Principal X must not have privilege Y on
object Z
12
Branch Points
  • Q1 Does principal X have privilege Y on Z?
  • Q2 Do I have the right to modify the ACL of
    object Z?
  • Q3 Are any of the principals in X explicitly
    denied privilege Y to object Z?
  • Q3.1 Are those principals denied privilege Y to
    object Z individually or via some group to which
    they belong?
  • Q4 Does group X2 exist such that X2 has
    privilege Y to object Z and I have privilege to
    modify group X2?
  • Q5 Do I have the privilege to create a new
    group?
  • Q6 Are those principals granted privilege Y to
    object Z individually or via some group to which
    they belong?
  • Q7 Does group X3 exist such that X3 is denied
    privilege Y to object Z and I have privilege to
    modify group X3?

13
Complicating Factors
  • Ordering of ACEs
  • stated privilege vs. effective privilege
  • ACL restrictions
  • deny-before-grant (NTFS ACL)
  • no-inherited-ace-conflict
  • Indirection by group membership
  • Indirection by ACL inheritance
  • Privilege hierarchy
  • Administrative privileges

14
Example
  • ACEs
  • grant the group students the privilege
    write-content
  • deny the group users the privilege write
  • grant the user jack the privilege write-content
  • Intention
  • The user jack must have the privilege
    write-content
  • Jack is a member of the group users
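The slide-14 ACL worked through in Python, as an added example that is not part of the presentation: it evaluates jack's effective privilege under ordered-ACE semantics (first matching ACE wins, as in WebDAV) and under deny-before-grant (as in NTFS), and shows why the stated grant to jack is not an effective privilege. The privilege hierarchy (write aggregates write-content), the group memberships and the first-match rule are assumptions made for the illustration.

```python
# Added example (not from the presentation). The hierarchy, names and
# memberships below are constructed assumptions for the illustration.

# Privilege hierarchy: an aggregate privilege contains its sub-privileges.
HIERARCHY = {"write": {"write-content", "write-acl"}}

def implies(stated_priv, requested):
    """True if an ACE stating `stated_priv` covers the `requested` privilege."""
    return stated_priv == requested or requested in HIERARCHY.get(stated_priv, set())

def matches(ace, principal, groups):
    """An ACE applies to a principal directly or via one of its groups."""
    return ace["principal"] == principal or ace["principal"] in groups

def effective(acl, principal, groups, privilege, deny_before_grant=False):
    """Return 'grant', 'deny' or 'none' (no applicable ACE = implicit deny)."""
    ordered = list(acl)
    if deny_before_grant:  # NTFS: explicit denies evaluated before grants
        ordered.sort(key=lambda ace: ace["action"] != "deny")  # stable sort
    for ace in ordered:
        if matches(ace, principal, groups) and implies(ace["privilege"], privilege):
            return ace["action"]
    return "none"

def stated(acl, principal, privilege):
    """What a user reading the ACL sees: is there a grant naming the principal?"""
    return any(ace["principal"] == principal and ace["action"] == "grant"
               and implies(ace["privilege"], privilege) for ace in acl)

# Constructed sample: the ACEs and membership from slide 14.
ACL = [
    {"action": "grant", "principal": "students", "privilege": "write-content"},
    {"action": "deny", "principal": "users", "privilege": "write"},
    {"action": "grant", "principal": "jack", "privilege": "write-content"},
]
JACK_GROUPS = {"users"}               # jack is in users, not in students
REORDERED = [ACL[2], ACL[0], ACL[1]]  # move jack's grant ahead of the deny

if __name__ == "__main__":
    want = ("jack", JACK_GROUPS, "write-content")
    print("stated grant for jack:", stated(ACL, "jack", "write-content"))  # True
    print("ordered ACEs:", effective(ACL, *want))                          # deny
    print("deny-before-grant:", effective(ACL, *want, True))               # deny
    print("reordered, ordered ACEs:", effective(REORDERED, *want))         # grant
    print("reordered, deny-first:", effective(REORDERED, *want, True))     # deny
    # Side effect: under deny-before-grant only leaving 'users' satisfies the intention
    print("jack out of users, deny-first:",
          effective(ACL, "jack", set(), "write-content", True))            # grant
```

Reordering the ACEs is a direct fix only under ordered evaluation; under deny-before-grant the intention can only be met through a side effect (modifying group membership, slide 15).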

15
Side Effects
  • Side effects: Peripheral or secondary effects
    caused by some actions to accomplish an
    intention.
  • Raised when the intention cannot be resolved in a
    direct way
  • Modify group membership
  • Modify inherited ACL
  • Add/Remove/Modify ACEs not exactly matched with
    intentions
  • Complications
  • Loop in process
  • Modeling decisions

16
Conflicts
  • Conflicts
  • Matched principals / privileges
  • Contradictory actions (deny vs. grant)
  • Between two intentions of
  • Same user
  • Different users
  • Conflict detection and resolution

17
Summary of the Analysis
  • Gulfs of execution and evaluation
  • Algorithmic relationship between the goal and ACL
    configuration changes
  • Incremental changes
  • Direct manipulation
  • A higher level of abstraction based on effects

Norman, Donald A. (1988) The Design of
Everyday Things. New York, Doubleday
18
Access Matrix
(Figure: Access Matrix with Principal / Actor rows,
Object columns and Privilege/Action cells (read, read
write); users U1 and U2 with Access Matrix constraints;
ACL, Policy and RBAC each shown as sources of AC rules)
19
Access Control vs. Access Management
  • Access Goals (Intentions) vs. AC Rules
  • IAM:
  • 1. The user expresses intentions in terms of
    effective permissions
  • 2. The system solves the implementation problem
    (intention -> implementation) with feedback
(Diagram labels: Access Goals (Intentions); Access
Management: Intentional Access Management (IAM), UI;
Access Control: Access Control Mechanism,
Privileges / Enforcement, AC Rules)
20
Hypothesis
  • Intentional Access Management will make the
    access control system easier to use
  • A level of abstraction matching end-users' goals
  • No need to learn the access control mechanisms
  • Reduction of the task's conceptual complexity
  • Accuracy improvement
  • Speed improvement
  • User satisfaction improvement

21
Design Principles
  • User decisions should be made/requested in an
    environment where
  • the user has access to essential information
    needed to make the decision reliably
  • (Yee's Principle of Visibility)
  • the system is responsible for predicting and
    presenting such information when it can.
  • (Yee's Principle of Clarity)
  • Manipulation in terms of effective permissions
  • Related projects: Zurko (MAP, Adage), Maxion and
    Reeder (Salmon)

22
Basic IAM: IAM Wizard
  • The user initiates interaction with the system by
    expressing an intention in terms of an output
    constraint on the access control system
  • The system translates these intentions into
    implementation
  • The system follows Yee's principles of clarity
    and visibility in informing the user of the
    consequences of actions not directly implied by
    their intentions and
  • The system informs the user of modeling
    variations as well as detected ambiguities and
    conflicts in intentions.

23
Full IAM
  • Maintenance of intentions for each user
  • The ability to retract previous intentions
  • Maintenance of connections between intentions and
    implementation actions and
  • Management of conflicts by initiating user
    interactions to resolve conflicts.

24
Full IAM (contd)
25
Multi-Backend IAM
26
Pros & Cons
  • Pros
  • A level of abstraction matching end-users' goals
  • No need to change the deployed back-ends/enforcement
    models
  • Ability to resolve conflicts
  • Ability to resolve reflexive needs
    (self-grant)
  • Cons
  • Burden on users for tracking and managing
    intentions over time

27
Implementation: IAM Wizard for WebDAV
  • Server: Slide
  • Client: DAV Explorer
  • Existing ACL Editor
  • New module IAM Wizard

28
Interface Design
  • Displaying security context when any resource is
    selected

29
DialogA
30
DialogB
31
DialogB-2
32
DialogC
33
User Study
  • Goals (Feasibility, Usability)
  • Lose nothing: not upset end-user expectations or
    cause confusion
  • Gains: accuracy, speed, user confidence and
    satisfaction
  • 10 participants
  • Business (2), Arts (2), Engineering (4), CS (2)
  • None knew ACL in WebDAV

34
Task Statements
  • You are co-authoring a book named book1 with
    some collaborators. The chapters of this book are
    stored in /files/book1/ on the WebDAV server.
  • Training Task: Jack is an independent reviewer,
    and you want him to make some comments on this book.
    Please make sure that Jack can read and change
    the content of the file files/book1/comments.txt.

35
Task Statements (contd)
  • 4 Tasks
  • Task1: task requirements were already fulfilled
  • Task2: simply adding an ACE
  • Task3:
  • similar to Task2
  • administrative privilege included
  • Task4: an alternative way by modifying group
    membership

36
Results
  • Speed

(Figure: Average time to complete Task1, Task2, Task3, and
Task4)
37
Results
  • Accuracy

Percent of accurate completions for the four
tasks
        Using ACL Editor (%)   Using IAM wizard (%)
Task1   100                    100
Task2   70                     100
Task3   30                     100
Task4   10                     100
38
Results
  • User Confidence
  • User Satisfaction
  • I really hope that the whole computer system can
    be designed in this way so that I can use it
    easily.

User confidence ratings
        Using ACL Editor (Mean, Standard Deviation)   Using IAM wizard (Mean, Standard Deviation)
Task1   6.9, 0.3                                      7, 0
Task2   6.4, 0.7                                      7, 0
Task3   6.3, 0.8                                      7, 0
Task4   1.6, 1.8                                      7, 0
39
Achievements
  • Conceptual change
  • directly accommodates users' task-oriented goals
  • Bridges both the gulf of evaluation and gulf
    of execution
  • A high level of abstraction
  • Intentional analysis
  • algorithmic relationship between the goal and
    configuration
  • side effects
  • conflicts
  • modeling decisions
  • IAM models: Wizard, Full, Multi-backend
  • Implementation: IAM Wizard for WebDAV
  • User study

40
Future Work
  • Better model of necessary user intentions
  • Presentation of privileges in task-oriented terms
  • Full and Multi-backend IAMs
  • Resolution of conflicts
  • Presentation and exploration of side effects
  • Interactions with multiple systems
  • Interactions with system administrative actions

41
Q & A
  • Thank You !

43
Philosophy
  • End-users are not security experts
  • They may not understand the complex security
    mechanisms
  • Therefore, let's provide usable and powerful
    security decision support tools to help them
    control their information more effectively

44
HCI Terms
  • Gulf of Evaluation
  • Expectations/Intentions -> System representations
  • Gulf of Execution
  • Intentions -> System supports

Norman, Donald A. (1988) The Design of Everyday
Things. New York, Doubleday
45
Example Access Control List
  • User test2 has two intentions
  • Intention1: User test must have the read-acl
    privilege and
  • Intention2: User test must have the write-acl
    privilege.
  • User test has two intentions
  • Intention3: User test2 must have the
    read-content privilege and
  • Intention4: User test3 must have the
    read-content privilege.
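The intentions on this slide, as an added example (not the presentation's code) of the Full IAM bookkeeping described on slide 23: intentions are kept per user and linked to the ACE that implements them, retracting an intention removes an ACE only when no other intention still needs it, and a new intention that contradicts a stored one (same principal and privilege, must vs. must not, as on slide 16) is reported as a conflict before anything is changed. The users, privilege names and ACE representation are constructed for the illustration, and principals are compared by name only, so group membership is not considered.

```python
# Added example (not from the presentation): a minimal Full IAM intention store.
# Users, privileges and the ACE format are constructed assumptions; principals
# are compared by name only, so group membership is ignored here.
from collections import namedtuple

# must=True is a G1 intention (must have), must=False a G2 (must not have)
Intention = namedtuple("Intention", "owner principal privilege must")

def ace_for(it):
    """The single ACE (action, principal, privilege) implementing an intention."""
    return ("grant" if it.must else "deny", it.principal, it.privilege)

class IntentionStore:
    def __init__(self):
        self.intentions = {}   # intention id -> Intention (kept per owner)
        self.acl = []          # ACEs currently applied
        self._next_id = 1

    def conflicts_with(self, new):
        """Ids of stored intentions on the same principal/privilege with the opposite goal."""
        return [iid for iid, it in self.intentions.items()
                if (it.principal, it.privilege) == (new.principal, new.privilege)
                and it.must != new.must]

    def add(self, owner, principal, privilege, must=True):
        """Store an intention and apply its ACE; on conflict change nothing and
        return (None, conflicting ids) so the user can resolve it first."""
        new = Intention(owner, principal, privilege, must)
        clash = self.conflicts_with(new)
        if clash:
            return None, clash
        if ace_for(new) not in self.acl:   # two intentions may share one ACE
            self.acl.append(ace_for(new))
        iid, self._next_id = self._next_id, self._next_id + 1
        self.intentions[iid] = new
        return iid, []

    def retract(self, iid):
        """Withdraw an intention; drop its ACE only if no remaining intention needs it."""
        it = self.intentions.pop(iid)
        if not any(ace_for(o) == ace_for(it) for o in self.intentions.values()):
            self.acl.remove(ace_for(it))

def slide45_example():
    """The four intentions on this slide; returns the store and Intention3's id."""
    s = IntentionStore()
    s.add("test2", "test", "read-acl")                  # Intention1
    s.add("test2", "test", "write-acl")                 # Intention2
    i3, _ = s.add("test", "test2", "read-content")      # Intention3
    s.add("test", "test3", "read-content")              # Intention4
    return s, i3
```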

46
Related Work
  • Usable Access Control
  • MAP (Zurko and Simon, 1996)
  • Adage (Zurko et al., 1999)
  • Salmon (Maxion and Reeder, 2004)
  • Design Principles
  • Psychological Acceptability (Saltzer and
    Schroeder, 1975)
  • Yee's 10 principles for aligning security and
    usability (2002)
  • Visibility The interface should let the user
    easily review any active authority relationships
    that could affect security decisions.
  • Clarity The effect of any authority-manipulating
    user action should be clearly apparent to the
    user before the action takes effect.

47
General HCI principle
  • The conceptual complexity of a task should not
    exceed the user's commitment to that task

48
Task Analysis (contd)
  • Assess the current state of the system
  • Decide whether or not the goal is already
    fulfilled
  • Develop a strategy to decide how to minimally
    achieve the goal state given the current system
    state.

49
Modeling Decisions
50
WebDAV Access Control
  • WebDAV: Web-based Distributed Authoring and
    Versioning
  • WebDAV Access Control (Superset of NTFS ACL)
  • Principal
  • Privilege
  • Resource
  • ACL Evaluation
  • ordered ACEs
  • stated privilege vs. effective privilege

51
Windows NTFS Access Control
  • Deny-before-grant
  • Ownership
  • Permissions on files and folders

52
ACL Editor
53
IAM Wizard
54
Interface Design (contd)
  • User Cannot Lock Him- or Herself Out of Own
    Folder and File

55
Interface Design (contd)
  • Needed Information Shown to the User When
    Setting an Intention
  • User Notified Only When Necessary
  • Side Effects Shown to the User

56
Implementation Limitations
  • Client-side implementation
  • ACE conflicts
  • Basic intentions
  • Side effects

57
Definition of Usability
  • Ease of learning
  • Efficiency of use
  • Memorability
  • Error frequency and severity
  • Subjective satisfaction
  • Adopted by US Department of Health and Human
    Services

58
Participants
  • 10 participants
  • Business (2), Arts (2), Engineering (4), CS (2)
  • Frequency of using computers
  • daily (8), a few times a week (2)
  • Experience of setting file permissions
  • have (8), never (2)
  • Familiarity with ACL and its evaluation
  • average (2), know a little (5), don't know at
    all (3)
  • None knew ACL in WebDAV

59
Procedure
  • Tasks 1, 2, 3
  • 8: The ACL Editor first, and then the IAM wizard
  • 2: The IAM wizard first, and then the ACL Editor
  • Task 4
  • The ACL Editor first, and then the IAM wizard
  • Learn ACL evaluation before using the ACL Editor
  • Rate confidence on correctness after each task

60
Future Work
  • Existing Model
  • The user identifies resources
  • The user makes a statement guiding security
    enforcement of resources
  • The system enforces
  • Alternative Model
  • The user identifies an intention to share
    resources with others or restrict sharing
  • The system determines possible enforcement
    statements to fulfill the intention
  • The system automatically chooses the enforcement
    and informs (or not) the user by
    Surprise-Explain-Reward, OR the system presents
    alternative enforcement possibilities with
    consequences to the user and requests a decision
(Diagram labels: Resources, Security Enforcement
System, Security Tools for the existing model;
Resources, Security Enforcement System, Sharing
Tools for the alternative model)
61
Access Matrix
(Figure: Access Matrix, repeated from slide 18: Principal /
Actor rows, Object columns, Privilege/Action cells (read,
read write); ACL, Policy and RBAC as sources of AC rules)