Access controls are the processes and mechanisms that allow only authorized users to perform operations upon the resources of a system. Using access controls, administrators attempt to implement the Principle of Least Privilege, a design principle where privileged entities operate using the minimal set of privileges necessary to complete their job. This protects the system against threats and vulnerabilities by reducing exposure to unauthorized activities. Although access control can be considered only one area of security research, it is a pervasive and omnipresent aspect of information security.

But achieving the Principle of Least Privilege is a difficult task. It requires the administrators of the access control policies to have an understanding of the overall system, each user's job function, the operations and resources necessary to those job functions, and how to express these using the access control model and language of the system. In almost all production systems today, this process of defining access control policies is performed manually. It is error-prone and done without quantitative metrics to help administrators and auditors determine if the Principle of Least Privilege has been achieved for the system.

In this dissertation, we explore the use of automated methods to create least privilege access control policies. Specifically, we (1) develop a framework for policy generation algorithms, derive metrics for determining adherence to the Principle of Least Privilege, and apply these to evaluate a real-world dataset, (2) develop two machine-learning-based algorithms for generating role-based policies and compare their performance to naive methods, and (3) develop a rule-mining-based algorithm to create attribute-based policies and compare its effectiveness to that of role-based methods.

By quantifying the performance of access control policies, developing methods to create least privilege policies, and evaluating their performance using real-world data, the projects presented in this dissertation advance the state of access control research and address a problem of great significance to security professionals.
Copyright of the original work is retained by the author.