Usable Policy Template Authoring for Iterative Policy Refinement

Abstract—People must have usable tools in order to author and maintain high-quality policies. In this paper we discuss policy templates as a mechanism for policy authoring. We believe that policy templates can be leveraged to make policy authoring more usable and to provide consistent policy authoring interfaces across a wide variety of policy domains. Templates provide users with a structured format for authoring policies; however, a general approach for creating policy templates has not been described in published research to date. Based on research in policy management, we propose an iterative policy refinement process that consists of three user roles and spans policy authoring, template authoring, and policy element definition. We designed a GUI-based prototype that enables users to create policy templates. In this paper we describe our proposed policy refinement process, the necessary user roles, a template authoring prototype, and the results of an empirical study of template authoring. I

Security Policies That Make Sense for Complex Systems: Comprehensible Formalism for the System Consumer

Information Systems today rarely are contained within a single user workstation, server, or networked environment. Data can be transparently accessed from any location, and maintained across various network infrastructures. Cloud computing paradigms commoditize the hardware and software environments and allow an enterprise to lease computing resources by the hour, minute, or number of instances required to complete a processing task. An access control policy mediates access requests between authorized users of an information system and the system\u27s resources. Access control policies are defined at any given level of abstraction, such as the file, directory, system, or network, and can be instantiated in layers of increasing (or decreasing) abstraction. For the system end-user, the functional allocation of security policy to discrete system components, or subsystems, may be too complex for comprehension. In this dissertation, the concept of a metapolicy, or policy that governs execution of subordinate security policies, is introduced. From the user\u27s perspective, the metapolicy provides the rules for system governance that are functionally applied across the system\u27s components for policy enforcement. The metapolicy provides a method to communicate updated higher-level policy information to all components of a system; it minimizes the overhead associated with access control decisions by making access decisions at the highest level possible in the policy hierarchy. Formal definitions of policy often involve mathematical proof, formal logic, or set theoretic notation. Such policy definitions may be beyond the capability of a system user who simply wants to control information sharing. For thousands of years, mankind has used narrative and storytelling as a way to convey knowledge. This dissertation discusses how the concepts of storytelling can be embodied in computational narrative and used as a top-level requirements specification. The definition of metapolicy is further discussed, as is the relationship between the metapolicy and various access control mechanisms. The use of storytelling to derive the metapolicy and its applicability to formal requirements definition is discussed. The author\u27s hypothesis on the use of narrative to explain security policy to the system user is validated through the use of a series of survey instruments. The survey instrument applies either a traditional requirements specification language or a brief narrative to describe a security policy and asks the subject to interpret the statements. The results of this research are promising and reflect a synthesis of the disciplines of neuroscience, security, and formal methods to present a potentially more comprehensible knowledge representation of security policy

Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls

Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use. This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls. An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automaiii tion techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model