Charles Morisset‘s talk at the June 2017 RISCS meeting reported on his work with David Sanchez, a recent MSc graduate from Newcastle University, on visualising access policies to help people make better decisions. Funded by a small NCSC grant, the project finished in January 2017.
A common problem among security practitioners is maintaining access control policies when they have hundreds of rules, may be misconfigured, and have to be updated for changes in policy. Practitioners have to go through these files, which encode many hundreds or even thousands of rules in a markup language called XACML in order to understand what they can change. Even for technically trained experts, these files are difficult to read:
Morisset’s project studied visualising these using different options such as maps, user roles, permissions, and multilateral grids: making complex policies easier to understand at a glance should mean fewer errors to leave networks vulnerable. An online demonstration shows the design the group came up with, an ongoing effort called VisABAC, for the visualisation of attribute based access control policies, and a test for visitors to take to help assess the effectiveness of these design changes. A significant difficulty for the project is that there is no benchmark for reading access control policies and therefore no way to answer the simple question: does this approach work to improve the situation or not? Morisset is hoping RISCS participants will be able to help answer this question.
In the meantime, the researchers conducted a test in which they recruited 32 students, gave them the tool, identified the policy, and asked them to find the attributes. The results suggested that graphics are helpful with new policies but tend to be ignored once people have formed a mental model of how the policy works.
For future work, Morisset wants to:
- consider helping security experts;
- consider the general problem of understanding access control;
- integrate multiple and appropriate visualisation techniques;
- fully integrate with XACML and role-based access control.
Morisset also hopes to be able to use these designs to extend the ability to understand access control policies to non-technical people.
In comments, Angela Sasse noted that her group is finding that companies are increasingly delegating access control to people with no technical training – department managers pass the job on to their PAs or to project managers.