Automated least privileges in cloud-based web services

Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies Pub Date : 2017-10-14 DOI:10.1145/3132465.3132470

M. Sanders, Chuan Yue

{"title":"Automated least privileges in cloud-based web services","authors":"M. Sanders, Chuan Yue","doi":"10.1145/3132465.3132470","DOIUrl":null,"url":null,"abstract":"The principle of least privilege is a fundamental guideline for secure computing that restricts privileged entities to only the permissions they need to perform their authorized tasks. Achieving least privileges in an environment composed of many heterogeneous web services provided by a third party is an important but difficult and error prone task for many organizations. This paper explores the challenges that make achieving least privileges uniquely difficult in the cloud environment and the potential benefits of automated methods to assist with creating least privilege policies from audit logs. To accomplish these goals, we implement two frameworks: a Policy Generation Framework for automatically creating policies from audit log data, and an Evaluation Framework to quantify the security provided by generated roles. We apply these frameworks to a real world dataset of audit log data with 4.3 million events from a small company and present results describing the policy generator's effectiveness. Results show that it is possible to significantly reduce over-privilege and administrative burden of permission management.","PeriodicalId":411240,"journal":{"name":"Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3132465.3132470","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

The principle of least privilege is a fundamental guideline for secure computing that restricts privileged entities to only the permissions they need to perform their authorized tasks. Achieving least privileges in an environment composed of many heterogeneous web services provided by a third party is an important but difficult and error prone task for many organizations. This paper explores the challenges that make achieving least privileges uniquely difficult in the cloud environment and the potential benefits of automated methods to assist with creating least privilege policies from audit logs. To accomplish these goals, we implement two frameworks: a Policy Generation Framework for automatically creating policies from audit log data, and an Evaluation Framework to quantify the security provided by generated roles. We apply these frameworks to a real world dataset of audit log data with 4.3 million events from a small company and present results describing the policy generator's effectiveness. Results show that it is possible to significantly reduce over-privilege and administrative burden of permission management.

查看原文本刊更多论文

基于云的web服务中的自动最小权限

最小特权原则是安全计算的基本原则，它将拥有特权的实体限制在执行其授权任务所需的权限范围内。对于许多组织来说，在由第三方提供的许多异构web服务组成的环境中实现最小特权是一项重要但困难且容易出错的任务。本文探讨了在云环境中难以实现最小特权的挑战，以及帮助从审计日志创建最小特权策略的自动化方法的潜在好处。为了实现这些目标，我们实现了两个框架:一个是用于从审计日志数据自动创建策略的策略生成框架，另一个是用于量化生成的角色所提供的安全性的评估框架。我们将这些框架应用于一个真实世界的审计日志数据集，其中包含来自一家小公司的430万个事件，并给出了描述策略生成器有效性的结果。结果表明，可以显著减少权限管理的过度权限和管理负担。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies

自引率

0.00%

发文量