Bartsch, Steffen (2012)
Policy Override in Practice: Model, Evaluation, and Decision Support.
In: Security and Communication Networks
doi: 10.1002/sec.547
Artikel, Bibliographie
Kurzbeschreibung (Abstract)
The predominant strategy in restricting permissions in information systems is to limit users on the basis of the ‘need-to-know’ principle. Although appropriate in highly security-sensitive contexts, this culture of protection will, in other contexts, often reduce users' productivity and is seen as a hassle because the everyday exceptions to the routine tasks can be severely hindered. This paper proposes a more flexible authorization model, policy override, which allows end users to override authorization in a controlled manner. In this article, I describe the authorization model and its implementation in a medium enterprise's business application. I evaluated policy override use over a period of 1 year through quantitative and qualitative analysis to identify challenges and offer advice on the implementation of policy override in practice. One important challenge is the setting of adequate bounds for policy override. To overcome this obstacle, I propose and evaluate a qualitative risk-based calculus that offers decision support to balance additional risks of policy override with the benefits of more flexible authorization.
| Typ des Eintrags: | Artikel |
|---|---|
| Erschienen: | 2012 |
| Autor(en): | Bartsch, Steffen |
| Art des Eintrags: | Bibliographie |
| Titel: | Policy Override in Practice: Model, Evaluation, and Decision Support |
| Sprache: | Englisch |
| Publikationsjahr: | Mai 2012 |
| Titel der Zeitschrift, Zeitung oder Schriftenreihe: | Security and Communication Networks |
| DOI: | 10.1002/sec.547 |
| Kurzbeschreibung (Abstract): | The predominant strategy in restricting permissions in information systems is to limit users on the basis of the ‘need-to-know’ principle. Although appropriate in highly security-sensitive contexts, this culture of protection will, in other contexts, often reduce users' productivity and is seen as a hassle because the everyday exceptions to the routine tasks can be severely hindered. This paper proposes a more flexible authorization model, policy override, which allows end users to override authorization in a controlled manner. In this article, I describe the authorization model and its implementation in a medium enterprise's business application. I evaluated policy override use over a period of 1 year through quantitative and qualitative analysis to identify challenges and offer advice on the implementation of policy override in practice. One important challenge is the setting of adequate bounds for policy override. To overcome this obstacle, I propose and evaluate a qualitative risk-based calculus that offers decision support to balance additional risks of policy override with the benefits of more flexible authorization. |
| Freie Schlagworte: | Secure Data |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik > Theoretische Informatik - Kryptographie und Computeralgebra LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt 20 Fachbereich Informatik > SECUSO - Security, Usability and Society Profilbereiche > Cybersicherheit (CYSEC) LOEWE > LOEWE-Zentren 20 Fachbereich Informatik Profilbereiche LOEWE |
| Hinterlegungsdatum: | 28 Jul 2016 18:35 |
| Letzte Änderung: | 17 Mai 2018 13:02 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum