{"title":"A study of least privilege in CapBasED-AMS","authors":"P. Hung, K. Karlapalem, J. W. Gray","doi":"10.1109/COOPIS.1998.706199","DOIUrl":null,"url":null,"abstract":"Workflow systems are becoming very popular and are being used to support many of the day to day activities in large organizations. One of the major problems with workflow systems is that they often use heterogeneous and distributed hardware and software systems to execute a given activity. This gives rise to decentralized security policies and mechanisms, which, in order to enable activity execution, give too many privileges to agents (humans or systems) for executing the work. We develop the concept of least privilege, wherein the set of agents are given just enough privileges to complete the given activities. We develop our concepts in the context of CapBasED-AMS (Capability-based and Event-driven Activity Management System). CapBasED-AMS deals with the management and execution of activities. An activity consists of multiple inter-dependent tasks (atomic activities, each executed by a single agent) that need to be coordinated, scheduled and executed by a set of agents. We formalize the concept of least privilege and present algorithms to statically assign least privilege assignment to the agents. We develop the concept of dynamic least privilege enforcement, wherein an agent is given its privileges only during the duration of the task for which those privileges were assigned. Finally, we introduce a metric, security risk factor and use it to evaluate the trade-off between least privilege and resilience to agent failure.","PeriodicalId":106219,"journal":{"name":"Proceedings. 3rd IFCIS International Conference on Cooperative Information Systems (Cat. No.98EX122)","volume":"200 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1998-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings. 3rd IFCIS International Conference on Cooperative Information Systems (Cat. No.98EX122)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COOPIS.1998.706199","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Workflow systems are becoming very popular and are being used to support many of the day to day activities in large organizations. One of the major problems with workflow systems is that they often use heterogeneous and distributed hardware and software systems to execute a given activity. This gives rise to decentralized security policies and mechanisms, which, in order to enable activity execution, give too many privileges to agents (humans or systems) for executing the work. We develop the concept of least privilege, wherein the set of agents are given just enough privileges to complete the given activities. We develop our concepts in the context of CapBasED-AMS (Capability-based and Event-driven Activity Management System). CapBasED-AMS deals with the management and execution of activities. An activity consists of multiple inter-dependent tasks (atomic activities, each executed by a single agent) that need to be coordinated, scheduled and executed by a set of agents. We formalize the concept of least privilege and present algorithms to statically assign least privilege assignment to the agents. We develop the concept of dynamic least privilege enforcement, wherein an agent is given its privileges only during the duration of the task for which those privileges were assigned. Finally, we introduce a metric, security risk factor and use it to evaluate the trade-off between least privilege and resilience to agent failure.