Panel on granularity in access control

This panel will address the following question. Does an increase in the granularity of access control systems produce a measurable reduction in risk and help meet the goals of the organization, or is the cost prohibitively high? After decades of access control research, products, and practice, there has been a trend towards more complex access control policies and models that more finely restrict (or allow) access to resources. This allows policy administrators to more closely specify any high level abstract policy they may have in mind, or accurately enforce regulations such as HIPPA, SOX, or PCI. The end goal is to allow only those actions that are desirable in hindsight, or via an approach to which Bishop et al. refer as the Oracle Policy. As the expressive power of access control models can vary, an administrator may need a more powerful model to specify the high level policy they need for their particular application. It is not uncommon for new models to add new key-attributes, data-sources, features, or relations to provide a richer set of tools. This has resulted in an explosion of new one-off models in the literature, few of which make their way to real products or deployment. To increase the expressive power of a model, increase its granularity, reduce the complexity of administration and to answer desirable security queries such as safety, a plethora of new concepts have been added to access control models. To name a few: groups and roles; hierarchies and constraints; parameterized permissions; exceptions; time and location of users and resources; relationships between subjects; attributes of subjects, objects, and actions; information flow; conflict of interest classes; obligations; trust, benefit, and risk; workflows; delegation; situational awareness and context; and so on. All of these constructs build to a meta-model, as Barker observes. This granularity has resulted in many novel and useful findings, new algorithms, and challenging open research issues, but poses potential problems as well. With granularity often comes complexity which manifests itself in specifying policies, managing and maintaining policies over time, and auditing logs to ensure compliance. This panel will discuss issues surrounding the problem of complexity in access control. From designing and specifying new models, designing enforcement mechanisms on real-world systems, policy lifecycle, and the role of analytics from automatically generating policies to auditing logs. So, is this complexity worth it? Does increasing the granularity produce a measurable reduction in the risk to sensitive resources and protect the goals of the organization or is the cost prohibitively high? Can we ever truly specify a "correct" and "complete" policy, which may be too dynamic and require the interpretation of the courts to decide, especially when policies are intended to enforce ambiguous regulations. Finally, at what cost should we strive for a perfect, fine-grained policy? Should more resources be places on recovery from security breaches than on prevention? Should we be "going for mean time to repair equals zero rather than mean time between failure equals infinity."