Detecting permissions creep in access control

Digital Catapult
Published in Digital Catapult · May 9, 2019 · 4 min read

Simon Parkinson completed a residency with Digital Catapult researching permissions creep

During my time as Digital Catapult Researcher in Residence, I undertook research, guided by end-user consultation, into machine learning techniques for detecting irregular access control permissions without any prior knowledge (i.e., unsupervised techniques). This resulted in the development of a new modelling and learning technique, which was applied to Microsoft’s New Technology File System (NTFS) permissions as a case study. Known as Creeper, this new software automatically reviews access control permissions across a network and alerts you when a user appears to hold permissions that are not appropriate to their current role.

I undertook extensive empirical analysis on benchmark datasets as well as real commercial implementations, achieving an average detection accuracy of 97%. The software (including source code) was then publicly released so that end-users can download and utilise the underlying research.

The residency offered me the opportunity to explore an area I believe could be a significant security concern in an environment where I could easily access a much broader range of industry stakeholders than I would ordinarily meet in academic circles.

What is permissions creep?

Employees within organisations often change job role as their careers progress. When this happens, it is usual for new permissions to be added in an ad hoc way to match the needs of the new role. Similarly, new permissions are often given when a user is assigned to a temporary role, but they are not revoked after the role is finished. Organisations are rigid in assigning user permissions when creating new user accounts and follow standard operating procedures; they often have a structured (and probably automated) process for enrolling new users. Elevating user privileges at these other times, by contrast, is often done by system administrators who make the change based on their own experience and analysis of what is needed to permit the required actions.

Privileges that are escalated but not removed in good time cause privilege creep. The same applies to file system permissions: a user may retain access to many resources that are no longer required for their new job. The security concern with privilege creep is that a user can effectively end up with an accumulation of permissions that grants an unnecessarily high level of access.
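The following is an added illustration, not Creeper's own code or algorithm: it applies the idea above to a constructed inventory of share permissions and flags rights that a user's role peers mostly lack, using the peer group itself as the reference rather than any labelled examples. Paths, rights and the majority threshold are invented for the example.

```python
from collections import Counter

# Constructed sample inventory (not real data): user -> (current role,
# set of (share path, NTFS right)). carol kept HR rights after a temporary role.
USERS = {
    "alice": ("finance", {(r"\\fs\finance", "Modify"), (r"\\fs\shared", "Read")}),
    "bob":   ("finance", {(r"\\fs\finance", "Modify"), (r"\\fs\shared", "Read")}),
    "carol": ("finance", {(r"\\fs\finance", "Modify"), (r"\\fs\shared", "Read"),
                          (r"\\fs\hr", "FullControl")}),
    "dave":  ("hr", {(r"\\fs\hr", "Modify"), (r"\\fs\shared", "Read")}),
    "erin":  ("hr", {(r"\\fs\hr", "Modify"), (r"\\fs\shared", "Read")}),
}


def peer_baseline(users, role, exclude, threshold=0.5):
    """Permissions held by a strict majority (more than `threshold`) of the
    role's *other* members. The user under review is left out so that their
    own stale rights cannot vote themselves into the baseline.
    Returns None when the user has no peers to compare against."""
    peers = [perms for name, (r, perms) in users.items()
             if r == role and name != exclude]
    if not peers:
        return None
    counts = Counter(p for perms in peers for p in perms)
    return {p for p, n in counts.items() if n / len(peers) > threshold}


def find_creep(users, threshold=0.5):
    """Map each user to the permissions their role peers mostly lack.
    Lone role holders are skipped rather than guessed at."""
    findings = {}
    for user, (role, perms) in users.items():
        baseline = peer_baseline(users, role, user, threshold)
        if baseline is None:
            continue  # no peers in this role: cannot assess
        extra = perms - baseline
        if extra:
            findings[user] = extra
    return findings


if __name__ == "__main__":
    for user, extra in find_creep(USERS).items():
        for path, right in sorted(extra):
            print(f"{user}: {right} on {path} is not shared by role peers")
```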

Why is permissions creep a concern for industry?

Users with a higher level of permission than is necessary introduce significant security risks. For example, an employee can access and damage more data, should they decide to. More significant is the potential for malicious software to execute under the user’s credentials and therefore acquire the same access rights. This could result in ransomware being able to access and encrypt more data than if it were to execute under a lower level of permissions.

The key findings of the research

Based on experimental analysis performed in this Residency, the developed unsupervised technique achieves an accuracy of 96% and 98% in simulation and real-world analysis, respectively. The research was performed on a wide range of file systems, including testing with 5 key end-users. The research also highlighted the scale of the problem: no analytic solutions are currently available that audit file system permissions and identify instances of permission creep without the need for security expertise. More information can be found in a recently accepted article, Creeper: a tool for detecting permission creep in file system access controls.

How the Digital Catapult Residency supported this research

The residency was key to the success of this project as it provided a working environment in which stakeholders of the research were easily accessible for collaboration and knowledge exchange. As my research is driven by end-user need, being able to have frequent discussions and access to suitable testing environments was a key factor in the success of this project. The residency was carried out in Bradford, Yorkshire, with support also provided by the Digital Catapult team in London. There were many opportunities throughout the residency to attend and present at key events, such as the Yorkshire Enterprises Network annual networking event.

Since completing my residency, I have continued the development of my research, including pursuing different security applications where the underlying algorithms can be of benefit. One such avenue of research is security event analysis. Funding was obtained in 2018 from Innovate UK under its Cyber Security Academics Startup Scheme to explore the potential commercialisation of the research. The funding provided resources and support to research the market opportunity, perform validation, and develop a minimum viable product, which was demonstrated at a showcase event in January 2019.

Simon Parkinson was Researcher in Residence at Digital Catapult from 1 June 2017 to September 2017, focussing on the research and development of unsupervised machine learning to detect security vulnerabilities in access control policies.

Digital Catapult

Digital Catapult is the UK authority on advanced digital technology. www.digicatapult.org.uk