Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Oct 30, 2012

SMotW #30: access control matrix status

Security Metric of the Week #30: status of logical access control matrices for computer applications

The idea behind this metric was to ask application development and support teams, application owners and/or other suitable people to assess the status of logical access control matrices for a range of application systems, perhaps comparing and ranking them.  

Right up-front, we're making the bold assumption that they understand the term "access control matrix".  In practice we might need to explain it and help them work out the basis on which to judge how good or bad each one is.

In the hypothetical Acme Inc context, the PRAGMATIC score for this metric works out at 50%:

| P | R | A | G | M | A | T | I | C | Score |
|---|---|---|---|---|---|---|---|---|-------|
| 70 | 50 | 60 | 60 | 88 | 25 | 40 | 20 | 40 | 50% |

Although the access control matrix status is a reasonable Predictor of the quality of an application's access control, that is only one component of application security, and a rather small part of information security as a whole, hence the Relevance score is not so hot.

The metric is fairly Actionable in the sense that poor scores indicate a need to improve on the way access control matrices are used.  However, it may not be clear how to go about making improvements purely on the strength of the metric.  One approach is to share good practices from high-scoring secure applications with the low-scoring ones, which is fine so long as the systems are comparable and someone is able to identify which practices are good.

The metric is fairly Genuine in that it is hard to justify a high measure for an application that patently lacks an effective access control matrix (e.g. it doesn't have one at all, or it is undocumented, out of date, incomplete or a total mess).  On the other hand, an assertive application/information asset owner may well be upset at his/her system being scored lower than those of his/her peers but, instead of actually improving the access controls, respond by applying pressure to those who generate the data for the metric.  The potential conflicts of interest of the measurers also depress the Independence rating.

The surprisingly high rating for Meaning reflects the above-stated assumption that people are broadly familiar with the concept, plus the fact that 'status of the access control matrices' is much simpler and easier for people to understand than logical access controls in general or application security as a whole.  The access control matrix is clearly just one element, but in our experience, it is a reasonable indicator of application security.  To put that another way, few secure application systems lack one, and most highly secure application systems have well-developed access matrices that are actively maintained and used.

The ratings for Accuracy, Timeliness and Cost-effectiveness are low due to the amount of time and effort it would take to gather meaningful measures from the range of people envisaged.