
"Shifting Access Control Left" using Asset and Goal Models

Shamal Faily

TL;DR

This work tackles the challenge of designing for access control early by surfacing knowledge asymmetries across stakeholders using asset models and KAOS goal models. It proposes a tool-supported technique that employs boundary objects to align assets, goals, and access-control policies, accompanied by a CAIRIS-based validation algorithm that flags access that is undefined in the policy, explicitly unauthorized, or a potential policy violation. The authors illustrate the approach with a PYRAMID component from a military air system, revealing missing policy statements and conflicts between policy and implementation. The paper contributes a practical, pluggable methodology for shifting access control left, discusses integration with threat modelling and CI/CD workflows, and outlines avenues for extending the technique to RBAC/ABAC and for broader empirical validation.

Abstract

Access control needs have broad design implications, but access control specifications may be elicited before, during, or after these needs are captured. Because access control knowledge is distributed, we need to make knowledge asymmetries more transparent, and use expertise already available to stakeholders. In this paper, we present a tool-supported technique identifying knowledge asymmetries around access control based on asset and goal models. Using simple and conventional modelling languages that complement different design techniques, we provide boundary objects to make access control transparent, thereby making knowledge about access control concerns more symmetric. We illustrate this technique using a case study example considering the suitability of a reusable software component in a new military air system.
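As an added illustration (not the paper's CAIRIS implementation, whose data model and rule definitions are not reproduced on this page), the Python sketch below shows the shape of a policy-versus-access-needs cross-check of the kind the TL;DR describes. It assumes that an access need is a (subject, resource, action) triple, as could be read off a class diagram annotated with access needs; that the policy is an allow/deny matrix between subjects and resources flattened to the same triples; and that "potentially violative" means an allow rule with no modelled need behind it (over-privilege), which is this example's interpretation rather than the paper's definition. The subjects, resources and rules are constructed and are not from the PYRAMID case study.

```python
"""Cross-check an access-control policy against modelled access needs.

Added example: this is NOT the paper's CAIRIS validation algorithm, only an
illustration of the kind of check it describes. Assumptions made here:
  - an access need is a (subject, resource, action) triple, as might be read
    off a class diagram annotated with access needs (cf. Figure 3);
  - a policy maps such triples to allow/deny, i.e. an access-rule matrix
    between subjects and resources (cf. Figure 2) flattened to triples;
  - "potentially violative" is interpreted as an allow rule with no matching
    need (over-privilege); the paper's own definition may differ.
The subjects, resources and rules below are constructed, not taken from the
PYRAMID case study.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True, order=True)
class Access:
    subject: str
    resource: str
    action: str  # e.g. "read" or "write"


def validate(policy: dict[Access, Decision], needs: set[Access]) -> dict[str, list[Access]]:
    """Return the three kinds of finding, each as a sorted list.

    undefined:           a need with no policy statement at all
    unauthorised:        a need the policy explicitly denies
    potential_violation: an allow rule that no modelled need justifies
    """
    findings: dict[str, list[Access]] = {
        "undefined": [], "unauthorised": [], "potential_violation": []
    }
    for need in needs:
        decision = policy.get(need)
        if decision is None:
            findings["undefined"].append(need)
        elif decision is Decision.DENY:
            findings["unauthorised"].append(need)
    for rule, decision in policy.items():
        if decision is Decision.ALLOW and rule not in needs:
            findings["potential_violation"].append(rule)
    return {kind: sorted(items) for kind, items in findings.items()}


# Constructed sample policy (allow/deny matrix flattened to triples).
POLICY = {
    Access("mission_planner", "route_data", "read"): Decision.ALLOW,
    Access("mission_planner", "route_data", "write"): Decision.ALLOW,
    Access("maintainer", "route_data", "write"): Decision.DENY,
    Access("maintainer", "sensor_log", "read"): Decision.ALLOW,
    Access("maintainer", "sensor_log", "write"): Decision.ALLOW,
}

# Constructed access needs, as if elicited from an asset/class model.
NEEDS = {
    Access("mission_planner", "route_data", "read"),
    Access("mission_planner", "route_data", "write"),
    Access("maintainer", "route_data", "write"),  # denied above -> unauthorised
    Access("maintainer", "sensor_log", "read"),
    Access("operator", "sensor_log", "read"),      # no statement -> undefined
}


def report(findings: dict[str, list[Access]]) -> str:
    """Render findings one per line, suitable for a CI log or a review note."""
    lines = []
    for kind, items in findings.items():
        for a in items:
            lines.append(f"{kind}: {a.subject} {a.action} {a.resource}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(validate(POLICY, NEEDS)))
```

Run as a script it prints one line per finding: the operator's read of the sensor log has no policy statement, the maintainer's write to route data is needed but denied, and the maintainer's write to the sensor log is allowed but nothing in the model needs it. Wiring a check like this into a pipeline (failing the build when any finding list is non-empty) is one concrete form the CI/CD integration mentioned in the TL;DR could take.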

Paper Structure

This paper contains 15 sections, 6 figures, 3 tables, and 1 algorithm.

Figures (6)

  • Figure 1: Knowledge asymmetries in a "secure by design" shell
  • Figure 2: Access rules between subjects (rows) and resources (columns)
  • Figure 3: A class diagram with access needs
  • Figure 4: KAOS goal model representing system requirements for data distribution
  • Figure 5: Legacy Data Distribution class model
  • ...and 1 more figure