Laissez-Faire File Sharing
Total Page:16
File Type:pdf, Size:1020Kb
Laissez-faire file sharing Access control designed for individuals at the endpoints Maritza L. Johnson Steven M. Bellovin Columbia University Columbia University [email protected] [email protected] Robert W. Reeder Stuart E. Schechter Microsoft Microsoft Research [email protected] [email protected] ABSTRACT 1. INTRODUCTION When organizations deploy file systems with access con- Despite decades of research into shared file systems, email trol mechanisms that prevent users from reliably sharing remains an enormously popular way to share files. Prior files with others, these users will inevitably find alternative research has shown that email is used more frequently than means to share. Alas, these alternatives rarely provide the other sharing mechanisms [5, 29] and that many users choose same level of confidentiality, integrity, or auditability pro- email as their primary sharing mechanism [31]. Our anecdo- vided by the prescribed file systems. Thus, the imposition tal experiences at Microsoft align with these findings; even of restrictive mechanisms and policies by system designers those individuals and groups we work with that primarily and administrators may actually reduce the system’s secu- use shared file systems (shared folders or SharePoint) in- rity. evitably resort to email attachments when access controls We observe that the failure modes of file systems that en- interfere with sharing. force centrally-imposed access control policies are similar to Like many before us, we set out to enumerate the user re- the failure modes of centrally-planned economies: individu- quirements that lead users to circumvent the file sharing sys- als either learn to circumvent these restrictions as matters of tems prescribed by their organizations. This effort was part necessity or desert the system entirely, subverting the goals of a larger effort to retrofit an existing file sharing system to behind the central policy. better meet the needs of individual knowledge workers; our We formalize requirements for laissez-faire sharing, which goal was to make Windows shared folders as easy to use as it parallel the requirements of free market economies, to bet- is to attach files to email. As we enumerated the needs of in- ter address the file sharing needs of information workers. dividual knowledge workers we discovered surprising resem- Because individuals are less likely to feel compelled to cir- blances to the economic freedoms and other requirements cumvent systems that meet these laissez-faire requirements, that are essential to empowering individual workers in mar- such systems have the potential to increase both productiv- ket economies. These economic parallels provide theoretical ity and security. grounding not only to explain recent survey and interview results, but also to show that this circumvention of centrally- managed access control is inevitable. Categories and Subject Descriptors Indeed, both centrally-planned command economies and K.6 [Management of Computing and Information Sys- file sharing systems with centralized access control share tems]: System Management, Security and Protection, Eco- similar failure modes. Centrally-managed policies hinder in- nomics; H.1.2 [Models and Principles]: User/Machine dividual productivity and give individuals less incentive to Systems—Human Factors participate in the system. As a result many individuals ei- ther flee the system or subvert central planners as a matter of General Terms necessity. In centrally-planned economies the consequences of failures include lost productivity, emigration, and the loss Security, Human Factors, Economics, Management of goods to underground markets. When users opt for alternatives to organizations’ prescribed Keywords systems for storing and sharing files, the organization will File sharing, access control management no longer be able to audit who has accessed the files, en- sure these files are stored in a secure manner, back up files, or otherwise protect their integrity. Thus, overly restric- tive access control policies may negatively impact not only Permission to make digital or hard copies of all or part of this work for productivity, but security as well. personal or classroom use is granted without fee provided that copies are For example, restrictions on where shared data can be not made or distributed for profit or commercial advantage and that copies accessed often lead users to a dangerous circumvention of bear this notice and the full citation on the first page. To copy otherwise, to these policies: storage of data on laptops. Of the 570 data republish, to post on servers or to redistribute to lists, requires prior specific breaches reported to the Open Security Foundations DAT- permission and/or a fee. NSPW’09, September 8–11, 2009, Oxford, United Kingdom ALOSSdb in 2008, 116 (20%) were attributed to information Copyright 2010 ACM 978-1-60558-845-2/09/09 ...$10.00. stored on laptops that were stolen, resulting in an aggregate We formalize each of the requirements that define laissez- loss of 2.6 million individual records [18].1 faire sharing in Section 2, presenting each requirement with USB sticks are another example of a mechanism for shar- its economic analog. As we present each requirement we ing and transporting data that is attractive for its flexibil- describe how email-based file sharing fares in meeting it. ity when compared to overly-restrictive file sharing systems. In Section 3 we detail an ongoing effort to layer laissez- Alas, USB memory sticks are easily lost and pose a growing faire email-based sharing on top of Windows folder sharing. malware threat [27], yet when Beautement et al. interviewed We explain how the underlying architecture and deployment 17 employees of both HP Labs and Merrill Lynch about their choices of desktop/workstation file systems impose barriers use of USB memory sticks, all reported using them [2]. The that interfere with our attempts to overlay a laissez-faire participants from Merrill Lynch reported using these sticks model. In Section 4 we discuss how users’ circumvention of for the purpose of transporting information. file sharing technologies that fail to meet these laissez-faire A particularly dangerous workaround for access control requirements drives an evolutionary process away from cen- restrictions is to share a password or other credential for an tralized access control. We discuss further related work in authorized account (e.g., your own) with the intended dele- Section 5 and conclude in Section 6. gate. In interviews with students and technology workers by Weirich and Sasse, participants reported sharing passwords when they deemed it necessary to complete their work [30]. The temptation to circumvent policy that overly restricts 2. DEFINING LAISSEZ-FAIRE SHARING productivity can also be seen in the U.S. nuclear weapons complex. Tober and Hoffman’s book on the Wen Ho Lee Laissez-faire sharing is defined by five properties – own- case [28, p. 294] quotes a weapons physicist explaining ways ership, freedom of delegation, transparency, dependability, “to circumvent some laws we thought were too restrictive, and minimization of friction – which we will now define in to get some work done.” detail. After introducing the definition of each property we Even when secrets of national security are at risk, the will discuss its analog in economics and work an example, costs of access controls that fail to meet the needs of knowl- examining how email-based file sharing fares in achieving edge workers may outweigh the benefits. The fundamental the desired property. assumption of many security practitioners, “that the risk of Ownership inadvertent disclosure outweighs the benefits of wider shar- The owner of a document, initially the individual ing” was faulted by the National Commission on Terrorist who creates it or first introduces it into a sharing Attacks Upon the United States (a.k.a. The 9-11 Commis- system, must not be required to sacrifice rights in sion) in its investigation of why the U.S. intelligence commu- order to add the file into the system. nity failed to discover the 9/11 plot [17]. It concluded that In a market economy, private property rights provide an these “Cold War assumptions are no longer appropriate.” incentive for production: the introduction of goods into the We are not the first to observe the connection between economic system through labor. When individuals do not central planning in economies and in information sharing enjoy the fruits of their labor underground markets inevitably systems. Jimmy Wales, co-founder of Wikipedia, reports emerge to compete with those that are officially sanctioned. being influenced by Nobel Economics Laureate Friedrich In file systems, similar competition exists among prescribed Hayek’s classic essay The Use of Knowledge in Society [8], in file sharing mechanisms and unsanctioned mechanisms. In- which Hayek argues that centrally-planned economies were formation workers may have the opportunity to store their inherently inefficient because only individuals “on the spot” work on a file system local to their device, a portable storage (or at the “endpoints”, in the networking parlance used by device, the shared file system provided by their organization, Wales) maintained the local knowledge necessary to make or even systems external to the organization for which they decisions [13, 23]. Hayek’s arguments have made Wales wary are working. These individuals are less likely to choose to of attempts to change Wikipedia in ways that would “cen- introduce a document into a prescribed file sharing system tralize something that can be left decentralized” [23], includ- if doing so necessitates forfeiting rights, such as the right ing access control. to easily access the file from the location or device of their We argue that Hayek’s arguments for moving control to choosing. For example, if the owner of a file cannot access the endpoints is not only applicable to open systems like a file share from home, or if remote access is especially bur- Wikipedia, but can be applied more generally to include densome, he or she may instead store the file on a USB drive, closed systems as well.