A security model is a mathematical, or logical,
expression of a set of security policies. It is a diagrammatic,
schematic, or tabular construct of the rules derived from
security policies that deals with security levels (of information,
of people, and of processes), and the interplay between the
various types of security levels. The interplay takes place
in accordance with well-defined rules, which determine whether
information should be allowed to flow, or be restricted, whenever
a person or a process tries to access the information.
A security model takes security policies as input, and develops
mathematical formulae and relationships between the objects.
These formulae and relationships are built into data structures
and mapped according to the policy requirements. After the
security policies have been written, and the security models
are ready as part of the Enterprise Security Architecture
(ESA), the process of writing program code or procuring vendor
solutions can begin.
A system can be secure only if its security model is based
on logically sound premises, because the security features are built
into operating systems, database systems, applications, etc.,
on the basis of their security models. Further, the user has
to ensure that the system is appropriately configured to get
the full benefit of its security model, since default settings
usually constitute a 'low security' version of the model.
There are several well-known security models, such as the
Bell-LaPadula model and the Biba model. These models represent
certain standard concepts for controlling accessibility, integrity,
etc., of information systems.
The Bell-LaPadula model is meant for information systems,
where secrecy is of prime importance. On the other hand, the
Biba model is suitable where integrity is more important.
For example, if a timetable for passenger trains is to be
made available online, then thousands of people should be
able to access the database, often simultaneously. There would
be no need for confidentiality, but there would be the highest
possible need for integrity in the system.
In the above example, the data should never get corrupted
(intentionally or accidentally), either at its primary storage
location, or at the terminals where it is displayed, or even
during intermediate stages of processing or transit through
networks. Stringent requirements of integrity have to be met,
despite the huge volumes of public network access at high
speeds and in various processed formats. Evidently, an integrity
model, rather than an access control model, will be used for
building and operating this railway timetable.
An ESA usually has different security models co-operating
within the system. For example, an enterprise may have several
databases, built on different security models.
Security models have many benefits. Principally, they establish
benchmarks, and ensure optimum utilisation of resources, by
incorporating the right kinds of security for different bodies
of information. This happens at the machine level, network
level, and enterprise level.
Since there is never a single model that can meet all kinds
of security requirements, 'best fit' solutions have to be
designed, based on organisational requirements.
The Concept
All information security models use the terms 'subject'
and 'object'.
A 'subject' is an entity, such as a person, process, or device,
which accesses or uses information from the system. An 'object'
is the information, or a piece of a larger body of information,
which is accessed by a 'subject.' An 'object' may be a 'subject'
in another situation or context, and vice versa.
Types of Security Models
The important types of information security models are access
control models, integrity models, state machine models, information
flow models and non-interference models.
Different types of information security models use different
philosophies for looking at subjects and objects, and also
for grouping and classifying them, and for controlling their
interactions.
A specific model, which may be a well-known model or a model
designed for a particular organisational environment, usually
has features from different types of information models. For
example, the Bell-LaPadula model is largely an access control
model, but it is also based on the state machine model.
Access control models
Access control models use sets of rules, which permit or deny
access for a subject to an object. This ensures that information
does not fall into the wrong hands. The process involves a subject
requesting an object. The permission or denial of access
to the object depends upon the 'right' that the subject possesses.
Access control models can be broadly classified into Mandatory
access control (MAC) and Discretionary access control (DAC).
Mandatory access control models use the concept of 'labels,'
which describe the confidentiality level (or security clearance)
of a subject or an object. Access is then controlled as per
the labels (or confidentiality levels/security clearances).
Discretionary access control models enable the owners of system
resources to specify the subjects, and the rights of the subjects
to objects. 'Discretionary access control' enables rights
to be assigned as per the discretion (or choice) of the owner
of the resource. It provides the owner with a degree of flexibility
in exercising access control.
For example, Windows 2000 provides discretionary access control
through Active Directory (AD) and Access Control Lists (ACLs).
Similarly, Linux also provides discretionary access control.
The important access control models are the access matrix model,
the Take-Grant model and the Bell-LaPadula model.
Integrity models
Integrity models focus on reliability, consistency, and correctness
of data. This is achieved by protecting data from modification
by unauthorised users, protecting data from unauthorised modification
by authorised users, and maintaining consistency of data.
Integrity models ensure that data remains in its intended state.
In other words, the desired state of the data should not change,
whether through malicious intent, by mistake, or due to events
beyond the control of a user.
Integrity models classify data into integrity levels, and
provide appropriate integrity protection between and within
the different levels.
The important integrity models are the Biba integrity model and
the Clark-Wilson integrity model.
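The access control and integrity rules described above, as an added example that is not part of the article: a small reference monitor in Python that applies the Bell-LaPadula and Biba rules to one constructed label ordering and replays the railway timetable scenario, showing that the confidentiality rules would deny the public a read but permit a blind write, the opposite of what the timetable needs. The label names, the ordering and the scenario are assumptions made for the example.

```python
# Added example, not from the article: one reference monitor that applies the
# Bell-LaPadula (confidentiality) and Biba (integrity) rules to the same
# label ordering. The labels and the timetable scenario are constructed.
from typing import Dict

LEVELS: Dict[str, int] = {"low": 0, "medium": 1, "high": 2}

def dominates(a: str, b: str) -> bool:
    """True when label a is at least as high as label b in the ordering."""
    return LEVELS[a] >= LEVELS[b]

def bell_lapadula(subject: str, obj: str, op: str) -> bool:
    """Confidentiality: 'no read up' (simple security property) and
    'no write down' (*-property). Here 'high' means more secret."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")

def biba(subject: str, obj: str, op: str) -> bool:
    """Integrity: 'no read down' (simple integrity) and 'no write up'
    (integrity *-property). Here 'high' means more trustworthy; the
    rules are the mirror image of Bell-LaPadula's."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(f"unknown operation {op!r}")

def timetable_decisions() -> Dict[str, bool]:
    """Constructed scenario: the timetable object is labelled 'high'
    (high integrity under Biba, highly secret under Bell-LaPadula);
    the public is 'low' and the scheduling office is 'high'."""
    return {
        "public reads timetable [Biba]": biba("low", "high", "read"),           # allow
        "public writes timetable [Biba]": biba("low", "high", "write"),         # deny
        "office writes timetable [Biba]": biba("high", "high", "write"),        # allow
        "public reads timetable [BLP]": bell_lapadula("low", "high", "read"),   # deny
        "public writes timetable [BLP]": bell_lapadula("low", "high", "write"), # allow
    }

if __name__ == "__main__":
    for request, allowed in timetable_decisions().items():
        print(f"{request:34} -> {'allow' if allowed else 'deny'}")
```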
State machine model
The state machine model captures the current state of a system,
and compares it with the state at a later time, to determine
whether a security violation has occurred in the interval.
It looks at users, states, state commands, and outputs. It
represents a transition from one state to another as a change
in the state variables.
A state machine model considers a system to be in a secure
state when no security breach occurs during a state transition.
In other words, a state transition should occur only by intent;
otherwise it is a security breach.
Information flow models
Information flow models deal with controlling the flow of
information, so as to ensure that there are no leakages during
the movement of data.
Leakages need to be prevented, whether information is flowing
within a security level, or between different levels. Usually
this is done by permitting flows only in specified directions,
since a leakage is nothing but a flow in an unwanted direction.
The components of information flow models are objects (each with
a class and a value), state transitions (modifications of the current
state) and a lattice (the flow policy).
An example of an information flow model is the Sutherland
model.
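The lattice flow policy described above, as an added example that is not part of the article: a Python model in the style of Denning's information flow lattice, where a label is a (level, categories) pair, a flow is permitted only upward in the lattice, and data derived from two sources carries the join of their labels. The levels, categories and values are constructed assumptions, not taken from the Sutherland model.

```python
# Added example, not from the article: a flow-policy lattice in the style of
# Denning's information flow model. Labels are (level, set of categories);
# information may flow only 'upward', and derived data carries the least
# upper bound (join) of its sources' labels. All values are constructed.
from typing import Callable, Dict, FrozenSet, Tuple

Label = Tuple[int, FrozenSet[str]]
UNCLASSIFIED, CONFIDENTIAL, SECRET = 0, 1, 2   # constructed levels

def label(level: int, *categories: str) -> Label:
    return (level, frozenset(categories))

def can_flow(src: Label, dst: Label) -> bool:
    """src -> dst is permitted only if dst dominates src: its level is at
    least as high AND it carries every category that src carries."""
    return dst[0] >= src[0] and dst[1] >= src[1]

def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that both a and b may flow to."""
    return (max(a[0], b[0]), a[1] | b[1])

class Tagged:
    """A value that carries its label through computation."""
    def __init__(self, data: int, lbl: Label) -> None:
        self.data, self.label = data, lbl

def combine(x: Tagged, y: Tagged, fn: Callable[[int, int], int]) -> Tagged:
    return Tagged(fn(x.data, y.data), join(x.label, y.label))

def store(value: Tagged, sink: Label) -> bool:
    """Reference monitor for a write: allow only if the sink dominates the value."""
    return can_flow(value.label, sink)

def demo() -> Dict[str, object]:
    crypto = Tagged(7, label(SECRET, "crypto"))
    nuclear = Tagged(5, label(CONFIDENTIAL, "nuclear"))
    total = combine(crypto, nuclear, lambda a, b: a + b)  # label is joined
    return {
        "derived label": total.label,                                                     # (2, {crypto, nuclear})
        "to secret/crypto sink": store(total, label(SECRET, "crypto")),                   # False: sink lacks 'nuclear'
        "to secret/crypto+nuclear sink": store(total, label(SECRET, "crypto", "nuclear")),  # True
        "to unclassified/all sink": store(total, label(UNCLASSIFIED, "crypto", "nuclear")), # False: level too low
        "nuclear alone to secret/nuclear": store(nuclear, label(SECRET, "nuclear")),      # True: upward flow
    }
```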
Non-interference model
Developed by Goguen and Meseguer in 1982, the non-interference
model keeps activities at different security levels separated
from each other, instead of permitting restricted flows between
them. This model minimises leakages that may occur through
covert channels, by maintaining complete separation (non-interference)
between security levels.
A user at a higher security level cannot interfere, in any
way, with the activities at a lower level. As a result, the
lower level cannot possibly get any information from the higher
level.
One of the major limitations of the non-interference model
is the premise that a lower-level input cannot, by itself,
generate a higher-level output. This assumption is often incorrect.
For example, a cryptographic process can transform low-security
data into high-security data.
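The separation property described above, as an added example that is not part of the article: a Goguen-Meseguer style non-interference check in Python on a constructed two-level system, comparing what the low level observes after a trace with what it observes after every high action has been purged. It assumes that the success or failure of low's own lock requests is its observable output; one variant gives each level a private lock and passes, the other shares a single lock and fails, which is exactly the kind of covert channel the model is meant to rule out.

```python
# Added example, not from the article: a Goguen-Meseguer style check of
# non-interference on a constructed two-level system. The system is
# non-interfering if the output seen by 'low' after a trace equals the output
# seen after the same trace with every 'high' action purged.
from typing import Callable, Dict, List, Tuple

Action = Tuple[str, str]          # (level, command), constructed encoding
Trace = List[Action]

def run(trace: Trace, shared_lock: bool) -> List[Tuple[str, bool]]:
    """Execute the trace and return only what 'low' observes: whether each
    of its own lock/unlock commands succeeded. High never writes low data."""
    holder: Dict[str, str] = {}   # resource -> level currently holding it
    low_view: List[Tuple[str, bool]] = []
    for level, cmd in trace:
        res = "global" if shared_lock else level   # one lock for all, or one per level
        if cmd == "lock":
            ok = holder.get(res) in (None, level)
            if ok:
                holder[res] = level
        elif cmd == "unlock":
            ok = holder.get(res) == level
            if ok:
                del holder[res]
        else:
            raise ValueError(f"unknown command {cmd!r}")
        if level == "low":
            low_view.append((cmd, ok))
    return low_view

def purge(trace: Trace, level: str = "high") -> Trace:
    """Remove every action of the given level, as in the GM definition."""
    return [a for a in trace if a[0] != level]

def non_interfering(system: Callable[[Trace], object], traces: List[Trace]) -> bool:
    """High does not interfere with low if purging high's actions never
    changes what low observes, over every supplied trace."""
    return all(system(t) == system(purge(t)) for t in traces)

TRACES: List[Trace] = [   # constructed test traces
    [("high", "lock"), ("low", "lock"), ("high", "unlock"), ("low", "lock")],
    [("low", "lock"), ("low", "unlock")],
    [],
]

def results() -> Dict[str, bool]:
    return {
        "per-level locks": non_interfering(lambda t: run(t, False), TRACES),  # True
        "shared lock": non_interfering(lambda t: run(t, True), TRACES),       # False
    }
```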