CSSLP Tutorial: Security models dictate how a system will enforce security policy.
There are several security model types. So, depending on which we decide to choose, our system architecture can then reflect the security policy and the mechanisms to support that policy. The ones that are listed are just a couple out of the many others in the world that others have created. This set are just a few of the better known models. They are the Bell-Lapadula, Biba Integrity Model and the Clark-Wilson commercial model.
CSSLP Tutorial: The Bell-Lapadula is a better known model
That most people find makes the most sense. Since we are in a confidentiality-driven world and this particular model was developed for the US government to protect US secrets, then it fits in nicely with our expectation of what a security model system should look like. There are three basic rules involved. There’s plenty of other, periphery rules and information with this model. However, distilling it down to the most basic and important rules or properties, there’s three that exhibit the essence for what this model is about. The first rule is called the simple security property (SSP). The simple security property says “no read up”, meaning that if a person is classified at secret level, they are not to read the top secret level. It’s a level above their paygrade. This is in accordance with what we’d expect that the individual wouldn’t be able to read information above their boundary. We are used to working in environments that enforce confidentiality, so this property makes sense.
CSSLP Tutorial: The second rule or property of the Bell-Lapadula model is
The *-security property and that states basically “no write down”. This means a top secret clearance person cannot take a top secret file and reclassifying it as a secret file. It prevents from making an upper level person making secrets available to those who are below. This again enforces confidentiality.
CSSLP Tutorial: The third rule or property for the Bell-Lapadula is the strong * property.
This says “no read/ write either up or down”. In other words, stay where you are and there’s not any reading , writing for levels that are other than your own. The Bell-Lapadula makes sense to most people in its properties because we’re used to working in confidentiality environments. There’s other working environments which may not enforce the same thing, so we’d have to use a different model for those differing environments.
The confidentiality model is the Bell-Lapadula and although it is quite good, doesn’t satisfy every need of every business out there. Let’s take the Bell-Lapadula model and flip it on its head, to discuss a completely different model which is called the Biba Integrity model. The big thing about the Biba model is that the goal is totally and completely different. It’s goal is integrity. We will enforce integrity rather than confidentiality in this system.
CSSLP Tutorial: The Biba Security Model is designed to protect the integrity of the knowledge base.
The first rule is “no read down”. Reading down is untrusted. Information at a lower level is not as trustworthy as information at a higher level. In other words, it’s like reading a second-grader’s response to a newsworthy item as compared to a Cabinet member’s response. No disrespect on the second-grader, but most kids at that age haven’t travelled much and have a more limited viewpoint on a topic. Whereas, the Cabinet member might be reflecting on the nation’s foreign policy, our fiscal policy, and just the knowledge base alone of that Congress does as compared to the Executive function and the Judicial function and so what role would they play in the issue. So, the Cabinet member shouldn’t read the second grader’s responses as if they are all factual and base their decision solely on that one piece of news. This is what is meant by the “no read down” and the lower level of security clearances not being as trustworthy of information as the higher levels’ knowledge base.
The *-integrity axiom is like the *security property on the previous level but it says “no write up”.This means that the lower level of intelligence shouldn’t be reclassifying files at a higher security clearance than what they are at. So, if you are at the secret level of clearance, you should not be reclassifying files as top secret because it is a level above what your clearance level is. It’s all about protecting the information, keeping the data accurate and ensuring its integrity. There’s a third property or rule referred to as the invocation property. This property says there’s no read nor write up. It is pretty close to what was the strong * property in the Bell-Lapadula model. It doesn’t enforce what you can do down. It’s merely a “no read or write up”. So you at a secret level cannot read at top secret file, nor may you reclassify a file and write it for a higher level than what you already work at. So, the Bell-Lapadula is for protecting secrets and protecting confidentiality while the Biba is about maintaining and protecting the integrity of the data.
CSSLP Tutorial: The first commercial model that we’re going to talk about is the Clark-Wilson model.
There’s other ones available, but we’re going to focus on the Clark-WIlson model.This model is an integrity model where it enforces well-formed transactions throughout the use of the access triple. In other words, keep people out of your stuff or they’ll break them. So, to prevent other people from accessing your trusted resources directly, force them through a trusted interface.For example, when we go to Amazon and make a purchase. Does the company make their database directly to the buyer? Are we given the password and then we can inadvertently remove the item off of their inventory? Not very likely. They instead give a front application that forces the user to interface with it. This keeps the user away from the back end and away from your trusted resource. Something called an API or application programming interface, does this exact job, of preventing the users from interacting directly with the back end application. The definition for Clark-Wilson Model is that it enforces well-formed transactions through the use of the access triple.
CSSLP Tutorial: The access triple is the user, interface, and the backend database or data item we are wanting to protect.
There are rules to help protect the trusted resource and keep it away from the untrusted elements. You can see how there’s a separation of duties and a prevention of conflict of interest. This model helps to reduce or prevent altogether, an abuse of power. There’s three integrity goals when using this model. First, is the prevention of unauthorized users from making modification of the application or of the system you are building. Second, is the prevention of authorized users making improper modifications. Third, is that there is a maintained internal and external consistency so as to reinforce separation of duties.The purpose of this third model, the Clark-WIlson is that it enforces integrity by preventing the user to come into direct contact with the program. Regardless of which security policy (and so then which model we choose), as we are building our system architecture, there is another element of system design that we have to think about. That design element is to what degree do we want our system to provide. We have to think about access control models.
Some systems are designed to be more user-friendly and promoting sharing. Other systems are designed more to protect confidentiality of information and reduce sharing of information. Depending on what are ultimate goals are for the system will help us to discern which type of access control model we will choose.There are three that are discussed here. The first is the DAC, which is the Discretionary Access Control. The second is the MAC or Mandatory Access Control and the third is Role-Based Access Control. Depending on your goals, you might choose one of these three.
CSSLP Tutorial: The first access control model we will discuss is the DAC,
Which is discretionary access control system. This like what any client-based operating systems would be like, for example, your windows system application. The security of the object depends on the discretion of the object’s owner. Security can be a little concerning with this model, but the idea is that it’s designed for an environment that promotes sharing. It’s meant to be used in that environment where it’s easy to use. The DAClist is an identity based system. You are given the user account based on your identity, based on who you are. You get an account like LaraG or LGossage where the user account is tied to the identity of the individual. Like with windows having multiple users on one application and each username is according to their actual name. Windows isn’t the only one because there are versions of this same concept in Linux and Minix and so on.
CSSLP Tutorial: Instead of an environment of sharing, there are other working environments.
For example, in a more secure environment where the security system is protecting confidentiality, then there is the Mandatory Access Control (MAC), These systems are used by the government or those systems that need to enforce a higher level of confidentiality than what the DAC can provide. The heart and soul of this element is labels. So, when a user object in a MAC environment is created, they get a label. So, if a person has secret level of clearance and there’s a folder with the label Top Secret, we wouldn’t expect the lower level clearance to have access to that higher level folder. So, the decision as to accessing the data in a mandatory-controlled environment is based on labels. The subject’s label must dominate the object’s label. So, it prevents from someone to access files that are above their level of intelligence clearing. The labels of the MAC system are rigid and a part of a formalized process. It is the OS that compares the labels and makes the decisions.
Another environment which is good for enforced rights and such are what’ called the role-based access control (also known as RBAC’s). The RBAC helps us with what’s known as privilege or authorization creep. Privilege creep is the gradual accumulation especially as related to information technology, of access rights. For example, when a database administrator has an identified permission or right that continues even though that administrator is finished with that particular project. As a metaphor, a custodial staff member has a key – key A for unlocking and cleaning in building A. Then, finished that project and goes on to get key B for unlocking and cleaning in building B. Then goes on with key C and uses that for cleaning in building C. So, the custodian has three keys even though only needs the last one, since that’s the building he’s currently working. The missed step is in retrieving the keys A and B back from him.
The same thing can happen when you have users in an environment. This would be when the database administrator of database A is working on that and to avoid this creep problem, when finished need to then have their credentials revoked for database A since finished on that specific project. As opposed to using identity based access control as in the DAC, the role-based system ties the account you are able to access to what the function you serve in the organization. So, with that particular function gets a set of rights and permissions specific to that role. SInce they are tied to the role cannot be change person by person. Instead, the person gets a new role, then they get a new role account with a new set of permissions and privileges. There wouldn’t be the heaped or accumulation of rights which is what would happen in an identity – based setup of accounts.
CSSLP Tutorial: So those are the three main security models discussed with the Bell-Lapadula, the Biba Integrity Model and the Clark-Wilson model.
Then, there are three access control models. They are the DAC, MAC and RBAC. The DAC is where the security is at the discretion of the owner. The MAC is where security decisions are based on labels. The RBAC is a good means to provide a high-end tight security as well as preventing authorization creep . So those are the security models I would consider when I am designing a system.