Security Models

Security models help us to understand the sometimes-complex security mechanisms in information systems. Security models illustrate simple concepts that we can use when analyzing an existing system or designing a new one.

In this section we describe the time-honored concepts of confidentiality, integrity, and availability (known together as CIA, or the CIA Triad), and access control models.

Confidentiality

Confidentiality refers to the concept that information and functions should be accessed only by authorized subjects. This is usually accomplished through several means, including

- Access and authorization: Ranging from physical access to facilities containing computers, to user account access and role-based access controls, the objective here is to make sure that only those persons with proper business authorization are permitted to access information.

- Vulnerability management: This includes everything from system hardening to patch management and the elimination of vulnerabilities from web applications. What we’re trying to avoid here is any possibility that someone can attack the system and get to the data.

- Sound system design: The overall design of the system excludes unauthorized subjects from access to protected data.

- Sound data management practices: The organization has established processes that define the use of the information it manages or controls.

These characteristics work together to ensure that secrets remain secrets.

Integrity

Integrity refers to the concept that information in a system will arrive correctly and maintain that correctness throughout its lifetime. Systems housing the information will reject attempted changes by unauthorized parties or unauthorized means. The characteristics of data whose integrity is intact are:

- Completeness

- Timeliness

- Accuracy

- Validity

Some of the measures taken to ensure data integrity are

- Authorization: This refers to whether data has proper authorization to enter a system. The integrity of a data record includes whether it should even be in the system.

- Input control: This includes verifying that the new data entering the system is in the proper format and in the proper range.

- Access control: This is used to control who (and what) is permitted to change the data.

- Output control: This includes verifying that the data leaving the system is in the proper format.

All of these steps help to ensure that the data in a system has the highest possible quality.

Availability

Availability refers to the concept that a system (and the data within it) will be accessible when users want to use it. The characteristics of a system that determine its availability include:

- Resilient hardware design: Features may include redundant power supplies, network adaptors, processors and other components. These help to ensure that a system will keep running even if some of its internal components fail.

- Resilient software: The operating system and other software components need to be designed and configured to be as reliable as possible.

- Resilient architecture: We’re talking big picture here. In addition to resilient hardware design, we would suggest that other components have redundancy including routers, firewalls, switches, telecommunications circuits, and whatever other items may otherwise be single points of failure.

- Sound configuration management and Change Management processes: Availability depends not only on the components of the system itself but also on good system management practices. After all, availability means avoiding unscheduled downtime, which is often a consequence of sloppy configuration management and Change Management practices.

The CIA Triad includes the top three principles of information protection: Confidentiality, Integrity, and Availability.

Access Control Models

Models are used to express access control requirements in a theoretical or mathematical framework that precisely describes or quantifies real access control systems. Common access control models include Bell-LaPadula, Access Matrix, Take-Grant, Biba, Clark-Wilson, Information Flow, and Non-interference.

Bell-LaPadula, Access Matrix, and Take-Grant models address confidentiality of stored information. Biba and Clark-Wilson address integrity of stored information.

Bell-LaPadula

Published in 1973, the Bell-LaPadula model was the first formal confidentiality model of a mandatory access control system. (We discuss mandatory and discretionary access controls in Chapter 4.) It was developed for the U.S. Department of Defense (DoD) to formalize the DoD multilevel security policy. As we discuss in Chapter 6, the DoD classifies information based on sensitivity at three basic levels: Confidential, Secret, and Top Secret. In order to access classified information (and systems), an individual must have access (a clearance level equal to or exceeding the classification of the information or system) and need-to-know (legitimately in need of access to perform a required job function). The Bell-LaPadula model implements the access component of this security policy.

Bell-LaPadula is a state machine model that addresses only the confidentiality of information. The basic premise of Bell-LaPadula is that information can’t flow downward. This means that information at a higher level is not permitted to be copied or moved to a lower level. Bell-LaPadula defines the following two properties:

- Simple security property (ss property): A subject can’t read information from an object that has a higher sensitivity label than the subject (also known as no read up, or NRU).

- *-property (star property): A subject can’t write information to an object that has a lower sensitivity label than the subject (also known as no write down, or NWD).

Bell-LaPadula also defines two additional properties that give it the flexibility of a discretionary access control model:

- Discretionary security property: This property determines access based on an Access Matrix — more on that model in the following section.

- Trusted subject: A trusted subject is an entity that can violate the *-property but not its intent.

A state machine is an abstract model used to design computer programs; the state machine illustrates which “state” the program will be in at any time.

Access Matrix

An Access Matrix model, in general, provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. An Access Matrix consists of access control lists (columns) and capability lists (rows). See Table 9-1 for an example.

Table 9-1 (table not reproduced here)

Take-Grant

Take-Grant systems specify the rights that a subject can transfer to or from another subject or object. These rights are defined through four basic operations: create, revoke, take, and grant.
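As an added illustration (not code from the book), the four Take-Grant operations applied to a small protection graph, with the Access Matrix column (the object's access control list) derived from the resulting edges. The subjects, the object name and the starting rights are constructed for the example; 't' and 'g' stand for the take and grant rights.

```python
from collections import defaultdict

class TakeGrantGraph:
    """Protection graph: each edge (src, dst) carries a set of rights."""

    def __init__(self, edges=()):
        self.rights = defaultdict(set)
        for src, dst, rs in edges:
            self.rights[(src, dst)] |= set(rs)

    def has(self, src, dst, right):
        return right in self.rights[(src, dst)]

    def create(self, creator, node, rights):
        # Create rule: a subject creates a node and holds any rights over it.
        self.rights[(creator, node)] |= set(rights)

    def revoke(self, subject, target, right):
        # Revoke rule: a subject drops a right it holds. Copies already
        # taken or granted to other subjects are NOT recalled.
        self.rights[(subject, target)].discard(right)

    def take(self, x, y, z, right):
        # Take rule: x holds 't' over y and y holds `right` over z, so x gains it.
        if not (self.has(x, y, "t") and self.has(y, z, right)):
            raise PermissionError(f"{x} cannot take {right} on {z} via {y}")
        self.rights[(x, z)].add(right)

    def grant(self, x, y, z, right):
        # Grant rule: x holds 'g' over y and `right` over z, so x may pass it to y.
        if not (self.has(x, y, "g") and self.has(x, z, right)):
            raise PermissionError(f"{x} cannot grant {right} on {z} to {y}")
        self.rights[(y, z)].add(right)

    def capability_list(self, subject):
        # Row of the access matrix: everything `subject` may do.
        return {d: sorted(rs) for (s, d), rs in self.rights.items() if s == subject and rs}

    def access_control_list(self, obj):
        # Column of the access matrix: who may do what to `obj`.
        return {s: sorted(rs) for (s, d), rs in self.rights.items() if d == obj and rs}

def demo():
    # Constructed start state: alice may grant to bob, carol may take from alice.
    g = TakeGrantGraph([("alice", "bob", {"g"}), ("carol", "alice", {"t"})])
    g.create("alice", "payroll.db", {"r", "w"})
    g.grant("alice", "bob", "payroll.db", "r")    # bob can now read payroll.db
    g.take("carol", "alice", "payroll.db", "w")   # carol can now write payroll.db
    g.revoke("alice", "payroll.db", "w")          # carol's copy of 'w' survives
    return g.access_control_list("payroll.db")
```

The revoke step is the point to notice: once a right has been taken or granted onward, removing the original holder's edge does not pull it back, which is why Take-Grant is used to ask whether a right can ever leak to a given subject.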

Biba

Published in 1977, the Biba integrity model (sometimes referred to as Bell-LaPadula upside down) was the first formal integrity model. Biba is a lattice-based model that addresses the first goal of integrity: ensuring that modifications to data aren’t made by unauthorized users or processes. (See Chapter 6 for a complete discussion of the three goals of integrity.) Biba defines the following two properties:

- Simple integrity property: A subject can’t read information from an object that has a lower integrity level than the subject (also called no read down).

- *-integrity property (star integrity property): A subject can’t write information to an object that has a higher integrity level than the subject (also known as no write up).
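An added example, not code from the book, that encodes the two Bell-LaPadula properties and the two Biba properties as checks over a lattice of (level, compartments) labels, so that the "upside down" relationship between the models is visible in the code. The three DoD sensitivity levels come from the text above; the integrity scale, the compartment names and the subject and object labels are assumptions made for the example.

```python
from dataclasses import dataclass

# DoD sensitivity levels from the text; the integrity scale is an assumed example scale.
SENSITIVITY = {"Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Untrusted": 1, "Reviewed": 2, "Trusted": 3}

@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other):
        # Lattice order: at least as high a level AND every compartment of `other`.
        return self.level >= other.level and self.compartments >= other.compartments

def label(scale, name, *compartments):
    return Label(scale[name], frozenset(compartments))

def blp_allows(subject, obj, op):
    # Bell-LaPadula: ss-property (no read up) and *-property (no write down).
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject, obj, op):
    # Biba is the mirror image: no read down and no write up.
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")

def demo():
    analyst = label(SENSITIVITY, "Secret", "NATO")          # constructed subject
    ts_report = label(SENSITIVITY, "Top Secret", "NATO")    # constructed objects
    conf_memo = label(SENSITIVITY, "Confidential")
    crypto_doc = label(SENSITIVITY, "Secret", "CRYPTO")     # same level, other compartment
    reviewed, untrusted, trusted = (label(INTEGRITY, n) for n in ("Reviewed", "Untrusted", "Trusted"))
    return {
        "read_up": blp_allows(analyst, ts_report, "read"),        # False: no read up
        "read_down": blp_allows(analyst, conf_memo, "read"),      # True
        "write_down": blp_allows(analyst, conf_memo, "write"),    # False: no write down
        "write_up": blp_allows(analyst, ts_report, "write"),      # True: *-property permits it
        "need_to_know": blp_allows(analyst, crypto_doc, "read"),  # False: missing compartment
        "biba_read_down": biba_allows(reviewed, untrusted, "read"),  # False: no read down
        "biba_write_up": biba_allows(reviewed, trusted, "write"),    # False: no write up
    }
```

Note that Bell-LaPadula alone lets a Secret subject write into a Top Secret object it cannot read back; the *-property protects confidentiality, not the integrity of what lands there, which is exactly the gap Biba addresses.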

Clark-Wilson

Published in 1987, the Clark-Wilson integrity model establishes a security framework for use in commercial activities, such as the banking industry. Clark-Wilson addresses all three goals of integrity and identifies special requirements for inputting data based on the following items and procedures (see Chapter 6 for more on the three goals of integrity):

- Unconstrained data item (UDI): Data outside the control area, such as input data.

- Constrained data item (CDI): Data inside the control area. (Integrity must be preserved.)

- Integrity verification procedures (IVP): Checks validity of CDIs.

- Transformation procedures (TP): Maintains integrity of CDIs.

The Clark-Wilson integrity model is based on the concept of a well-formed transaction, in which a transaction is sufficiently ordered and controlled so that it maintains internal and external consistency.
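An added example (not the book's own code) of a well-formed transaction in the Clark-Wilson sense: a small bank ledger whose balances are the CDIs, a transfer TP that is the only path by which they change, raw JSON requests as UDIs that must be validated before they touch a CDI, access triples binding user, TP and CDI, and an IVP that re-checks the invariants after every TP. The account names, user names and request format are assumptions made for the example.

```python
import json

class IntegrityViolation(Exception): pass

class Ledger:
    def __init__(self, balances):
        self.accounts = dict(balances)        # CDIs
        self.total = sum(balances.values())   # invariant the IVP re-checks
        self.triples = set()                  # (user, tp, cdi) access triples
        self.log = []                         # audit trail of completed TPs

    def ivp(self):
        # Integrity verification procedure: no overdrafts, money neither created nor lost.
        return min(self.accounts.values()) >= 0 and sum(self.accounts.values()) == self.total

    def parse_udi(self, raw):
        # UDI (raw input) -> validated fields; rejected input never reaches a CDI.
        req = json.loads(raw)
        src, dst, amt = req.get("from"), req.get("to"), req.get("amount")
        if (not isinstance(amt, int) or amt <= 0 or src == dst
                or src not in self.accounts or dst not in self.accounts):
            raise IntegrityViolation("malformed transfer request")
        return src, dst, amt

    def tp_transfer(self, user, raw):
        # Well-formed transaction: certified via access triple, all-or-nothing, IVP afterwards.
        src, dst, amt = self.parse_udi(raw)
        if (user, "transfer", src) not in self.triples:
            raise IntegrityViolation(f"{user} is not certified to run transfer on {src}")
        snapshot = dict(self.accounts)
        self.accounts[src] -= amt
        self.accounts[dst] += amt
        if not self.ivp():
            self.accounts = snapshot          # roll back so the CDIs stay consistent
            raise IntegrityViolation("transfer would leave CDIs inconsistent")
        self.log.append((user, "transfer", src, dst, amt))
        return self.accounts[src], self.accounts[dst]

def demo():
    ledger = Ledger({"acct-100": 500, "acct-200": 50})              # constructed CDIs
    ledger.triples.add(("teller1", "transfer", "acct-100"))
    ledger.tp_transfer("teller1", '{"from": "acct-100", "to": "acct-200", "amount": 120}')
    rejected = []
    for user, raw in [("teller1", '{"from": "acct-100", "to": "acct-200", "amount": 1000}'),
                      ("teller2", '{"from": "acct-100", "to": "acct-200", "amount": 5}'),
                      ("teller1", '{"from": "acct-100", "to": "acct-200", "amount": -5}')]:
        try:
            ledger.tp_transfer(user, raw)
        except IntegrityViolation as e:
            rejected.append(str(e))
    return ledger.accounts, rejected, len(ledger.log), ledger.ivp()
```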

Information Flow

An Information Flow model is a type of access control model based on the flow of information, rather than on imposing access controls. Objects are assigned a security class and value, and their direction of flow, from one application to another or from one system to another, is controlled by a security policy. This model type is useful for analyzing covert channels, through detailed analysis of the flow of information in a system, including the sources of information and the paths of flow.

Non-interference

A Non-interference model ensures that the actions of different objects and subjects aren’t seen by (and don’t interfere with) other objects and subjects on the same system.
