Security Models
Security models help us to understand the sometimes-complex security mechanisms in information systems. Security models illustrate simple concepts that we can use when analyzing an existing system or designing a new one.
In this section we describe the time-honored concepts of confidentiality, integrity, and availability (known together as CIA, or the CIA Triad), and access control models.
Confidentiality
Confidentiality refers to the concept that information and functions should be accessed only by authorized subjects. This is usually accomplished through several means, including
Access and authorization: Ranging from physical access to facilities containing computers, to user account access and role-based access controls, the objective here is to make sure that only those persons with proper business authorization are permitted to access information.
Vulnerability management: This includes everything from system hardening to patch management and the elimination of vulnerabilities from web applications. What we’re trying to avoid here is any possibility that someone can attack the system and get to the data.
Sound system design: The overall design of the system excludes unauthorized subjects from access to protected data.
Sound data management practices: The organization has established processes that define the use of the information it manages or controls.
These characteristics work together to ensure that secrets remain secrets.
Integrity
Integrity refers to the concept that information in a system will arrive correctly and maintain that correctness throughout its lifetime. Systems housing the information will reject attempted changes by unauthorized parties or unauthorized means. The characteristics of data whose integrity is intact are:
Completeness
Timeliness
Accuracy
Validity
Some of the measures taken to ensure data integrity are
Authorization: This refers to whether data has proper authorization to enter a system. The integrity of a data record includes whether it should even be in the system.
Input control: This includes verifying that the new data entering the system is in the proper format and in the proper range.
Access control: This is used to control who (and what) is permitted to change the data.
Output control: This includes verifying that the data leaving the system is in the proper format.
All of these steps help to ensure that the data in a system has the highest possible quality.
Availability
Availability refers to the concept that a system (and the data within it) will be accessible when users want to use it. The characteristics of a system that determine its availability include:
Resilient hardware design: Features may include redundant power supplies, network adaptors, processors and other components. These help to ensure that a system will keep running even if some of its internal components fail.
Resilient software: The operating system and other software components need to be designed and configured to be as reliable as possible.
Resilient architecture: We’re talking big picture here. In addition to resilient hardware design, we would suggest that other components have redundancy including routers, firewalls, switches, telecommunications circuits, and whatever other items may otherwise be single points of failure.
Sound configuration management and Change Management processes: Availability depends not only on the components of the system itself but also on good system management practices. After all, availability means avoiding unscheduled downtime, which is often a consequence of sloppy configuration management and Change Management practices.
Access Control Models
Models are used to express access control requirements in a theoretical or mathematical framework that precisely describes or quantifies real access control systems. Common access control models include Bell-LaPadula, Access Matrix, Take-Grant, Biba, Clark-Wilson, Information Flow, and Non-interference.
Bell-LaPadula
Published in 1973, the Bell-LaPadula model was the first formal confidentiality model of a mandatory access control system. (We discuss mandatory and discretionary access controls in Chapter 4.) It was developed for the U.S. Department of Defense (DoD) to formalize the DoD multilevel security policy. As we discuss in Chapter 6, the DoD classifies information based on sensitivity at three basic levels: Confidential, Secret, and Top Secret. In order to access classified information (and systems), an individual must have access (a clearance level equal to or exceeding the classification of the information or system) and need-to-know (legitimately in need of access to perform a required job function). The Bell-LaPadula model implements the access component of this security policy.
Bell-LaPadula is a state machine model that addresses only the confidentiality of information. The basic premise of Bell-LaPadula is that information can’t flow downward. This means that information at a higher level is not permitted to be copied or moved to a lower level. Bell-LaPadula defines the following two properties:
Simple security property (ss property): A subject can’t read information from an object that has a higher sensitivity label than the subject (also known as no read up, or NRU).
*-property (star property): A subject can’t write information to an object that has a lower sensitivity label than the subject (also known as no write down, or NWD).
Bell-LaPadula also defines two additional properties that give it the flexibility of a discretionary access control model:
Discretionary security property: This property determines access based on an Access Matrix — more on that model in the following section.
Trusted subject: A trusted subject is an entity that can violate the *-property but not its intent.
Access Matrix
An Access Matrix model, in general, provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. An Access Matrix consists of access control lists (columns) and capability lists (rows). See Table 9-1 for an example.
Take-Grant
Take-Grant systems specify the rights that a subject can transfer to or from another subject or object. These rights are defined through four basic operations: create, revoke, take, and grant.
Biba
Simple integrity property: A subject can’t read information from an object that has a lower integrity level than the subject (also called no read down).
*-integrity property (star integrity property): A subject can’t write information to an object that has a higher integrity level than the subject (also known as no write up).
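As an added illustration (not from the original text) of the Bell-LaPadula and Biba properties above, the following Python encodes both sets of rules as access-decision functions. The level orderings, the Label type, and the category set used to model need-to-know are assumptions made for the example.

```python
from dataclasses import dataclass

# Hypothetical encodings for the illustration: the DoD levels named in the text
# plus a category set modelling need-to-know; Biba uses its own integrity levels.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: level at least as high AND categories are a superset
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_can_read(subject: Label, obj: Label) -> bool:
    # Simple security property (no read up): the subject must dominate the object
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label, trusted: bool = False) -> bool:
    # *-property (no write down): the object must dominate the subject.
    # A trusted subject bypasses the mechanical check; the model relies on it
    # not violating the property's intent.
    return trusted or obj.dominates(subject)


def biba_can_read(subject_level: str, obj_level: str) -> bool:
    # Simple integrity property (no read down): object integrity >= subject's
    return INTEGRITY[obj_level] >= INTEGRITY[subject_level]


def biba_can_write(subject_level: str, obj_level: str) -> bool:
    # *-integrity property (no write up): object integrity <= subject's
    return INTEGRITY[obj_level] <= INTEGRITY[subject_level]


if __name__ == "__main__":
    secret_crypto = Label("Secret", frozenset({"crypto"}))
    print(blp_can_read(secret_crypto, Label("Confidential")))     # True
    print(blp_can_read(Label("Secret"), secret_crypto))           # False: no need-to-know
    print(blp_can_write(Label("Secret"), Label("Confidential")))  # False: write down
    print(biba_can_read("Medium", "Low"))                         # False: read down
```

Note that the two models are duals: Bell-LaPadula compares sensitivity and forbids reading up or writing down, while Biba compares integrity and forbids reading down or writing up.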
Clark-Wilson
Unconstrained data item (UDI): Data outside the control area, such as input data.
Constrained data item (CDI): Data inside the control area. (Integrity must be preserved.)
Integrity verification procedures (IVP): Checks validity of CDIs.
Transformation procedures (TP): Maintains integrity of CDIs.
The Clark-Wilson integrity model is based on the concept of a well-formed transaction, in which a transaction is sufficiently ordered and controlled so that it maintains internal and external consistency.
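The following Python is an added example (not from the original text) showing how the four Clark-Wilson elements fit together around a well-formed transaction. The account ledger, the Ledger class, and the transfer TP are hypothetical; balances are the CDIs, the raw request is the UDI, and the IVP is the consistency check that must hold after every TP.

```python
class IntegrityViolation(Exception):
    pass


class Ledger:
    def __init__(self, balances: dict):
        self._cdi = dict(balances)      # constrained data items (the control area)
        self._total = sum(balances.values())
        self._tps = {}                  # name -> (validator for the UDI, certified TP)
        self._allowed = set()           # (user, tp_name) pairs permitted to run

    def ivp(self) -> bool:
        # Integrity verification procedure: no overdrafts, transfers conserve money
        return (all(v >= 0 for v in self._cdi.values())
                and sum(self._cdi.values()) == self._total)

    def certify_tp(self, name: str, validator, tp) -> None:
        self._tps[name] = (validator, tp)

    def allow(self, user: str, tp_name: str) -> None:
        self._allowed.add((user, tp_name))

    def balance(self, account: str) -> int:
        return self._cdi[account]

    def run(self, user: str, tp_name: str, udi: dict) -> bool:
        # CDIs change only through a certified TP that this user may invoke
        if tp_name not in self._tps or (user, tp_name) not in self._allowed:
            raise PermissionError(f"{user} may not run {tp_name}")
        validator, tp = self._tps[tp_name]
        args = validator(udi)           # UDI becomes trusted input only after checks
        snapshot = dict(self._cdi)
        tp(self._cdi, **args)
        if not self.ivp():              # not a well-formed transaction: roll back
            self._cdi = snapshot
            raise IntegrityViolation(f"{tp_name} would leave the CDIs inconsistent")
        return True


def validate_transfer(udi: dict) -> dict:
    amount = int(udi["amount"])
    if amount <= 0:
        raise ValueError("amount must be positive")
    return {"src": str(udi["src"]), "dst": str(udi["dst"]), "amount": amount}


def transfer(cdi: dict, src: str, dst: str, amount: int) -> None:
    cdi[src] -= amount
    cdi[dst] += amount
```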
Information Flow
An Information Flow model is a type of access control model based on the flow of information, rather than on imposing access controls. Objects are assigned a security class and value, and their direction of flow (from one application to another or from one system to another) is controlled by a security policy. This model type is useful for analyzing covert channels, through detailed analysis of the flow of information in a system, including the sources of information and the paths of flow.
Non-interference
A Non-interference model ensures that the actions of different objects and subjects aren’t seen by (and don’t interfere with) other objects and subjects on the same system.