Handbook of Information Security Management: Access Control



Confidentiality Models

Confidentiality models are used to describe what actions must be taken to ensure the confidentiality of information. These models can specify how security tools are used to achieve the desired level of confidentiality.

The most commonly used model for describing the enforcement of confidentiality is the Bell-LaPadula model. It defines the relationships between objects (i.e., the files, records, programs, and equipment that contain or receive information) and subjects (i.e., the persons, processes, or devices that cause information to flow between the objects). The relationships are described in terms of the subject’s assigned level of access or privilege and the object’s level of sensitivity. In military terms, these would be described as the security clearance of the subject and security classification of the object.

Subjects access objects to read, write, or read and write information. The Bell-LaPadula model enforces the lattice principle: a subject may read only objects at the same or lower level (the simple security property, "no read up"), may write only to objects at the same or higher level (the *-property, "no write down"), and may both read and write only those objects at exactly its own level. This prevents higher-classified information from being written into a lower-classified file or disclosed to a lower-classified individual. Because an object's level indicates the security level of the data it contains, all the data within a single object must be at the same level. This type of model is called a flow model, because it ensures that information at a given security level flows only to an equal or higher level.

Another type of model that is commonly used is the access control model, which organizes a system into objects (i.e., resources being acted on), subjects (i.e., the persons or programs doing the action), and operations (i.e., the process of the interaction). A set of rules specifies which operations can be performed on an object by which subjects. This type of model has the additional benefit of ensuring the integrity of information as well as the confidentiality; the flow model supports only confidentiality.
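The two Bell-LaPadula flow rules and the rule-based check of the access control model, as an added example in Python (not code from the Handbook). Labels carry a hierarchical level plus a set of compartments, so two labels can be incomparable, as in a real lattice; the level names, compartments, subject and object names, and the rule table are all constructed for illustration. The example also shows the point made above: the flow model alone lets a low-cleared subject write upward into a higher-classified object, so it is the access-control rules that protect that object's integrity.

```python
"""Bell-LaPadula flow checks beside an access-control rule set.

Added example, not from the Handbook. Level names, compartments,
subjects, objects and the RULES table are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical classification levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of compartments (need-to-know categories).

    Labels form a lattice: A dominates B when A's level is at least B's and
    A's compartments include all of B's. Labels with disjoint compartments
    are incomparable, so neither dominates the other.
    """
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Flow check. 'read' needs subject >= object (simple security property, no read up);
    'write' needs object >= subject (*-property, no write down);
    'readwrite' needs both, which holds only when the two labels are equal."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    if op == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


# Access-control model: explicit (subject, object, operation) grants.
# Anything not listed is denied. Constructed for illustration.
RULES = {
    ("clerk", "payroll.db", "read"),
    ("payroll-app", "payroll.db", "readwrite"),
    ("analyst", "intel-report", "read"),
}


def acm_allowed(subject_name: str, obj_name: str, op: str) -> bool:
    """Rule-based check: the operation must have been granted to this subject
    on this object. A 'readwrite' grant also covers 'read' and 'write'."""
    if (subject_name, obj_name, op) in RULES:
        return True
    return op in ("read", "write") and (subject_name, obj_name, "readwrite") in RULES


def combined_allowed(subject_name: str, subject_label: Label,
                     obj_name: str, obj_label: Label, op: str) -> bool:
    """An access must satisfy both the flow model and the rule set."""
    return (blp_allowed(subject_label, obj_label, op)
            and acm_allowed(subject_name, obj_name, op))


if __name__ == "__main__":
    clerk, payroll = Label("UNCLASSIFIED"), Label("SECRET")
    # Flow model alone: the clerk may not read the Secret file (no read up) ...
    print("clerk read payroll.db (BLP):", blp_allowed(clerk, payroll, "read"))    # False
    # ... but may write into it blind (write up), which the flow model cannot stop.
    print("clerk write payroll.db (BLP):", blp_allowed(clerk, payroll, "write"))  # True
    # With the rule set added, the write is denied: no grant exists for it.
    print("clerk write payroll.db (both):",
          combined_allowed("clerk", clerk, "payroll.db", payroll, "write"))      # False
    # Incomparable compartments: neither read nor write in either direction.
    a = Label("SECRET", frozenset({"NUCLEAR"}))
    b = Label("SECRET", frozenset({"CRYPTO"}))
    print("NUCLEAR read CRYPTO:", blp_allowed(a, b, "read"),
          "write:", blp_allowed(a, b, "write"))                                   # False False
```

The `blp_allowed` check is the flow model of the preceding paragraphs; `acm_allowed` is the rule set of the access control model; `combined_allowed` is what a system that wants both confidentiality and integrity has to evaluate, and the write-up case is exactly where the two differ.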

Implementing Confidentiality Models

The trusted system criteria provide the best guidelines for implementing confidentiality models. These criteria were developed by the National Computer Security Center and are published in the Department of Defense Trusted Computer System Evaluation Criteria (commonly referred to as the Orange Book), which discusses information confidentiality in considerable detail. In addition, the National Computer Security Center has developed a Trusted Network Interpretation that applies the Orange Book criteria to networks; the network interpretation is described in the Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria (commonly referred to as the Red Book).

INTEGRITY

Integrity is the protection of system data from intentional or accidental unauthorized changes. The challenge of the security program is to ensure that data is maintained in the state that users expect. Although the security program cannot improve the accuracy of data that is put into the system by users, it can help ensure that any changes are intended and correctly applied.

An additional element of integrity is the need to protect the process or program used to manipulate the data from unauthorized modification. A critical requirement of both commercial and government data processing is to ensure the integrity of data to prevent fraud and errors. It is imperative, therefore, that no user be able to modify data in a way that might corrupt or lose assets or financial records or render decision-making information unreliable. Examples of government systems in which integrity is crucial include air traffic control systems, military fire control systems (which control the firing of automated weapons), and Social Security and welfare systems. Examples of commercial systems that require a high level of integrity include medical prescription systems, credit reporting systems, production control systems, and payroll systems.

As with the confidentiality policy, identification and authentication of users are key elements of the information integrity policy. Integrity depends on access controls; therefore, it is necessary to positively and uniquely identify all persons who attempt access.

Protecting Against Threats to Integrity

Like confidentiality, integrity can be compromised by hackers, masqueraders, unauthorized user activity, unprotected downloaded files, LANs, and unauthorized programs (e.g., Trojan horses and viruses), because each of these threats can lead to unauthorized changes to data or programs. For example, authorized users can corrupt data and programs accidentally or intentionally if their activities on the system are not properly controlled.

Three basic principles are used to establish integrity controls:

1.  granting access on a need-to-know basis,
2.  separation of duties,
3.  rotation of duties.

Need-to-Know Access

Users should be granted access only to those files and programs that they need in order to perform their assigned job functions. User access to production data or source code should be further restricted through use of well-formed transactions, which ensure that users can change data only in controlled ways that maintain the integrity of data. A common element of well-formed transactions is the recording of data modifications in a log that can be reviewed later to ensure that only authorized and correct changes were made. To be effective, well-formed transactions must ensure that data can be manipulated only by a specific set of programs. These programs must be inspected for proper construction, installation, and controls to prevent unauthorized modification.
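Well-formed transactions with a reviewable modification log, as an added example in Python (not code from the Handbook). The ledger, the account names and amounts, the set of programs permitted to run the transaction, and the log format are constructed for illustration. The log is hash-chained so that the later review detects not only a change made outside the transaction program but also an edited or deleted log entry.

```python
"""Well-formed transactions over a ledger, with a reviewable change log.

Added example, not from the Handbook. Accounts, amounts, the AUTHORIZED
set and the log format are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Only these programs may invoke the transaction (need-to-know restriction).
AUTHORIZED = {"payroll-app"}
GENESIS = "0" * 64   # chain anchor before the first log entry


class TransactionError(Exception):
    """Raised when a transaction would leave the data in an invalid state."""


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Ledger:
    balances: dict                              # account -> balance
    log: list = field(default_factory=list)     # append-only, hash-chained
    _last_hash: str = field(default=GENESIS, repr=False)

    def transfer(self, who: str, src: str, dst: str, amount: int) -> dict:
        """The one program allowed to move money: check caller, validate, apply, log."""
        if who not in AUTHORIZED:
            raise PermissionError(f"{who} may not run transfer")
        if amount <= 0:
            raise TransactionError("amount must be positive")
        if src not in self.balances or dst not in self.balances:
            raise TransactionError("unknown account")
        if self.balances[src] < amount:
            raise TransactionError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        body = {"seq": len(self.log), "who": who, "action": "transfer",
                "src": src, "dst": dst, "amount": amount, "prev": self._last_hash}
        entry = dict(body, hash=_digest(body))
        self.log.append(entry)
        self._last_hash = entry["hash"]
        return entry


def verify(ledger: Ledger, opening: dict) -> bool:
    """Review step: replay the log from the opening balances and check the chain.

    Returns True only if every entry hashes and links correctly, was made by an
    authorized program, and the replayed state equals the live balances, i.e.
    every change to the data went through transfer()."""
    state = dict(opening)
    prev = GENESIS
    for i, entry in enumerate(ledger.log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
            return False                      # edited, reordered or deleted entry
        if body["who"] not in AUTHORIZED:
            return False                      # change recorded by an unauthorized program
        state[body["src"]] -= body["amount"]
        state[body["dst"]] += body["amount"]
        prev = entry["hash"]
    return state == ledger.balances


if __name__ == "__main__":
    ledger = Ledger(balances={"alice": 100, "bob": 50})
    opening = dict(ledger.balances)
    ledger.transfer("payroll-app", "alice", "bob", 30)
    print(ledger.balances, verify(ledger, opening))   # {'alice': 70, 'bob': 80} True
    ledger.balances["alice"] += 1000                  # change made outside the transaction program
    print(verify(ledger, opening))                    # False: live state disagrees with the log
```

In a real system the "only through transfer()" property is enforced by the access controls of the preceding paragraph (the data files are writable only by the approved programs); the replay in `verify` is the review that confirms, after the fact, that those controls held and that every recorded change was authorized and correct.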

Because users must be able to work efficiently, access privileges should be judiciously granted to allow sufficient operational flexibility; need-to-know access should enable maximum control with minimum restrictions on users. The security program must employ a careful balance between ideal security and practical productivity.
