Handbook of Information Security Management:Access Control

Separation of Duties

To ensure that no single employee has control of a transaction from beginning to end, two or more people should be responsible for performing it — for example, anyone allowed to create or certify a well-formed transaction should not be allowed to execute it. Thus, a transaction cannot be manipulated for personal gain unless all persons responsible for it participate.

Rotation of Duties

Job assignments should be changed periodically so that it is more difficult for users to collaborate to exercise complete control of a transaction and subvert it for fraudulent purposes. This principle is most effective when used in conjunction with separation of duties. Problems in effectively rotating duties usually appear in organizations with limited staff resources and inadequate training programs.

Integrity Models

Integrity models are used to describe what needs to be done to enforce the information integrity policy. There are three goals of integrity, which the models address in various ways:

1.  Preventing unauthorized users from making modifications to data or programs.
2.  Preventing authorized users from making improper or unauthorized modifications.
3.  Maintaining internal and external consistency of data and programs.

The first step in creating an integrity model for a system is to identify and label those data items for which integrity must be ensured. Two procedures are then applied to these data items. The first procedure verifies that the data items are in a valid state (i.e., they are what the users or owners believe them to be because they have not been changed). The second procedure is the transformation procedure or well-formed transaction, which changes the data items from one valid state to another. If only a transformation procedure is able to change data items, the integrity of the data is maintained. Integrity enforcement systems usually require that all transformation procedures be logged, to provide an audit trail of data item changes.

Another aspect of preserving integrity relates to the system itself rather than only the data items in the system. The system must perform consistently and reliably — that is, it must always do what the users or owners expect it to do.

National Computer Security Center Report 79–91, “Integrity in Automated Information Systems” (September 1991), discusses several integrity models. Included are five models that suggest different approaches to achieving integrity:

1.  Biba,
2.  Goguen-Meseguer,
3.  Sutherland,
4.  Clark-Wilson,
5.  Brewer-Nash.

The Biba Model

The first model to address integrity in computer systems was based on a hierarchical lattice of integrity levels defined by Biba in 1977. The Biba integrity model is similar to the Bell-LaPadula model for confidentiality in that it uses subjects and objects; in addition, it controls object modification in the same way that Bell-LaPadula controls disclosure.

Biba’s integrity policy consists of three parts. The first part specifies that a subject cannot execute objects that have a lower level of integrity than the subject. The second part specifies that a subject cannot modify objects that have a higher level of integrity. The third part specifies that a subject may not request service from subjects that have a higher integrity level.
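The three parts of Biba's policy expressed as a reference-monitor check, as an added example (not the handbook's own code). The level names and the sample requests are constructed for illustration:

```python
# Added example (not from the handbook): a Biba reference-monitor check for the
# three parts of the policy. Level names and the sample requests are constructed.
from enum import IntEnum


class Integrity(IntEnum):        # higher value = higher integrity
    UNTRUSTED = 1
    USER = 2
    SYSTEM = 3


def biba_allows(subject_level, operation, target_level) -> bool:
    """Return True if Biba's integrity policy permits the request."""
    if operation == "execute":   # part 1: no executing lower-integrity objects
        return target_level >= subject_level
    if operation == "modify":    # part 2: no modifying higher-integrity objects
        return target_level <= subject_level
    if operation == "invoke":    # part 3: no requesting service from higher-integrity subjects
        return target_level <= subject_level
    raise ValueError(f"unknown operation {operation!r}")


def denied_requests(requests):
    """Evaluate a batch of (subject, operation, target) triples; return those denied."""
    return [r for r in requests if not biba_allows(*r)]


# Constructed sample requests, with the expected decision noted beside each one.
SAMPLE_REQUESTS = [
    (Integrity.USER, "execute", Integrity.SYSTEM),       # allowed: higher-integrity binary
    (Integrity.USER, "execute", Integrity.UNTRUSTED),    # denied: lower-integrity object
    (Integrity.USER, "modify", Integrity.SYSTEM),        # denied: higher-integrity object
    (Integrity.SYSTEM, "modify", Integrity.USER),        # allowed: write down is permitted
    (Integrity.UNTRUSTED, "invoke", Integrity.SYSTEM),   # denied: service from higher subject
]
```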

The Goguen-Meseguer Model

The Goguen-Meseguer model, published in 1982, is based on the mathematical principle governing automata (i.e., control mechanisms designed to automatically follow a predetermined sequence of operations or respond to encoded instructions) and includes domain separation. In this context, a domain is the list of objects that a user can access; users can be grouped according to their defined domains. Separating users into different domains ensures that users cannot interfere with each other’s activities. All the information about which activities users are allowed to perform is included in a capabilities table.

In addition, the system contains information not related to permissions (e.g., user programs, data, and messages). The combination of all this information is called the state of the system. The automaton theory used as a basis for this model predefines all of the states and transitions between states, which prevents unauthorized users from making modifications to data or programs.

The Sutherland Model

The Sutherland model, published in 1986, approaches integrity by focusing on the problem of inference (i.e., the use of covert channels to influence the results of a process). This model is based on a state machine and consists of a set of states, a set of possible initial states, and a transformation function that maps states from the initial state to the current state.

Although the Sutherland model does not directly invoke a protection mechanism, it contains access restrictions related to subjects and information flow restrictions between objects. Therefore, it prevents unauthorized users from modifying data or programs.

The Clark-Wilson Model

The Clark-Wilson model, published in 1987 and updated in 1989, involves two primary elements for achieving data integrity — the well-formed transaction and separation of duties. Well-formed transactions, as previously mentioned, prevent users from manipulating data, thus ensuring the internal consistency of data. Separation of duties prevents authorized users from making improper modifications, thus preserving the external consistency of data by ensuring that data in the system reflects the real-world data it represents.

The Clark-Wilson model differs from the other models, which are subject and object oriented, by introducing a third access element — programs — resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. In addition, this model uses integrity verification and transformation procedures to maintain internal and external consistency of data. The verification procedures confirm that the data conforms to the integrity specifications at the time the verification is performed. The transformation procedures are designed to take the system from one valid state to the next. The Clark-Wilson model is believed to address all three goals of integrity.
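The access triple, integrity verification procedure (IVP), transformation procedure (TP), separation of duties and audit trail described above, as an added example that is not the handbook's own code. The ledger CDIs, user names and amounts are constructed; the separation-of-duties rule applied is the one from the Separation of Duties section (whoever certifies a transaction may not execute it):

```python
# Added example (not from the handbook): a minimal Clark-Wilson enforcement layer.
# CDI names, users, certifiers and amounts are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ClarkWilsonSystem:
    cdis: dict                    # constrained data items: name -> value
    triples: set                  # allowed access triples (user, tp_name, cdi_name)
    certified_by: dict            # tp_name -> user who certified the TP
    log: list = field(default_factory=list)   # audit trail of TP invocations

    def ivp(self) -> bool:
        """Integrity verification procedure: the ledger must balance."""
        return self.cdis["assets"] == self.cdis["liabilities"]

    def run_tp(self, user, tp_name, cdi_names, tp_func, *args) -> bool:
        # Access triple: the user must be authorised to run this TP on every CDI it touches.
        for cdi in cdi_names:
            if (user, tp_name, cdi) not in self.triples:
                self.log.append((user, tp_name, "denied: no access triple"))
                return False
        # Separation of duties: the user who certified the TP may not execute it.
        if self.certified_by.get(tp_name) == user:
            self.log.append((user, tp_name, "denied: certifier may not execute"))
            return False
        snapshot = dict(self.cdis)
        tp_func(self.cdis, *args)
        if not self.ivp():        # a TP must leave the CDIs in a valid state
            self.cdis = snapshot
            self.log.append((user, tp_name, "rolled back: IVP failed"))
            return False
        self.log.append((user, tp_name, "ok"))
        return True


def tp_post_entry(cdis, amount):
    # Well-formed transaction: double-entry posting keeps the ledger balanced.
    cdis["assets"] += amount
    cdis["liabilities"] += amount


def tp_bad_entry(cdis, amount):
    # A faulty TP that updates only one side; the IVP catches and reverts it.
    cdis["assets"] += amount


def build_demo() -> ClarkWilsonSystem:
    return ClarkWilsonSystem(
        cdis={"assets": 100, "liabilities": 100},
        triples={("alice", "post_entry", "assets"), ("alice", "post_entry", "liabilities"),
                 ("bob", "post_entry", "assets"), ("bob", "post_entry", "liabilities"),
                 ("alice", "bad_entry", "assets")},
        certified_by={"post_entry": "bob", "bad_entry": "carol"},
    )
```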
