A Security models is a hypothetical abstraction of a system, simplified to enable analysis of certain aspects of the system without the complexity and details of the entire system being analyzed. A security model is a model that deals with security policy.
Security models can be formal, intended for mathematical analysis to assist in the verification that a system complies with a specific policy, or they can be informal, serving to illustrate and simplify the assessment of a system without the rigor of a proof.
You will not often hear people say a project can’t proceed because it doesn’t meet the requirements of the Bell-LaPadula (BLP) model or some other model. The security models, once familiar in name to every schooled security professional for decades, have since been largely relegated to textbooks. But regardless of how old-school these models are, the underlying intent behind their design and purpose is to improve security, and the need to improve security has never been stronger than it is today.
Although these models are not applicable as is to modern information systems, studying them provides a powerful foundation for the security professional. The structured approach of codifying security requirements in a security model can help reduce ambiguity and potential misunderstanding as to what, exactly, a security architecture is trying to accomplish. It distills the essential requirements into clear rules and analyzes the design to ensure that those rules are adhered to at every step in the process. Ensuring that a security architecture conforms to a well-designed security model greatly strenghtens it.
Different Roots, Different Emphasis, Similar Goal
Interestingly, the differences of emphasis between models can be attributed to each model’s origin. Security models developed to address the concerns of the military and government emphasize confidentiality as the prime objective. Meanwhile, models designed for commercial entities might focus on the integrity of the data as key to preventing fraud or misleading financial reporting.
Note The security professional should have some understanding of the U.S. military’s early adoption of computer technology and the development of information systems security practice. The U.S. Department of Defense’s theoretical work in computing laid the basis for many of the systems security practices implemented in commercial systems today.
In the military world, all information is tagged with a classification that reflects the sensitivity to disclosure of that information, e.g. unclassified, confidential, secret, or top secret. To further reduce the risk of disclosure, the principle of need-to-know is implemented through compartmentalization. An item (or portions of an item) may be assigned to more than one compartment. So, an item’s security level consists of a classification and a set (possibly empty) of compartments.
The general structure of military information classification is that an individual is not permitted access to an item unless he has clearance at a level equal to or higher than the sensitivity classification of the item and has the need-to-know to have been granted access to every compartment to which the item has been assigned.
The different models have been designed to address specific objectives, be they confidentiality, integrity, or conflicts of interest (segregation of duties). Keep this in mind as you read the following sections that discuss the models. This can guide you in designing your own security model for your specific situation. The end goal is to improve security, with emphasis on the aspect that best suits your needs.
Related Product : EC-Council Certified Incident Handler | ECIH v2
Primer on Common Model Components
In examining security models, it is helpful to understand some concepts common across many security models, particularly finite state machines and lattices.
A finite state machine is a conceptual computer that can be in one of a finite number of states. The computer implements a state transition function that determines the next state, given the current state and the next input, and that can, optionally, produce output. In this model, evaluating the confidentiality-integrity-availability (CIA) properties of each state can ensure the system operates in a secure manner.
A lattice is a finite set with a partial ordering. A partial ordering is a binary relation that is reflexive, anti-symmetric, and transitive that need not apply to all, or any, pairs of items. Reflexive means that each item in the set is related (i.e. equal) to itself. Anti-sym- metric means that if a R b, and b R a, then a and b are the same. Transitive means that if a R b, and b R c, then a R c.
To put this in concrete mathematical terms, security levels form a partial ordering.
For example,
(Secret, STELLAR WIND) > (CONFIDENTIAL, ?)
Note, however, (Top Secret, NUCLEAR) and (Secret, GAMMA) have no relative ordering; they are not comparable.
More formally, a security level a dominates security level b, if the classification of a is greater than the classification of b, and the set of compartments of b is a subset of the compartment set of a.
In short, a lattice security model does the following:
- Defines a set of security levels
- Defines a partial ordering of that set
- Assigns every subject (e.g. user or process) and object (e.g. data) a security level
- Defines a set of rules governing the operations a subject can perform on an object based on the relationship between the security levels of the subject and object
Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/
