Security Models
Introduction
Security model concepts are crucial to understanding and standardizing current models of information security architectures and frameworks. Moreover, the models are useful for standardizing a secure state and the transitions of information flow between classifications through security policies. In addition, they are abstract representations that provide a set of rules that designers can apply to computer systems. In other words, we employ security models to enforce security policies through the implementation of security concepts, processes and procedures. Furthermore, we use security tokens, capabilities, labels and related techniques to realize security objectives.
Security models employ state machines to establish a secure system and an information flow model to control the movement of data. Besides, they apply noninterference concepts to protect the actions of a subject at one level from affecting the state of the system and the actions of subjects at different clearance levels.
In the following sections, we will discuss different security models inherent in the information security domain. Moreover, I will recommend techniques to easily understand and remember the models.
Security Concepts
As cybersecurity professionals and aspirants, we have to grasp and retain a myriad of concepts and practices prevalent in the field. Furthermore, remembering all these concepts, models, frameworks, standards and architectures is a daunting task for most of us. This is especially true if we are planning to sit for a certification exam of some sort. Therefore, we have to be smart enough to devise effective mechanisms that help us understand and retain the concepts easily.
Remembering and understanding these aspects through analogous terms and phrases is the best strategy. We can relate them to names of places, people, things, etc. to instantly remember and decode the issue under consideration. However, there is no guarantee that this technique will work for everyone, because people follow different strategies when studying for exams and certifications. Nevertheless, it works perfectly for me when I study, and I am optimistic that it will work for you as well.
Let us discuss some popular security models that are testable in the CISSP exam and other certifications.
Bell-LaPadula Model
The Bell-LaPadula Model (BLP) is mostly applicable in organizations with multilevel security policies, such as military and government organizations. Under multilevel security policies, entities with a given security clearance level are able to access resources only at their clearance level or below it.
The model is convenient for establishing multilevel security policies and protects only the confidentiality of data. Moreover, it restricts and prevents leakage of classified data to entities with lower clearance levels. Additionally, it is a hierarchically arranged model and uses mandatory access control (MAC) to enforce the prescribed security rules. The model specifies the following three security rules:
Simple Security Property (ss property)
This rule prevents a subject at a given clearance level from reading an object at a higher security classification level. In other words, we can refer to this property in short as the “no read up” rule.
I am sure you know someone whose name is “Niru”. It is a common name in the Middle East and elsewhere. We will use the name to help us remember this security rule perfectly. For convenience, let us shorten “no read up” to “NRU”. The name of the “ss property” is “NRU”. Therefore, when you think of someone whose name is “NRU”, assume you are referring to the “Simple Security Property” of the Bell-LaPadula model.
Star Property (* property) Rule
This rule strictly prevents a subject with a certain clearance level from writing to an object at a lower security classification level. In other words, we can refer to this property as the “no write down” rule.
Popular film industry players such as Hollywood, Bollywood and Nollywood have been entertaining us for decades. Unusually, I will make use of these entertainment industries to help us remember some rules of security models. To remember the “Star Property Rule” easily, let us coin our own word from the “no write down” rule. Let us call it “NWD”, taking the first letters of the rule. When you remember “Nollywood”, think of “NWD” to refer to the “Star Property Rule”. This analogy will stay in your memory as long as you want it to.
The Discretionary Security Property
This rule requires an access matrix to enforce discretionary access control (DAC) on subjects and objects. When you want to remember this rule, think of the bird “duck”. If you can remember the bird, assume you are referring to “The Discretionary Security Property” of the BLP model.
We can summarize the first two security rules of the BLP model as in the following diagram.
- “No read up” or “NRU” of the “Simple Security Property” indirectly means “read down” with need-to-know. Thus, a subject with “Top Secret” security clearance can read “Secret”, and “Secret” can read “Confidential” classification levels. However, the other way round is not true. That is, a subject with “Confidential” clearance cannot read “Secret”, and “Secret” cannot read “Top Secret” levels.
- “No write down” or “NWD” of the “Star Property Rule” indirectly means “write up”, but with appropriate principles such as least privilege and need-to-know. Thus, a subject with “Confidential” security clearance can write to “Secret”, and “Secret” can write to “Top Secret” levels. However, a subject with “Top Secret” security clearance cannot write to “Secret”, and “Secret” cannot write to “Confidential” levels.
Some Drawbacks of BLP
- It does not address covert channel attacks.
- It only focuses on ensuring confidentiality and does not address integrity concerns.
Biba Model
Similar to Bell-LaPadula, the Biba model is hierarchical or lattice based and employs the information flow model. However, unlike the BLP model, it mainly focuses on and protects the integrity of data. Moreover, it is a multilevel security model and employs the state machine concept. Similar to the BLP model, it specifies the following rules:
Simple Integrity Property
This rule prevents the integrity of information at a higher level from being compromised by a less trusted source at a lower level. In other words, we can refer to it as the “no read down” rule. Furthermore, this rule prevents higher integrity processes from producing unreliable results by reading lower integrity sources.
Bear in mind that Biba is the inverse of the Bell-LaPadula model. Therefore, the analogies we established earlier for BLP hold true, but in reverse order. In other words, we shortened the “Simple Security Property” of the BLP model to “no read up” or “NRU”. When we reverse the process, we get the “no read down” property of the Biba model.
Star Integrity (* Integrity) Property
This security rule prevents the corruption of more secure information by a subject with a lower security clearance level. We sometimes refer to it as the “no write up” property. Remember that we only need to understand the two properties of the BLP model to grasp the two properties of Biba. That is, if we invert the “no write down” rule of BLP, we get the “no write up” rule of the Biba model.
We can summarize the two security rules of the Biba model diagrammatically as follows.
- “No read down” or “NRD” of the “Simple Integrity Property” indirectly means “read up” with need-to-know. Thus, a subject with “Confidential” security clearance can read “Secret”, and “Secret” can read “Top Secret” levels. However, a subject with a given clearance level cannot read objects classified at lower levels. That is, a subject with “Top Secret” clearance cannot read “Secret”, and “Secret” cannot read “Confidential” objects.
- “No write up” or “NWU” of the “Star Integrity Property” indirectly means “write down”, again with appropriate principles such as least privilege and need-to-know. Thus, a subject with “Top Secret” security clearance can write to “Secret”, and “Secret” can write to “Confidential” levels. However, a subject with “Confidential” security clearance cannot write to “Secret”, and “Secret” cannot write to “Top Secret” levels.
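The four rules summarized above for BLP and for Biba are the same lattice comparison applied in opposite directions. The following Python is an added example written for this article, not code from the original; it assumes the three levels named on the page plus a constructed need-to-know category set, and the `monitor` function that combines both models is a common real-world arrangement assumed here, not something the page describes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

# The three levels used on this page, lowest to highest.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a need-to-know category set (constructed)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other in the lattice: higher-or-equal level AND a superset of categories
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


# --- Bell-LaPadula (confidentiality): labels are clearances / classifications ---
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property, 'no read up': the subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """Star Property, 'no write down': the object must dominate the subject."""
    return obj.dominates(subject)


# --- Biba (integrity): labels are integrity levels; the rules mirror BLP's ---
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple Integrity Property, 'no read down': the object must dominate the subject."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Star Integrity Property, 'no write up': the subject must dominate the object."""
    return subject.dominates(obj)


Rule = Callable[[Label, Label], bool]


def decision_table(rule: Rule) -> Dict[Tuple[str, str], bool]:
    """Evaluate a rule for every (subject level, object level) pair on the page."""
    return {(s, o): rule(Label(s), Label(o)) for s in LEVELS for o in LEVELS}


def monitor(subject_conf: Label, subject_int: Label,
            obj_conf: Label, obj_int: Label, mode: str) -> bool:
    """Reference monitor for a system that labels every entity with BOTH a
    confidentiality and an integrity label (an assumed combination): access is
    allowed only if BLP and Biba both permit it."""
    if mode == "read":
        return blp_can_read(subject_conf, obj_conf) and biba_can_read(subject_int, obj_int)
    if mode == "write":
        return blp_can_write(subject_conf, obj_conf) and biba_can_write(subject_int, obj_int)
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    ts, s, c = Label("Top Secret"), Label("Secret"), Label("Confidential")
    print("BLP  TS reads S  :", blp_can_read(ts, s))      # True  (read down)
    print("BLP  S  reads TS :", blp_can_read(s, ts))      # False (no read up)
    print("BLP  C  writes S :", blp_can_write(c, s))      # True  (write up)
    print("Biba TS reads S  :", biba_can_read(ts, s))     # False (no read down)
    print("Biba TS writes S :", biba_can_write(ts, s))    # True  (write down)
    # need-to-know: Top Secret without the constructed NUCLEAR category still cannot read it
    print("BLP  TS reads S/NUCLEAR:",
          blp_can_read(ts, Label("Secret", frozenset({"NUCLEAR"}))))
```

The `decision_table` helper reproduces the two bullet lists above as a 3x3 grid for each rule, which is a quick way to check that an implementation really is "read down, write up" for BLP and the exact mirror for Biba.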
Clark-Wilson Model
The Clark-Wilson model primarily protects data integrity, like the Biba model. However, this model goes deeper and argues that lattice-based models are not sufficient to achieve integrity objectives. Moreover, the model defines data items and requires each modification to occur only through controlled middleware programs or APIs.
Unlike the Biba model, which governs modifications to data through security clearances only, this model establishes constrained interfaces to restrict modifications. As opposed to the subject-object based lattice structures, the model bases itself on the three-part relationship of subject-program-object.
We can depict the relationship as in the following diagram: subject → program → object.
The Clark-Wilson model employs two security concepts to achieve its objectives:
- Well-formed Transactions: Even if subjects have all the necessary permissions to make changes to objects, they must still pass through constrained interfaces before making the modifications. This is in total contrast to the multilevel Bell-LaPadula and Biba models. Moreover, it allows subjects, through the intermediary programs, to make only those changes that will not affect the integrity of the data.
- Separation of Duties (SoD): The aim of this security concept is to achieve data integrity through check-and-balance requirements when making transactions. This further prohibits subjects from committing transactions before gaining the necessary approvals.
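The subject-program-object triple and both concepts above can be seen in one small system. The Python below is an added example, not code from the original article: it models a constructed ledger where the constrained data items are account balances, the only programs allowed to touch them are two transformation procedures (submit and approve), an integrity verification procedure checks the invariant after every transaction and rolls back on failure, and separation of duties forbids the submitter from approving their own request. The user names and access triples are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ClarkWilsonLedger:
    """Toy Clark-Wilson system (constructed example).

    cdis    : constrained data items (account balances) changed only through a TP
    triples : (user, tp) pairs certified by the security officer
    pending : transfer requests awaiting approval, keyed by request id
    IVP     : no balance is negative and the total across accounts never changes
    """
    cdis: Dict[str, int]
    triples: Set[Tuple[str, str]] = field(default_factory=set)
    pending: Dict[int, Tuple[str, str, str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    _total: int = field(init=False, default=0)
    _next_id: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._total = sum(self.cdis.values())
        if not self.ivp():
            raise ValueError("initial state fails the IVP")

    def ivp(self) -> bool:
        """Integrity verification procedure: the invariant every TP must preserve."""
        return (all(v >= 0 for v in self.cdis.values())
                and sum(self.cdis.values()) == self._total)

    def _authorize(self, user: str, tp: str) -> None:
        # Access triple check: only a certified (user, TP) pair may run the TP.
        if (user, tp) not in self.triples:
            raise PermissionError(f"{user} is not certified to run {tp}")

    def submit_transfer(self, user: str, src: str, dst: str, amount: int) -> int:
        """TP 1: record a transfer request; returns its id. Does not touch the CDIs."""
        self._authorize(user, "submit_transfer")
        if src not in self.cdis or dst not in self.cdis or amount <= 0:
            raise ValueError("malformed transfer request")
        request_id = self._next_id
        self._next_id += 1
        self.pending[request_id] = (user, src, dst, amount)
        self.log.append(f"{user} submitted #{request_id}: {amount} {src}->{dst}")
        return request_id

    def approve_transfer(self, user: str, request_id: int) -> Dict[str, int]:
        """TP 2: apply a pending transfer as a well-formed transaction."""
        self._authorize(user, "approve_transfer")
        submitter, src, dst, amount = self.pending[request_id]
        # Separation of duties: the submitter may never approve their own request.
        if user == submitter:
            raise PermissionError("separation of duties: submitter cannot approve own request")
        snapshot = dict(self.cdis)
        self.cdis[src] -= amount
        self.cdis[dst] += amount
        if not self.ivp():                 # the TP must leave the CDIs in a valid state
            self.cdis = snapshot           # roll back so no partial modification survives
            raise ValueError(f"IVP failed; request #{request_id} rolled back")
        del self.pending[request_id]
        self.log.append(f"{user} approved #{request_id}")
        return dict(self.cdis)


if __name__ == "__main__":
    ledger = ClarkWilsonLedger(
        {"alice": 500, "bob": 100},
        triples={("teller", "submit_transfer"), ("teller", "approve_transfer"),
                 ("manager", "approve_transfer")})
    rid = ledger.submit_transfer("teller", "alice", "bob", 200)
    try:
        ledger.approve_transfer("teller", rid)      # same person: SoD violation
    except PermissionError as e:
        print("blocked:", e)
    print("approved:", ledger.approve_transfer("manager", rid))
```

Nothing in the program writes to `cdis` except the two TPs, which is the point of the model: the subject's permissions are expressed as which TPs it may run, never as direct access to the data.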
Brewer-Nash Model
The Brewer-Nash model, sometimes referred to as the “Ethical Wall” model, is a security model we primarily use to avoid conflicts of interest. Moreover, it creates security domains and applies access control policies to subjects who have insider knowledge about a given organization. Besides, the security model allows us to change access controls dynamically depending on entities’ historical activities.
The Brewer-Nash model prevents conflicts of interest that may arise from subjects’ insider knowledge gained through job responsibilities. Furthermore, it is applicable to a single integrated database and creates security domains to handle conflicting interests properly.
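The dynamic, history-dependent access control described above is easiest to see in code. The following Python is an added example, not code from the original article. The company names and conflict-of-interest classes are constructed; the read rule follows the page's description (access depends on what the subject has already touched), and the write rule is the model's star-property from Brewer and Nash's paper, simplified here by ignoring sanitized data.

```python
from typing import Dict, Set


class ChineseWall:
    """Brewer-Nash reference monitor (constructed example).

    companies: company -> conflict-of-interest class it belongs to
    history  : subject -> set of companies whose data it has already read
    """

    def __init__(self, companies: Dict[str, str]) -> None:
        self.coi = companies
        self.history: Dict[str, Set[str]] = {}

    def can_read(self, subject: str, company: str) -> bool:
        """Simple security rule: allowed if the subject already accessed this company,
        or has accessed nothing else in the same conflict-of-interest class."""
        seen = self.history.get(subject, set())
        if company in seen:
            return True
        return all(self.coi[other] != self.coi[company] for other in seen)

    def read(self, subject: str, company: str) -> bool:
        """Mediate a read and, if allowed, record it: the wall moves after each access."""
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True

    def can_write(self, subject: str, company: str) -> bool:
        """*-property (simplified, no sanitized data): a write into a company's dataset
        is allowed only if the subject may read it AND has read no other company's data,
        so nothing learned behind the wall can be copied across it."""
        seen = self.history.get(subject, set())
        return self.can_read(subject, company) and seen <= {company}


if __name__ == "__main__":
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilCo": "oil"})
    print(wall.read("analyst", "BankA"))       # True: first access, nothing conflicts
    print(wall.can_read("analyst", "BankB"))   # False: same class as BankA
    print(wall.read("analyst", "OilCo"))       # True: different class
    print(wall.can_write("analyst", "BankA"))  # False: has also read OilCo
```

Notice that `history` is the only state: two subjects with identical clearances get different answers purely because of what each has read before, which is what distinguishes this model from the static lattices of BLP and Biba.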
Take-Grant Model
The Take-Grant model is a security model that focuses on describing the right of entities to acquire rights from one entity and grant them to another. Moreover, it is a model that controls how rights are transferred from subject to subject or from subject to object.
For instance, subject A with the “Take” right can take a right from another subject B or an object C. Similarly, subject A with the “Grant” right can grant another subject B or an object C any right that subject A owns.
The Take-Grant model has two additional rules, namely “Create” and “Remove”, used to generate and delete rights respectively.
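The four rules (take, grant, create, remove) operate on a directed graph whose edges are labelled with rights. The Python below is an added example, not code from the original article; it implements the rules as described above over a constructed graph with nodes A, B and C, with `t` and `g` standing for the take and grant rights and any other string (for instance `r`, `w`) standing for an ordinary right.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple


class TakeGrantGraph:
    """Take-Grant protection graph (constructed example).

    nodes: name -> "subject" or "object"
    edges: (src, dst) -> set of rights src holds over dst
    """

    def __init__(self) -> None:
        self.nodes: Dict[str, str] = {}
        self.edges: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def add_node(self, name: str, kind: str) -> None:
        if kind not in ("subject", "object"):
            raise ValueError("kind must be 'subject' or 'object'")
        self.nodes[name] = kind

    def rights(self, src: str, dst: str) -> Set[str]:
        return set(self.edges.get((src, dst), set()))

    def _require_subject(self, x: str) -> None:
        # Only subjects act; objects are passive and cannot invoke the rules.
        if self.nodes.get(x) != "subject":
            raise PermissionError(f"{x} is not a subject")

    def take(self, x: str, y: str, z: str, right: str) -> None:
        """Take rule: x holds 't' over y and y holds `right` over z, so x takes `right` over z."""
        self._require_subject(x)
        if "t" not in self.edges[(x, y)]:
            raise PermissionError(f"{x} lacks take over {y}")
        if right not in self.edges[(y, z)]:
            raise PermissionError(f"{y} has no {right} over {z} to take")
        self.edges[(x, z)].add(right)

    def grant(self, x: str, y: str, z: str, right: str) -> None:
        """Grant rule: x holds 'g' over y and `right` over z, so x gives y `right` over z."""
        self._require_subject(x)
        if "g" not in self.edges[(x, y)]:
            raise PermissionError(f"{x} lacks grant over {y}")
        if right not in self.edges[(x, z)]:
            raise PermissionError(f"{x} cannot grant a right it does not hold over {z}")
        self.edges[(y, z)].add(right)

    def create(self, x: str, new: str, kind: str, rights: Set[str]) -> None:
        """Create rule: x creates a new node and receives `rights` over it."""
        self._require_subject(x)
        if new in self.nodes:
            raise ValueError(f"{new} already exists")
        self.add_node(new, kind)
        self.edges[(x, new)] |= set(rights)

    def remove(self, x: str, y: str, right: str) -> None:
        """Remove rule: x drops one of its own rights over y."""
        self._require_subject(x)
        self.edges[(x, y)].discard(right)


if __name__ == "__main__":
    g = TakeGrantGraph()
    for name, kind in (("A", "subject"), ("B", "subject"), ("C", "object")):
        g.add_node(name, kind)
    g.edges[("A", "B")] |= {"t", "g"}     # A may take from and grant to B
    g.edges[("B", "C")].add("r")          # B can read C
    g.edges[("A", "C")].add("w")          # A can write C
    g.take("A", "B", "C", "r")            # A takes B's read right over C
    g.grant("A", "B", "C", "w")           # A grants B its write right over C
    print(g.rights("A", "C"), g.rights("B", "C"))   # {'r', 'w'} {'r', 'w'}
```

Every rule checks the graph before it changes it, so the history of how a right arrived somewhere is always a chain of take/grant edges that can be audited; that is the property the model's safety analyses rely on.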
Goguen-Meseguer Model
The Goguen-Meseguer model protects the integrity objectives of data. Moreover, the model works by setting the domain of objects to which a subject will have access. In addition, it is the foundation of the noninterference concepts discussed earlier and applies separation of domain principles. Subjects in this model gain access to objects through predetermined security policies.
The Goguen-Meseguer model is built on automaton theory and separation of domain principles. This implies that the model strictly requires subjects to undertake predetermined actions against predetermined objects. Moreover, the model prohibits subjects in one domain from interfering with subjects in another domain.
Graham-Denning Model
The Graham-Denning model deals with the secure creation and deletion of subjects and objects. Besides, the model establishes an access control matrix to define the rights and permissions of subjects over objects. Moreover, the model contains protection rules that define the rights and permissions subjects will have over objects.
Harrison-Ruzzo-Ullman Model
The Harrison-Ruzzo-Ullman model focuses on assigning object access rights to subjects. Moreover, it defines a finite set of procedures to edit and change the access rights of a subject over an object. Similar to the Graham-Denning model, it employs an access control matrix to facilitate the assignment and modification of access rights.
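Both Graham-Denning and HRU treat the access control matrix as the state and a small, fixed set of commands as the only way to change it. The Python below is an added example, not code from the original article: it implements the matrix together with the eight commands from the Graham-Denning paper (create/delete subject, create/delete object, read/grant/delete/transfer a right), guarded by the paper's `owner` and `control` rights and a `*` copy flag. The subject and object names and the initial bootstrap subject are constructed.

```python
from typing import Dict, Set, Tuple


class GrahamDenningMatrix:
    """Access control matrix with the eight Graham-Denning commands (constructed example).

    matrix[(s, x)] holds the rights subject s has over entity x.  Two special rights
    drive the protection rules: 'owner' (of an object) and 'control' (of a subject).
    A right ending in '*' carries the copy flag and may be transferred onward.
    """

    def __init__(self, bootstrap_subject: str) -> None:
        self.subjects: Set[str] = {bootstrap_subject}
        self.objects: Set[str] = set()
        self.matrix: Dict[Tuple[str, str], Set[str]] = {}

    def rights(self, s: str, x: str) -> Set[str]:
        return set(self.matrix.get((s, x), set()))

    def _add(self, s: str, x: str, right: str) -> None:
        self.matrix.setdefault((s, x), set()).add(right)

    def _require(self, cond: bool, msg: str) -> None:
        if not cond:
            raise PermissionError(msg)

    def _purge(self, x: str) -> None:
        # Drop every matrix cell that mentions x as row or column.
        self.matrix = {k: v for k, v in self.matrix.items() if x not in k}

    # R5 / R7: creation gives the creator ownership (object) or control (subject)
    def create_object(self, s: str, x: str) -> None:
        self._require(s in self.subjects and x not in self.objects | self.subjects, "bad create")
        self.objects.add(x)
        self._add(s, x, "owner")

    def create_subject(self, s: str, x: str) -> None:
        self._require(s in self.subjects and x not in self.objects | self.subjects, "bad create")
        self.subjects.add(x)
        self._add(s, x, "control")

    # R6 / R8: only the owner deletes an object, only the controller deletes a subject
    def delete_object(self, s: str, x: str) -> None:
        self._require("owner" in self.rights(s, x), f"{s} does not own {x}")
        self.objects.discard(x)
        self._purge(x)

    def delete_subject(self, s: str, x: str) -> None:
        self._require("control" in self.rights(s, x), f"{s} does not control {x}")
        self.subjects.discard(x)
        self._purge(x)

    # R2: the owner of x may grant any right over x to another subject
    def grant(self, s: str, right: str, x: str, to: str) -> None:
        self._require("owner" in self.rights(s, x), f"{s} does not own {x}")
        self._require(to in self.subjects, f"{to} is not a subject")
        self._add(to, x, right)

    # R1: a right over x may be transferred only by a holder of that right WITH the copy flag
    def transfer(self, s: str, right: str, x: str, to: str) -> None:
        base = right.rstrip("*")
        self._require(base + "*" in self.rights(s, x), f"{s} lacks {base}* over {x}")
        self._require(to in self.subjects, f"{to} is not a subject")
        self._add(to, x, right)

    # R3 / R4: editing or reading another subject's rights over x needs ownership of x
    # or control of that subject
    def _owner_or_controller(self, s: str, x: str, of: str) -> bool:
        return "owner" in self.rights(s, x) or "control" in self.rights(s, of)

    def delete_right(self, s: str, right: str, x: str, of: str) -> None:
        self._require(self._owner_or_controller(s, x, of), f"{s} may not edit {of}'s rights")
        self.matrix.get((of, x), set()).discard(right)

    def read_rights(self, s: str, x: str, of: str) -> Set[str]:
        self._require(self._owner_or_controller(s, x, of), f"{s} may not read {of}'s rights")
        return self.rights(of, x)


if __name__ == "__main__":
    m = GrahamDenningMatrix("admin")
    for name in ("alice", "bob", "carol"):
        m.create_subject("admin", name)          # admin now controls each of them
    m.create_object("alice", "payroll")          # alice owns payroll
    m.grant("alice", "read*", "payroll", "bob")  # bob may read and pass the right on
    m.transfer("bob", "read", "payroll", "carol")  # carol may read but not pass it on
    print(m.read_rights("admin", "payroll", "alice"))   # {'owner'}: admin controls alice
```

The same matrix is the state HRU reasons about; what HRU adds is the proof that, once commands may create subjects and objects freely, deciding whether a right can ever leak into a given cell is undecidable in general, which is why real systems restrict the command set the way this one does.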
Sutherland Model
The Sutherland model focuses on ensuring the integrity of data, similar to the Biba model. Furthermore, it works by preventing interference to ensure the security objective of integrity. Like the Bell-LaPadula and Biba models, it employs the state machine and information flow models. However, unlike the BLP model, the Sutherland model prevents covert channel attacks.