CISSP Notes: Security Models: Access Control Models

As part of my intent on finally going after my CISSP, I thought I'd occasionally post these notes up as tutorials for those interested (occasionally basically means I have no idea how often I'll do this based on time and schedule). Today, I decided to take a look at some of the security models that are used in the industry to create security policies and to develop new security products and appliances. Many of these security models are theoretical and tend to deal with access controls.

Access controls provide the necessary rules and structure that detail how, and if, subjects will be allowed to use resources. Sometimes this also covers the interactions between users and resources and the protocols to follow. Basically, an access control model (or security model) allows us to detail how resources will be accessed, ensure that the method of accessing them is safe and secure, and help the overall security of the system. (Remember that there is no such thing as 100% security, but we can reduce the risk as much as possible and make things more difficult for those who challenge the secure environment we create.)

While the security model shows us how to implement our security procedures and rules, the state machine model looks at the system's present state and continually ensures that the system is in a secure state. The secure state is achieved through compliance with the security model. The security models that I will look at are:

- Bell-LaPadula

- Biba

- Clark-Wilson

- Non-interference

- Chinese Wall (sometimes referred to as Brewer and Nash)

Keep in mind that not all models will work in all situations. Many of these models were developed with military needs in mind.

Bell-LaPadula Model

Developed in the 1970s for the US military, it deals with sensitive information being accessed by those who shouldn't have access. This model specifically deals with the complexity of subjects having multiple levels of clearance for different information types and different classifications. Simply put: confidentiality.

Basically, the system compares the subject's clearance level with the classification of a particular object. If the subject has an equal or higher clearance, they can look at the object; if not, they are denied access. The model looks at factors such as the subject itself, the object (resource), the type of access (read-write, read only, write only) and the designated security levels for both subjects and objects.

To help with control of the confidentiality of information, there are two main rules to the BLP:

1. No read up: a subject cannot read information at a higher security level. (simple confidentiality)

2. No write down: a subject cannot alter information at a lower security level. (prevents declassification of material)

While developed for the military, this model may have some benefits for commercial enterprises, since recent security surveys indicate that theft of proprietary information is the number one attack in computer and network security breaches.

Biba Model

One of the models that deals with integrity, this model was based on the BLP but was targeted more at commercial endeavours than military ones. Military organizations are big on confidentiality and security; commercial enterprises, however, are often more concerned with integrity and ensuring that information hasn't been altered when going from one point to another.

While fundamentally covering many of the same areas, the rules are "reversed":

1. No write up: a subject cannot alter information at a higher security level (integrity)

2. No read down: a subject cannot read information at a lower security level (integrity: prevents resources at higher levels from being altered based on information at lower levels)

Again, while this was developed with commercial enterprises in mind, this might benefit some aspects of the military.
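To make the "reversed" rules concrete, here is an added example (my own illustration, not code from the original post or from the CISSP material) that evaluates the two BLP rules and the two Biba rules above against the same subject and object. The level names are a constructed ordering; any totally ordered set of labels would do.

```python
# Added example (not from the original post): the BLP and Biba rules side by side.
# Constructed ordering of levels; a higher index means a higher level.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

def rank(level: str) -> int:
    """Position of a level in the ordering; raises ValueError on an unknown label."""
    return LEVELS.index(level)

def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = rank(subject_level), rank(object_level)
    if op == "read":
        return s >= o          # simple security property: no read up
    if op == "write":
        return s <= o          # *-property: no write down
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity): the BLP rules reversed, no read down, no write up."""
    s, o = rank(subject_level), rank(object_level)
    if op == "read":
        return s <= o          # simple integrity property: no read down
    if op == "write":
        return s >= o          # *-integrity property: no write up
    raise ValueError(f"unknown operation {op!r}")

def compare(subject_level: str, object_level: str) -> dict:
    """Decisions of both models for read and write, to show the reversal."""
    return {
        op: {"BLP": blp_allows(subject_level, object_level, op),
             "Biba": biba_allows(subject_level, object_level, op)}
        for op in ("read", "write")
    }

if __name__ == "__main__":
    # A Secret-cleared subject acting on a Confidential object.
    for op, verdicts in compare("Secret", "Confidential").items():
        print(op, verdicts)
```

Running it shows the mirror image directly: the Secret subject may read the Confidential object under BLP but not under Biba, and may write to it under Biba but not under BLP.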

Clark-Wilson Model

Like the Biba Model, this is an integrity-based type of security model. How this model achieves its security is slightly different: it uses what is referred to as a lattice (basically, a matrix with boundaries for upper and lower levels). In order for subjects to be able to access and/or alter resources (objects), they will have to do this through a program. It strikes me as similar to a *nix operating system, where the kernel is separated from the various applications (commands) and the user can only alter something through the use of those commands rather than direct access to the object (kernel).

While Biba only deals with integrity and specifically, unauthorized modification of information, Clark-Wilson goes further with authorized subjects making "bad" modifications of information and maintaining consistency.

This would work well for many accounting-type firms (perhaps something that Arthur Andersen should look into...).
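As an added example (my own, not from the original post), here is the "only through a program" idea applied to a small ledger, using the model's standard terms that the post does not spell out: constrained data items (CDIs), a certified transformation procedure (TP), access triples saying which subject may run which TP on which item, and an integrity verification procedure (IVP) that rejects an authorized but "bad" change. The account names, balances and the consistency rule are constructed.

```python
# Added example (not from the original post): Clark-Wilson style control over
# an accounting ledger. CDIs change only through a certified TP, run by a
# subject named in an access triple, and the result must pass the IVP.
# Names, balances and the consistency rule are constructed for illustration.
LEDGER = {"cash": 1000, "receivables": 500}       # the CDIs

def ivp(state: dict) -> bool:
    """IVP: every account non-negative. Catches authorized but bad changes."""
    return all(v >= 0 for v in state.values())

def transfer(state: dict, src: str, dst: str, amount: int) -> dict:
    """Well-formed transaction: moves value so the ledger total is preserved."""
    new = dict(state)
    new[src] -= amount
    new[dst] += amount
    return new

TPS = {"transfer": transfer}                       # certified TPs, by name
# Access triples (subject, TP, CDI): who may run which TP on which item.
TRIPLES = {("alice", "transfer", "cash"), ("alice", "transfer", "receivables")}

def run_tp(state: dict, subject: str, tp_name: str, src: str, dst: str, amount: int) -> dict:
    """The only path that changes CDIs; returns the new state or raises."""
    tp = TPS.get(tp_name)
    if tp is None:
        raise PermissionError(f"{tp_name!r} is not a certified TP")
    for cdi in (src, dst):
        if (subject, tp_name, cdi) not in TRIPLES:
            raise PermissionError(f"{subject} may not run {tp_name} on {cdi}")
    candidate = tp(state, src, dst, amount)
    if not ivp(candidate):
        raise ValueError("transaction would leave the ledger inconsistent")
    return candidate

def attempt(state: dict, subject: str, tp_name: str, src: str, dst: str, amount: int):
    """Report form of run_tp: ('ok', new_state) or (reason, message)."""
    try:
        return "ok", run_tp(state, subject, tp_name, src, dst, amount)
    except PermissionError as e:
        return "denied", str(e)
    except ValueError as e:
        return "rejected", str(e)

if __name__ == "__main__":
    print(attempt(LEDGER, "alice", "transfer", "cash", "receivables", 200))   # ok
    print(attempt(LEDGER, "bob", "transfer", "cash", "receivables", 200))     # denied
    print(attempt(LEDGER, "alice", "transfer", "cash", "receivables", 5000))  # rejected
```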

Non-interference model

This model is also sometimes referred to as the Goguen and Meseguer model, named after its creators. It is often used where there are multiple levels of security; it ensures that what a subject does at one security level will not have an impact on subjects at other security levels.

Access Control Matrix Model

A favourite of mine, we actually see this one easily in a variety of environments. This one uses a simple two-dimensional matrix to determine the necessary access for subjects. Subjects are placed in the rows, objects in the columns, and each cell lists the access that subject has to that object.

Code:
Subject    File 1          File 2
Joe        Read,Write      No Access
Sally      Write           Full Control
Bobby      Full Control    Read

I've used this method to develop necessary controls in Windows NT and 2000. Sometimes old-fashioned pencil and paper (or a Word document) can help develop a necessary and yet simple security model.
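The same matrix as a lookup table, in an added example that is my own and not part of the original post. Besides checking a single access, it shows the two views the matrix is normally stored as in practice: a row becomes a subject's capability list, a column becomes an object's ACL (the form Windows NT and 2000 keep on each file). "Full Control" is expanded to a constructed set of rights; a missing cell or unknown subject is a deny.

```python
# Added example (not from the original post): the post's access control matrix
# as a lookup table, plus the row (capability) and column (ACL) views of it.
FULL_CONTROL = {"read", "write", "execute", "delete", "change_permissions"}

# Constructed from the table in the post; "Full Control" expands to every right.
MATRIX = {
    "Joe":   {"File 1": {"read", "write"},    "File 2": set()},
    "Sally": {"File 1": {"write"},            "File 2": set(FULL_CONTROL)},
    "Bobby": {"File 1": set(FULL_CONTROL),    "File 2": {"read"}},
}

def allowed(subject: str, obj: str, right: str) -> bool:
    """Default deny: an unknown subject or object, or an empty cell, grants nothing."""
    return right in MATRIX.get(subject, {}).get(obj, set())

def capability_list(subject: str) -> dict:
    """Row of the matrix: what one subject may do to each object it can reach."""
    return {obj: sorted(rights) for obj, rights in MATRIX.get(subject, {}).items() if rights}

def acl(obj: str) -> dict:
    """Column of the matrix: which subjects may do what to one object."""
    return {subj: sorted(rows[obj]) for subj, rows in MATRIX.items() if rows.get(obj)}

if __name__ == "__main__":
    print(allowed("Joe", "File 2", "read"))     # False: the cell says No Access
    print(allowed("Bobby", "File 1", "delete")) # True: Full Control
    print(acl("File 1"))
    print(capability_list("Sally"))
```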

Chinese Wall (aka Brewer and Nash Model)

This model is an interesting one in that it monitors subjects' actions and, based on those actions (and previous activity), dynamically assigns access controls. This is to avoid conflicts of interest. Evidently this particular model works best in political environments, where politicians lose access to private sector positions for that exact reason.
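An added example (mine, not from the original post) of the dynamic part: the decision is made from the subject's access history rather than from a fixed label. Once an analyst has read one company's data, every other company in the same conflict-of-interest class becomes off limits to that analyst, while companies in unrelated classes stay open. The company names and the two conflict classes are constructed.

```python
# Added example (not from the original post): the Brewer and Nash "Chinese Wall"
# rule. Access depends on what the subject has already touched, so it is
# decided from history rather than a fixed label. Companies and conflict
# classes are constructed for the illustration.
CONFLICT_CLASSES = {
    "banking":   {"Bank A", "Bank B"},
    "petroleum": {"Oil X", "Oil Y"},
}

def conflict_class_of(company: str) -> str:
    """Name of the conflict-of-interest class a company belongs to."""
    for name, members in CONFLICT_CLASSES.items():
        if company in members:
            return name
    raise KeyError(f"{company!r} is in no conflict-of-interest class")

class ChineseWall:
    def __init__(self) -> None:
        self.history = {}   # subject -> set of companies already accessed

    def may_access(self, subject: str, company: str) -> bool:
        """Allowed if this company was seen before, or no rival of it was."""
        seen = self.history.get(subject, set())
        cls = conflict_class_of(company)
        return company in seen or all(conflict_class_of(c) != cls for c in seen)

    def access(self, subject: str, company: str) -> bool:
        """Grant and record an access; the record is what raises the wall."""
        if not self.may_access(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True

def analyst_day() -> list:
    """Constructed sequence: the wall forms as soon as the first bank is read."""
    wall = ChineseWall()
    return [(c, wall.access("analyst", c)) for c in ("Bank A", "Oil X", "Bank B", "Bank A")]

if __name__ == "__main__":
    for company, ok in analyst_day():
        print(f"{company:8} {'allowed' if ok else 'DENIED (conflict of interest)'}")
```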

This is a start for now. I will add more CISSP notes as time permits and if there is interest. If you have questions or comments, do not hesitate to ask or PM me.
