Multilevel Access Control
Multilevel access control models combine several of the access control models.
- Used when simpler access control models aren’t robust enough
- Used by military and government
The Bell-LaPadula Model
The Bell-LaPadula model implements a combination of discretionary and mandatory access controls (DAC and MAC) and is primarily concerned with the confidentiality of the resource in question.
- generally, MAC takes precedence over DAC
- two security models define how information can flow to and from the resource
- The Simple Security Property
- level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to access it
- summarized as no read up
- The * Property (Star Property)
- anyone accessing a resource can only write (or copy) its contents to another resource classified at the same level or higher
- “no write down”
- The Discretionary Security Property
- requires use of an access matrix to enforce discretionary access control
- The Simple Security Property
The Biba Model
The Biba model of access control is primarily concerned with protecting the integrity of data, even at the expense of confidentiality.
- more important to keep people from altering it than viewing it
- 2 security rules that govern
- exact opposite of Bell-LaPadula
- The Simple Integrity Axiom
- The level of access granted to an individual must be no lower than the classification of the resource.
- Access to one level does not grant access to lower levels
- no read down
- The * Integrity Axiom (Star Integrity Axiom)
- Anyone accessing a resource can only write its contents to a resource classified at the same level or lower
- no write up
The Brewer and Nash Model
The Brewer and Nash model, aka Chinese Wall model, is an access control model designed to prevent conflicts of interest.
- considers the subject’s recent history and the roles the subject is fulfilling
- used in industries with sensitive data
- financial, medical, legal
- 3 main resource classes:
- Objects: Resources, such as files or information, pertaining to a single organization
- Company groups: All objects pertaining to an organization
- Conflict classes: All groups of objects concerning competing parties
Example
Commercial Law Firm
- firm represents competing individuals and companies
- individual lawyer needs has access to files for multiple clients, that could cause conflict of interest
- so with this model, the level of access dynamically changes based on the materials previously accessed
Clark-Wilson Model
The Clark-Wilson model considers three things together as a set: the subject, the object, and the kind of transaction the subject is requesting to perform upon the object.
- requires a matrix that allows only transaction types against objects to be performed by a limited set of trusted subjects
Noninterference Models
Noninterference models use security domains (sets of subjects) such that members in one domain cannot interfere with (interact with) members in “another domain.”
- e.g., Gogun-Meseguer
Graham-Denning Model
The Graham-Denning model uses a matrix to define allowable boundaries or sets of actions involved with the secure creation, deletion and control of subjects, and the ability to control assignment of access rights.