Information security has three basic attributes, viz., availability, confidentiality, and integrity, and the effectiveness of computer security policies depends on how well these three attributes are implemented and strengthened. Cybersecurity policies require the formulation and implementation of security access control models such as Bell-LaPadula (Bell, D.E. and LaPadula, L.J., 1973) and Biba (Biba, K.J., 1977) to ensure the availability, integrity, and confidentiality of information flows via network access.
In addition, modeling for computer security rests on some fundamental principles, such as the principle of defense in depth. This brief paper outlines the fundamental principles governing the Bell-LaPadula and Biba security access control models and also examines the defense in depth principle.
Computer Security Attributes and Computer Security Models
Computer security access control modeling takes into consideration the basic information security attributes of availability, confidentiality, and integrity. In other words, the purpose of a computer security access model is to help prevent unauthorized alteration (integrity) and disclosure (confidentiality) and, to a lesser extent, loss of access to computer resources and data (availability). Depending on the requirements of governments and of public corporations doing business, a variety of models have been developed over the years. Some well-known ones are Bell-LaPadula (1973) and Biba (1977).
Others are Clark-Wilson, Brewer and Nash, Graham-Denning, etc. All of these were developed to address specific issues such as ensuring information availability, confidentiality, and/or integrity. Based on how the models define the relationships among subjects, objects, permissions, and operations, access control models may be classified as discretionary access control (DAC), mandatory access control (MAC), or role-based access control (RBAC) (Ferraiolo, D.F., Kuhn, R., and Chandramouli, R., 2003).
The Bell-LaPadula computer access control model is a state machine model developed in 1973 for analyzing multilevel secure (MLS) operating systems. In this model, information is ordered by security level, and a security matrix defines the permissions; the flow of information from a higher level is governed by the Discretionary Security, Simple Security, and Star Properties. Clearances are given to users, and objects are classified according to given rules.
The advantage is that system security can be checked easily using the BLP model, and its state machine characteristics can be applied to other attributes such as integrity. However, the model contains covert channels, is meant for static security levels, and its use for system testing is restricted to checking confidentiality.
The Biba model was developed in 1977 to ensure the integrity of computer systems. In addition to maintaining data consistency, the model also restricts the unauthorized alteration of data and computer resources (Bishop, 2003). It has a strict integrity property that is the exact opposite of the Bell-LaPadula property. This property operates under three conditions, viz., the simple integrity condition, which enforces "no reading down"; the star integrity property, which enforces "no write up"; and the invocation property, under which a subject may invoke another subject with a lower integrity level (Balon, N., and Thabet, I., 2004). While the model has numerous dynamic policies, it has its disadvantages: it does not support the granting and revocation of authorizations, nor is it able to enforce confidentiality.
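As an added illustration (not code from the original paper), the following Python reference monitor encodes the Bell-LaPadula Simple Security and Star Properties in their standard "no read up" / "no write down" form alongside the Biba rules quoted above ("no read down", "no write up", and the invocation property), and shows why a system needing both confidentiality and integrity must consult both models. The level orderings, subject and object names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed orderings; a real policy may use a lattice with categories,
# but a total order is enough to show the rules of the two models.
SECRECY = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # BLP clearance (key of SECRECY)
    integrity: str   # Biba integrity level (key of INTEGRITY)

@dataclass(frozen=True)
class Obj:
    name: str
    classification: str  # BLP classification (key of SECRECY)
    integrity: str       # Biba integrity level (key of INTEGRITY)

def blp_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula: Simple Security (no read up), Star Property (no write down)."""
    s, o = SECRECY[subject.clearance], SECRECY[obj.classification]
    if op == "read":
        return s >= o   # object must be at or below the subject's clearance
    if op == "write":
        return s <= o   # object must be at or above the subject's clearance
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Biba: Simple Integrity (no read down), Star Integrity (no write up)."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op == "read":
        return s <= o   # object must be at or above the subject's integrity
    if op == "write":
        return s >= o   # object must be at or below the subject's integrity
    raise ValueError(f"unknown operation {op!r}")

def biba_may_invoke(caller: Subject, callee: Subject) -> bool:
    """Biba invocation property: invoke only subjects of equal or lower integrity."""
    return INTEGRITY[caller.integrity] >= INTEGRITY[callee.integrity]

def allowed(subject: Subject, obj: Obj, op: str) -> bool:
    """Reference-monitor decision: both models must permit the access (default deny).

    BLP alone would let a secret-cleared subject write up into a top-secret
    object; Biba alone would let it read down from a low-integrity object.
    """
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)
```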
The Principle of Defense in Depth
The principle is one of the key contributions of the US military, which developed it to ensure that the defense is hidden from attackers and that the defender has ample time and opportunity to respond to the adversaries' attacks. In information security, this implies a layered approach to modeling computer architecture and invariably envisions multiple security levels for defense. For example, two firewalls (one at an internal layer and another at the perimeter) are a more effective defense mechanism against cyber attacks than reliance on a single firewall. Essentially, multiple layers of security are used, and the technologies applied at each layer complement one another (Pereira, J.P., 2004).
Four sub-principles are envisioned in applying the defense in depth principle to computer systems: the network infrastructure is distributed so that security is applied on a broad base; multiple, parallel layers of security are built up; the supporting infrastructure is strengthened; and data mining and analysis of security events are carried out continuously to help evolve more effective and foolproof security systems. A few examples of multiple layers of defense using various controls are given below:
- Application layer: this may include validity controls for data entry and processing, host and network controls for guarding against possible flaws in software applications, etc.
- Physical layer: the related controls help protect organizational assets against physical threats; the assets include entire physical systems such as computers, UPSs, routers, switches, etc.
- Distribution layer: two defense controls may be the use of trusted software and distribution, and the application of run-time integrity controls.
Conclusion
The topic of computer security is too vast to warrant a comprehensive description in a few pages of text. The security control models described above have their merits and demerits, and the selection of one for a particular computer system architecture depends on its end use, complexity, and purpose. However, the technology landscape is changing very fast, and it may not be long before more innovative and foolproof IS systems are developed to effectively tackle the growing incidence and variety of computer security violations.
References
Balon, N., and Thabet, I., 2004, Biba Security Model Comparison.
Bell, D.E., and LaPadula, L.J., 1973, A Mathematical Model, Technical Report ESD-TR-278, vol. 2, The MITRE Corporation, Bedford.
Biba, K.J., 1977, Integrity Considerations for Secure Computer Systems, Technical Report TR-3153, The MITRE Corporation, Bedford.
Bishop, M., 2003, Computer Security: Art and Science, Addison-Wesley, Boston, MA.
Wilson, M., 2001, Defense in Depth, Design Notes, Decision Support Systems Inc. Web.
Eydt, B., Security Models and Architecture, CISSP Exam Preparation Guide.
Ferraiolo, D.F., Kuhn, R., and Chandramouli, R., 2003.
Lotz, V., 2003, Formal Security Policy Models, Siemens AG, CT IC 3. Web.
In Depth Defense Applied to Information Systems (Memo Version 1.1), 2004. Web.
Pereira, J.P., 2004, Defense in Depth: A Strategy to Secure Federal Networks, Juniper Networks, Inc.
Security Models and Architecture, CISSP Certification All-in-One Exam Guide, Chap. 5.
Stoneburner, G., Hayden, C., and Feringa, A., 2004, Engineering Principles for IT Security (Rev. A), NIST.