Computer Security: Bell-LaPadula & Biba Models Essay


Information security has three basic attributes, namely availability, confidentiality, and integrity, and the effectiveness of computer security policies depends on the efficacy of the methods by which these three attributes are implemented and/or strengthened. Cybersecurity policies require the formulation and implementation of security access control models such as the Bell-LaPadula (Bell, D.E. and LaPadula, L.J., 1973) and the Biba (Biba, K.J., 1977) models to ensure the availability, integrity, and confidentiality of information flows via network access.

In addition, modeling for computer security is based upon some fundamental principles, such as the Principle of Defense in Depth. This brief paper outlines the fundamental principles governing the Bell-LaPadula and Biba security access control models and examines the defense in depth principle.

Computer Security Attributes and Computer Security Models

Computer security access control modeling takes into consideration basic information security attributes of availability, confidentiality, and integrity. In other words, the purpose of a computer security access model is to help prevent unauthorized alteration (Integrity), disclosure (Confidentiality) and to a lesser extent, loss of access to computer resources and data (Availability). Depending on requirements by the government and public corporations doing business, a variety of models have been developed over the years. Some well-known ones are the Bell-LaPadula (1973) and the Biba (1977).

Others are Clark-Wilson, Brewer and Nash, Graham-Denning, etc. All these have been developed to address specific issues like ensuring information availability, confidentiality, and/or integrity. Based on how the models define relationships amongst subjects, objects, permissions, and operations, access control models may be classified as Discretionary Access Model (DAC), Mandatory Access Model (MAC), or Role-Based Access Control Model (RBAC) (Ferraiolo, D.F., Kuhn, R., and Chandramouli, R., 2003).

The Bell-LaPadula Computer Access Control Model is a state machine model developed in 1973 for analyzing multilevel security (MLS) operating systems. In this model, information is ordered by security level, permissions are defined through a security matrix, and the flow of information from a higher level is governed by the Discretionary Security, the Simple Security, and the Star Properties. Clearances are given to users, and objects are classified as per given rules.

The advantage is that system security can be easily checked by using the BLP Model, and its state machine model characteristics can be applied to other attributes like integrity. However, the model contains covert channels, is meant for static security levels, and its functionality for system testing is restricted to checking confidentiality.

The Biba model was developed in 1977 for ensuring the integrity of computer systems. In addition to maintaining data consistency, the model also restricts the unauthorized alteration of data and computer resources (Bishop, 2003). It has a strict restrictive integrity property which is the exact opposite of the Bell-LaPadula Model property. There are three conditions in which this property operates, viz., a simple integrity condition in which “no reading down” is enforced, the star integrity property which enforces “no write up”, and the invocation property in which the subject may invoke another with a lower integrity level (Balon, N., and Thabet, I., 2004). While the model has numerous dynamic policies, it has its disadvantages: it does not support the granting and revocation of authorizations, nor is it able to enforce confidentiality.
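The two rule sets described in the preceding paragraphs can be written as a small reference-monitor check. This is an added example, not part of the original essay: the three-level ordering, the subjects, the objects and the access matrix are constructed for illustration, and the Bell-LaPadula rules are given in their standard form (no read up, no write down, plus the access-matrix check).

```python
from enum import IntEnum

class Level(IntEnum):  # constructed three-level ordering (assumption)
    LOW = 0
    MEDIUM = 1
    HIGH = 2

# Constructed sample data: clearances, classifications and an access matrix.
CLEARANCE = {"analyst": Level.MEDIUM, "clerk": Level.LOW}
CLASSIFICATION = {"press_release": Level.LOW, "field_report": Level.MEDIUM,
                  "war_plan": Level.HIGH}
ACCESS_MATRIX = {
    ("analyst", "press_release"): {"read", "write"},
    ("analyst", "field_report"): {"read", "write"},
    ("analyst", "war_plan"): {"read", "write"},
    ("clerk", "field_report"): {"write"},
}

def blp_check(subject, obj, op):
    """Bell-LaPadula (confidentiality): return (allowed, reason)."""
    s, o = CLEARANCE[subject], CLASSIFICATION[obj]
    if op not in ACCESS_MATRIX.get((subject, obj), set()):
        return False, "discretionary security: not in access matrix"
    if op == "read" and s < o:
        return False, "simple security: no read up"
    if op == "write" and s > o:
        return False, "star property: no write down"
    return True, "ok"

def biba_check(subject_level, object_level, op):
    """Biba strict integrity: return (allowed, reason)."""
    if op not in ("read", "write", "invoke"):
        raise ValueError(f"unknown operation: {op}")
    if op == "read" and subject_level > object_level:
        return False, "simple integrity: no read down"
    if op == "write" and subject_level < object_level:
        return False, "star integrity: no write up"
    if op == "invoke" and subject_level < object_level:
        return False, "invocation: target has higher integrity"
    return True, "ok"

if __name__ == "__main__":
    for req in [("analyst", "war_plan", "read"), ("analyst", "press_release", "write"),
                ("clerk", "field_report", "write"), ("clerk", "field_report", "read")]:
        print("BLP ", req, blp_check(*req))
    for op in ("read", "write", "invoke"):
        print("Biba HIGH subject, LOW object:", op, biba_check(Level.HIGH, Level.LOW, op))
```

The clerk's write to the higher-classified field report passes the Bell-LaPadula check, while the same low-to-higher write is refused by the Biba check when the labels are read as integrity levels, which is the sense in which the two properties are opposites.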

The Principle of Defense in Depth

The principle is one of the key contributions of the US military, which developed it for ensuring that the defense is hidden from attackers and has ample time and opportunity to respond to their (adversaries’) attacks. In information security, this implies a layered security approach to modeling computer architecture and invariably envisions multi-layered security levels for defense. For example, we can develop two firewalls (one internal layer and another outside) as a more effective defense mechanism against cyber attacks instead of relying on a single firewall. Essentially, multiple layers of security are used, together with technologies at each layer that complement one another (Pereira, J.P., 2004).

Four sub-principles are envisioned in implementing the defense in depth principle in computer systems: the network infrastructure is distributed to broad-base the security application, multiple and parallel layers of security are built up, support infrastructure is strengthened, and data mining and data analysis of security events are continuously done to help evolve more effective and foolproof security systems. Examples of a few multiple layers of defense using various controls may be given as follows:

  1. Applications Layer: This may include validity controls for data entry and processing, host and network controls for guarding against possible flaws in software applications, etc.
  2. Physical Layer: The related controls help protect the organizational assets against physical threats, and the assets include entire physical systems like computers, UPS, routers, switches, etc.
  3. Distribution Layer: Two defense controls may be the usage of trusted software and distribution, and the application of run-time integrity controls.

Conclusion

The topic of computer security is too vast to warrant a comprehensive description in a few pages of text. The security control models described above have their merits and demerits, and their actual selection for any particular computer system architecture depends on the end-use, complexity, and purpose of the same. However, the technology landscape is changing very fast, and it may not be long before more innovative and fool-proof IS systems are developed to effectively tackle the growing incidences and variety of computer security violations.

References

Balon, N., and Thabet, I., 2004, Biba Security Model Comparison.

Bell, D.E. and LaPadula, L.J., 1973, A mathematical model, Technical report esd-tr-278, vol. 2, The Mitre Corporation, Bedford.

Biba, K.J., 1977, Integrity considerations for secure computer systems. Technical report tr-3153, The Mitre Corporation, Bedford.

Bishop, M., 2003, Computer Security: Art and Science, Addison Wesley, Boston, MA

Defense in Depth, Design Notes, Wilson, M., 2001, Decision Support Systems Inc. Web.

Eydt, B., Security Models and Architecture, CISSP Exam Preparation Guide.

Ferraiolo, D.F., Kuhn, R., and Chandramouli, R., 2003.

Formal Security Policy Models, Siemens AG, CT IC 3, Volkmar Lotz, 2003. Web.

In Depth Defense applied to Information Systems (Memo Version 1.1), 2004. Web.

Pereira, J.P. 2004, Defense in Depth. A Strategy To Secure Federal Networks, Jupiter Networks, Inc.

Security Models and Architecture, CISSP Certification All-in-one Exam Guide, Chap 5.

Stoneburger, G., Hayden, C., and Feringa, 2004, Engineering Principles for IT Security (Rev.A). NIST.

Reference

IvyPanda. (2021, October 4). Computer Security: Bell-Lapadula & Biba Models. https://ivypanda.com/essays/computer-security-bell-lapadula-amp-biba-models/
