In my latest post I talked about what security policies are and what a security policy contains, but how do we apply a security policy? With a security model.
A security model determines how a security policy will be implemented: which users can access the system, and in which roles. The model describes the entities governed by the policy and states the rules that constitute the policy.
There are many types of security models, classified by their scope, for example:
- Models that capture policies for confidentiality, such as Bell-LaPadula
- Models that capture policies for integrity, such as Biba and Clark-Wilson
- Models applied to environments with static policies, such as Bell-LaPadula
- Models applied to dynamic changes of access rights, such as Chinese Wall
There are many others, but I'll talk about only some of them.
How can we tell a model from a policy? Easy: a model maps the goals of a policy onto the data structures and techniques that are necessary to enforce the security policy.
State Machine Models
In this model the state of the machine is captured in order to verify the security of a system. Each state captures the permissions on objects and the subjects accessing them; if subjects can access objects only by means that are concurrent with the security policy, then the system is secure.
For the implementation, the developer must define what and where the state variables are, and then must define a secure state for each one.
Bell-LaPadula Confidentiality Model
This model was the first one to define a multilevel security policy for the states. It is a static model that enforces confidentiality. It focuses on ensuring that subjects with different clearances (top secret, secret, confidential) are properly authenticated.
Rules
- The simple security rule: a subject at a given security level cannot read any information from a higher level.
- The star property rule: a subject at a given security level cannot write information to a lower security level.
- The strong star property rule: a subject that has read and write capabilities can only perform those functions at the same security level, nothing higher and nothing lower.
Biba Integrity Model
Unlike Bell-LaPadula, it enforces the integrity of data. It uses a lattice of integrity levels for this.
Rules
- simple integrity rule (no read down): it states that a subject cannot read data from a lower integrity level.
- star integrity rule (no write up): it states that a subject cannot write data to an object at a higher integrity level.
- invocation property: it states that a subject cannot invoke (call upon) a subject at a higher integrity level.
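The state machine, Bell-LaPadula and Biba sections above, put together as an added example (not code from the original post): a small reference monitor that grants an access only when the resulting state is still secure. The `Level` chain, the `ReferenceMonitor` class, the operation names and the sample subjects and objects are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):                  # assumed simple chain; higher value = higher level
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_allows(subj: int, obj: int, op: str) -> bool:
    """Bell-LaPadula decision on confidentiality levels."""
    if op == "read":                   # simple security rule: no read up
        return obj <= subj
    if op == "write":                  # star property rule: no write down
        return obj >= subj
    if op == "read_write":             # strong star property rule: same level only
        return obj == subj
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subj: int, obj: int, op: str) -> bool:
    """Biba decision on integrity levels; for "invoke", obj is the invoked subject."""
    if op == "read":                   # simple integrity rule: no read down
        return obj >= subj
    if op in ("write", "invoke"):      # star integrity rule, invocation property
        return obj <= subj
    raise ValueError(f"unknown operation: {op}")

class ReferenceMonitor:
    """State machine: the state is the set of accesses currently granted."""
    def __init__(self, subjects: dict, objects: dict, allows=blp_allows):
        self.subjects, self.objects, self.allows = subjects, objects, allows
        self.accesses = set()          # {(subject, object, op)}

    def is_secure(self) -> bool:       # secure = every granted access obeys the rules
        return all(self.allows(self.subjects[s], self.objects[o], op)
                   for s, o, op in self.accesses)

    def request(self, subject: str, obj: str, op: str) -> bool:
        """Transition: move to the next state only if it is secure."""
        if not self.allows(self.subjects[subject], self.objects[obj], op):
            return False               # denied, state unchanged
        self.accesses.add((subject, obj, op))
        return True

def demo() -> list:
    # Constructed sample system, not taken from the post.
    rm = ReferenceMonitor({"alice": Level.SECRET},
                          {"plan": Level.TOP_SECRET, "memo": Level.CONFIDENTIAL})
    asked = [("alice", "plan", "read"), ("alice", "memo", "read"),
             ("alice", "memo", "write"), ("alice", "plan", "write")]
    return [rm.request(*a) for a in asked] + [rm.is_secure()]
```

Passing `allows=biba_allows` to the same monitor flips every comparison, which shows that Biba is the dual of Bell-LaPadula.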
Clark-Wilson Integrity Model
This model enforces the integrity of the information. It separates data between highly protected items, named constrained data items (CDI), and items that don't require a high level of protection, named unconstrained data items (UDI).
Goals
- Prevent unauthorized users from making modifications (addressed by the Biba model).
- Separation of duties prevents authorized users from making improper modifications.
- Well-formed transactions: maintain internal and external consistency, i.e. a well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to another.
So, there are many models, and different levels of protection for each model. I invite you to search further by yourself; here are some useful links on the topic: https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models and http://www.pearsonitcertification.com/articles/article.aspx?p=1998558&seqNum=4