Classic Security Architecture Models

--Originally published at Don't Trust Humans, Trust Computers

In a past post, I talked about security policies and how they are made, but I didn't say how they are put into action. The policies only tell you how things need to be organized and how they are supposed to function; they are the set of rules of the system. Some security policies describe behaviors that people inside a company need to follow, and others specify the behavior of the system itself. If the security policies only say how things are supposed to be, then how can we make sure they are being followed correctly? That is what security models are for.


A security model is the representation of a security policy. The model abstracts the goals of the policy and makes them a reality in the system by defining the mechanisms (and ultimately the code) that enforce them. The security model is the concrete way in which the policies are going to be fulfilled in the system. Think of the policies as the goals, or the end results, and of the models as the way we are going to achieve those goals. There are some very well-known models that many people use. These models are:

  • State Machine Models
    • Bell-LaPadula Model
    • Biba Model
    • Clark-Wilson Model
  • Information Flow Model
  • Noninterference Model
  • Brewer and Nash Model

State Machine Model

This model works by using "states" that say whether the system is secure or not. Here we check each instance of a subject accessing an object and verify that the resulting state is safe. When we use the word state, we mean a moment in time in the system. When a system moves from one state to another we call it a state transition. The purpose of the state machine is to always stay in a safe state according to the policies, which means every transition must take the system from a secure state to another secure state. Other models are based on this one, such as the Bell-LaPadula Model, the Biba Model, and the Clark-Wilson Model.

Bell-LaPadula Model

This model was created for military purposes in the 1970s. It is a multilevel security system, because different people will have access to different types of information within the system. A user will see information according to his/her level in the organization (in this case, military rank). This model is more concerned about confidentiality than anything else. Besides being based on a state machine model, it is also based on an information flow model. It follows three key rules:

  • The simple security rule: a subject at a certain security level cannot read any information from a higher level (no read up).
  • The star (*) property rule: a subject at a certain security level cannot write any information to a lower level (no write down).
  • The strong star property rule: a subject with read/write permission can only perform those actions at the level he/she is in; he/she cannot use them at any higher or lower level.

Biba Model

The Biba model is similar to the Bell-LaPadula model, but it focuses on integrity rather than confidentiality. It was made because Bell-LaPadula cared about nothing but the confidentiality of the data, which makes sense given that the US military designed it. But for some companies, confidentiality was as important as the integrity of the data. This model has two important rules:

  • No write up: a subject cannot write to a higher integrity level.
  • No read down: a subject cannot read from a lower integrity level.
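The Bell-LaPadula rules above and the Biba rules are mirror images of each other, and both are easiest to see as a reference monitor deciding one access at a time. The following is an added example written for this post, not code from the original; the level names and the sample requests are constructed for the demo.

```python
# Added example: a tiny reference monitor enforcing Bell-LaPadula
# (confidentiality) and Biba (integrity) over a linear ordering of levels.
# Level names are constructed for the demo.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def blp_allowed(subject, obj, op, strong_star=False):
    """Bell-LaPadula decision; op is 'read' or 'write', levels are names."""
    s, o = LEVELS[subject], LEVELS[obj]
    if strong_star:
        return s == o            # strong star: act only at your own level
    if op == "read":
        return s >= o            # simple security rule: no read up
    if op == "write":
        return s <= o            # star property: no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subject, obj, op):
    """Biba decision: the dual of Bell-LaPadula, protecting integrity."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o            # no read down: do not trust lower-integrity data
    if op == "write":
        return s >= o            # no write up: do not taint higher-integrity data
    raise ValueError(f"unknown operation {op!r}")


def evaluate(requests, model):
    """Run (subject, object, op) requests through one model; returns decisions."""
    return [(s, o, op, model(s, o, op)) for s, o, op in requests]


# Constructed sample: a 'secret' subject touching objects above and below it.
SAMPLE = [
    ("secret", "top_secret", "read"),     # BLP denies (read up), Biba allows
    ("secret", "confidential", "write"),  # BLP denies (write down), Biba allows
    ("secret", "confidential", "read"),   # BLP allows, Biba denies (read down)
    ("secret", "top_secret", "write"),    # BLP allows, Biba denies (write up)
]

if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", blp_allowed), ("Biba", biba_allowed)):
        print(name)
        for s, o, op, ok in evaluate(SAMPLE, model):
            print(f"  {s} {op} {o}: {'allow' if ok else 'deny'}")
```

Every request that one model allows, the other denies, which is why a system that needs both confidentiality and integrity cannot simply pick one of the two.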

Clark-Wilson Model

The Clark-Wilson Model takes a similar approach to the Biba Model in that it tries to protect the integrity of the information. Here the situation to be avoided is that users who have authorization commit unauthorized actions. To avoid this, users must go through an interface to make changes to the objects; they cannot make changes to the objects directly. This puts an extra barrier between the users and the data.
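As an added example (not code from the original post), here is what that "interface between the users and the data" looks like in Clark-Wilson terms: a user may only change a constrained data item through a transformation procedure they are authorized for, and an integrity check runs after every change. The ledger, the user names and the invariant are constructed for the demo.

```python
# Added example: a minimal Clark-Wilson style guard. Data is never written
# directly; each change goes through a registered transformation procedure
# (TP) listed in an access triple, and an integrity verification procedure
# (IVP) checks the result and rolls back any ill-formed transaction.
class IntegrityViolation(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self, ledger):
        self.cdis = {"ledger": dict(ledger)}        # constrained data items
        self.expected_total = sum(ledger.values())  # invariant the IVP checks
        self.tps = {}                                # TP name -> function
        self.triples = set()                         # (user, TP, CDI) triples
        self.audit = []                              # log of executed TPs

    def register_tp(self, name, func, cdi, allowed_users):
        self.tps[name] = func
        for user in allowed_users:
            self.triples.add((user, name, cdi))

    def ivp(self, cdi):
        ledger = self.cdis[cdi]
        return (all(v >= 0 for v in ledger.values())
                and sum(ledger.values()) == self.expected_total)

    def run(self, user, tp, cdi, **args):
        if (user, tp, cdi) not in self.triples:
            raise PermissionError(f"{user} may not run {tp} on {cdi}")
        snapshot = dict(self.cdis[cdi])
        self.tps[tp](self.cdis[cdi], **args)
        if not self.ivp(cdi):
            self.cdis[cdi] = snapshot   # roll back the ill-formed transaction
            raise IntegrityViolation(f"{tp} left {cdi} in an invalid state")
        self.audit.append((user, tp, cdi, args))
        return dict(self.cdis[cdi])


def transfer(ledger, src, dst, amount):
    """Well-formed transaction: value moves but is neither created nor lost."""
    ledger[src] -= amount
    ledger[dst] += amount


def build_demo():
    # Constructed sample: only the 'teller' role may run 'transfer' on the ledger.
    system = ClarkWilsonSystem({"alice": 100, "bob": 50})
    system.register_tp("transfer", transfer, "ledger", allowed_users={"teller"})
    return system
```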

Information Flow Model

This model takes care of how information flows inside the system. Information within the system can only flow in the ways it is permitted to. The flow of information can go in various directions, either from one level to another or even within the same level.

Noninterference Model

This model is completely different from the Information Flow Model, because it doesn't care about how the data flows inside the system; instead, it focuses on the operations users perform within their levels. The model verifies that the operations a high-level user performs do not interfere with or change the data of a low-level user. It was made this way so that, if a change is made at a high level, the low-level user would not be aware of that change, and the information would be more secure.

Brewer and Nash Model

Here, the main concern is that access controls can change dynamically depending on a user's actions. The model tries to protect data from being seen by users who aren't supposed to see it. Here we are not talking about levels, but rather about users. Let's suppose a company is working for several companies that compete with each other in the market. The users who work on the project for one company can't see the information from the project for the competing company.
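The competing-clients situation above is usually called the Chinese Wall, and the interesting part is that the decision depends on history: a user who has not touched anything may read any dataset, but the first read closes the door on that client's competitors. The following is an added example, not code from the original post; the company names and conflict classes are constructed.

```python
# Added example: a Brewer-Nash (Chinese Wall) monitor. Companies are grouped
# into conflict-of-interest classes; once a user has accessed one company's
# data, competitors in the same class become off-limits for that user.
from collections import defaultdict

# Constructed: conflict-of-interest class -> companies that compete
CONFLICT_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroInc"},
}


def conflict_class_of(company):
    for name, members in CONFLICT_CLASSES.items():
        if company in members:
            return name
    return None  # no competitors: treated as public, freely readable


class ChineseWall:
    def __init__(self):
        self.history = defaultdict(set)  # user -> companies already accessed

    def can_read(self, user, company):
        coi = conflict_class_of(company)
        if coi is None or company in self.history[user]:
            return True  # public data, or the same client as before
        # Denied if the user already touched a competitor in this class.
        return not any(conflict_class_of(c) == coi for c in self.history[user])

    def can_write(self, user, company):
        """Write rule: allowed only if the user can read this dataset and has
        read no other (non-public) company's data, so nothing learned from
        one client can be copied into another client's files."""
        return self.can_read(user, company) and all(
            c == company or conflict_class_of(c) is None for c in self.history[user])

    def read(self, user, company):
        if not self.can_read(user, company):
            return False
        self.history[user].add(company)  # this access changes future decisions
        return True
```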

As you can see, these were only some of the best-known models that exist, but that doesn't mean they will fit all the needs a company has. It is important to take that into consideration and see which model fits a company best. And, as always, you can build your own model according to your own needs.

Stay safe

A.C.
