Security

Model
Definition

• Security models of control are used to determine how

security will be implemented, what subjects can access the
system, and what objects they will have access to.
• Simply stated, they are a way to formalize security policy.
Security models of control are typically implemented by
enforcing integrity, confidentiality, or other controls.
Information Flow Model

• The Information Flow model is an extension of the state

machine concept and serves as the basis of design for both
the Biba and Bell-LaPadula models.
• The Information Flow model consists of objects, state
transitions, and lattice (flow policy) states.
• The real goal of the information flow model is to prevent
unauthorized, insecure information flow in any direction.
• This model and others can make use of guards. Guards allow
the exchange of data between various systems.
Noninterference Model

• The Noninterference model as defined by Goguen and

Meseguer was designed to make sure that objects and
subjects of different levels don’t interfere with the objects
and subjects of other levels.
• The model uses inputs and outputs of either low or high
sensitivity.
• Each data access attempt is independent of all others and
data cannot cross security boundaries.
Confidentiality

• Although the preceding models serve as a basis for many security

models that were developed later, one major concern is
confidentiality.
• Taken the example from U.S. Government entities such as the U.S.
Department of Defenses (DoD) are concerned about the
confidentiality of information.
• The DoD divides information into categories to ease the burden of
managing who has access to what levels of information.
• DoD information classifications are sensitive but unclassified (BU),
confidential, secret, and top secret. One of the first models to
address the needs of the DoD was the Bell-LaPadula model.
Integrity

• Integrity is one of the basic elements of the security triad

along with confidentiality and availability.
• Integrity plays an important role in security because it can
verify that unauthorized users are not modifying data,
authorized users don’t make unauthorized changes, and
that databases balance and data remains internally and
externally consistent.
• Although governmental entities are typically very concerned
with confidentiality, other organizations might be more
focused on the integrity of information.
Integrity

In general, integrity has four goals:

1. Prevent data modification by unauthorized parties.
2. Prevent unauthorized data modification by authorized
parties.
3. Must reflect the real world.
4. Must maintain internal and external consistency.
Integrity

Two security models that address secure systems for the aspect of
integrity include Biba and Clark-Wilson.
Other Security Models

A security model defines and describes what protection mechanisms are to be

used and what these controls are designed to achieve. These security models
include:
• Graham Denning Model → This model uses a formal set of protection
rules for which each object has an owner and a controller.
• Harrison-Ruzzo-Ullman Model → This model details how subjects and
objects can be created, deleted, accessed, or changed.
• Lattice model → This model is associated with MAC. Controls are applied
to objects and the model uses security levels that are represented by a
lattice structure. This structure governs information flow. Subjects of the
lattice model are allowed to access an object only if the security level of
the subject is equal to or greater than that of the object. Every subset has
a least upper bound and a greatest lower bound.