CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [162]
For example, if you’re authorized to access Secret information, you aren’t allowed to access Top Secret information, nor are you allowed to write to the system at a level lower than the Secret level. This creates upper and lower bounds for information storage. This process is illustrated in Figure 6.11. Notice in the illustration that you can’t read up or write down. This means that a user can’t read information at a higher level than they’re authorized to access. A person writing a file can’t write down to a lower level than the security level they’re authorized to access.
FIGURE 6.11 The Bell La-Padula model
The process of preventing a write down keeps a user from accidentally breaching security by writing Secret information to the next lower level, Confidential. In our example, you can read Confidential information, but because you’re approved at the Secret level, you can’t write to the Confidential level. This model doesn’t deal with integrity, only confidentiality. A user cleared for Secret information can potentially modify other documents at that same level.
To see how this model works, think about corporate financial information. The chief financial officer (CFO) might have financial information about the company that needs to be protected. The Bell La-Padula model would keep them from inadvertently posting information at an access level lower than their access level (writing down), thus preventing unauthorized or accidental disclosure of sensitive information. Lower-level employees wouldn’t be able to access this information because they couldn’t read up to the level of the CFO.
The main thing to remember about the Bell La-Padula model is that it is applied to every access, allowing it or disallowing it.
The Biba Model
The Biba model was designed after the Bell La-Padula model. The Biba model is similar in concept to the Bell La-Padula model, but it’s more concerned with information integrity, an area that the Bell La-Padula model doesn’t address. In this model, there is no write up or read down. In short, if you’re assigned access to Top Secret information, you can’t read Secret information or write to any level higher than the level to which you’re authorized. This keeps higher-level information pure by preventing less reliable information from being intermixed with it. Figure 6.12 illustrates this concept in more detail. The Biba model was developed primarily for industrial uses, where confidentiality is usually less important than integrity.
FIGURE 6.12 The Biba model
Think about the data that is generated by a researcher for a scientific project. The researcher is responsible for managing the results of research from a lower-level project and incorporating them into his research data. If bad data were to get into his research, the whole research project would be ruined. With the Biba model, this accident couldn’t happen. The researcher wouldn’t have access to the information from lower levels: That information would have to be promoted to the level of the researcher. This system would keep the researcher’s data intact and prevent accidental contamination.
The Biba model differs from Bell La-Padula in the implementation of a lattice of integrity levels that allows information to flow downward but not upward.
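The read and write rules of the two models can be compared side by side as access checks. The following is an added example, not code from the book: the function names are hypothetical, the three levels are the ones named in the text, and the both_allow check goes one step beyond the text to show what happens when both models are enforced on the same labels.

```python
from enum import IntEnum


class Level(IntEnum):
    """Levels named in the text, ordered lowest to highest."""
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject, obj, op):
    """Bell La-Padula (confidentiality): no read up, no write down."""
    if op == "read":
        return obj <= subject
    if op == "write":
        return obj >= subject
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return obj >= subject
    if op == "write":
        return obj <= subject
    raise ValueError(f"unknown operation: {op}")


def both_allow(subject, obj, op):
    """Enforce both models on one set of labels (goes beyond the text)."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decisions(model, subject):
    """Mediate every possible access for one subject and list what is allowed."""
    return sorted(f"{op} {obj.name}" for op in ("read", "write")
                  for obj in Level if model(subject, obj, op))


if __name__ == "__main__":
    for name, model in (("Bell La-Padula", blp_allows), ("Biba", biba_allows),
                        ("both", both_allow)):
        print(f"{name:15} Secret subject may: {', '.join(decisions(model, Level.SECRET))}")
```

With both rule sets applied to the same labels, a subject can read and write only at its own level.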
The Clark-Wilson Model
The Clark-Wilson model was developed after the Biba model. The approach is a little different from either the Biba or the Bell La-Padula method. In this model, data can’t be accessed directly: It must be accessed through applications that have predefined capabilities. This process prevents unauthorized modification, errors, and fraud from occurring. If a user needs access to information at a certain level of security, a specific program is used. This program may only allow read access to the information. If a user needs to modify data, another application would need to be used. This allows a separation of duties in that individuals are granted access only to the tools they need. All transactions