
6 Module 3 09 06 2023

The document discusses various confidentiality and integrity policies for information security, including Bell-LaPadula, Biba, and Clark Wilson models for maintaining confidentiality and integrity. It also covers hybrid policies like the Chinese Wall model, which addresses conflicts of interest by restricting access to information from competing companies once a user has accessed information about one company within that group. The goal is to prevent unauthorized disclosure of information while maintaining data integrity.

Uploaded by

Shreya Rajpal

Information Security

CBS3002

MODULE : 3

CONFIDENTIALITY POLICY
MODULE - 2
• Confidentiality policies

• Integrity policies

• Hybrid policies

• Non-interference

• Policy composition

• International standards.
CONFIDENTIALITY POLICIES
Introduction:

Confidentiality policies emphasize the protection of confidentiality.

The importance of these policies lies in part in what they provide, and in part in their role in the development of the concept of security.
CONFIDENTIALITY POLICIES
Goals of Confidentiality Policies:
• A confidentiality policy, also called an
information flow policy, prevents the
unauthorized disclosure of information.
• Unauthorized alteration of information is
secondary.
EXAMPLE:
• The navy must keep confidential the date on
which a troop ship will sail.
• If the date is changed, the redundancy in the
systems and paperwork should catch that change.
CONFIDENTIALITY POLICIES
• The term “governmental” covers several
requirements that protect citizens’ privacy.
• In USA the Privacy Act requires that certain
personal data be kept confidential.
• Income tax returns are legally confidential and are
available only to the Internal Revenue Service or
to legal authorities with a court order.
• The principle of “executive privilege” and the
system of non-military classifications suggest that
the people working in the government need to
limit the distribution of certain documents and
information
CONFIDENTIALITY POLICIES
There are 3 main types of Classic Security Models. 

1.) Bell-LaPadula 

2.) Biba

3.) Clark Wilson Security Model


1.) Bell-LaPadula 
CONFIDENTIALITY POLICIES
1.) Bell-LaPadula: 
• This model was invented by the scientists David Elliott Bell and Leonard J. LaPadula.

• Thus this model is called the Bell-LaPadula Model.

• It is used to maintain confidentiality.

• Here, Subjects (Users) and Objects (Files) are classified in a non-discretionary fashion, with respect to different layers of secrecy.
CONFIDENTIALITY POLICIES
1.) Bell-LaPadula: 

• SIMPLE CONFIDENTIALITY RULE:
The Simple Confidentiality Rule states that the Subject can only Read files on the Same Layer of Secrecy and the Lower Layer of Secrecy, but not the Upper Layer of Secrecy. This rule is therefore called NO READ-UP.
• STAR CONFIDENTIALITY RULE:
The Star Confidentiality Rule states that the Subject can only Write files on the Same Layer of Secrecy and the Upper Layer of Secrecy, but not the Lower Layer of Secrecy. This rule is therefore called NO WRITE-DOWN.
1.) Bell-LaPadula:

• STRONG STAR CONFIDENTIALITY RULE:
The Strong Star Confidentiality Rule is the strongest and most secure of the three. It states that the Subject can Read and Write files on the Same Layer of Secrecy only, and not on the Upper Layer of Secrecy or the Lower Layer of Secrecy. This rule is therefore called NO READ WRITE UP DOWN.
1.) Bell-LaPadula:

Bell-LaPadula Model (1973 and 1975)


• Corresponds to military style classifications.
• Has influenced the development of many other
models, including computer security technologies.

Simplest Type of Confidentiality Classification


1.) Bell-LaPadula:
• The four security levels are arranged with the most
sensitive at the top and the least sensitive at the
bottom.
• The higher the security clearance, the more sensitive
the information.
• A subject has a security clearance.
- Claire’s security clearance is C, and Thomas’ is TS.
• An object has a security classification.
- The security classification of the Electronic Mail
Files is S.
- The security classification of the Telephone List
Files is UC.
1.) Bell-LaPadula:
• The goal of the Bell-LaPadula security model is to
prevent read access to objects at a security
classification higher than the subject’s clearance.
• The Bell-LaPadula security model combines
mandatory and discretionary access controls.
• “S has discretionary read (write) access to O”
means that the access control matrix for S and O
corresponding to the discretionary access control
component contains a read (write) right!
– If mandatory controls are not present, S
would be able to read (write) O.
1.) Bell-LaPadula:
• Let L(S) = ls be the security clearance of subject S, and let
L(O)=lo be the security classification of object O.
- Simple Security Condition, Preliminary Version: S can
read O if and only if lo ≤ ls, and S has discretionary read
access to O.
- In Diagram: Claire & Clarence cannot read personnel
files but Tamara & Sally can read the activity log files.
- If Tamara decides to copy the contents of the personnel
files into the activity log files and set the discretionary access
permissions appropriately, Claire could then read the
personnel files.
- Thus, Claire is able to read the files at a higher level of
security.
- However, a second property prevents this!
1.) Bell-LaPadula:
*-Property (Star Property), Preliminary Version:
S can write O if and only if ls ≤ lo and S has
discretionary write access to O.
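The two preliminary rules and the Tamara/Claire copy scenario can be checked mechanically. The following Python sketch is an added example, not part of the original slides; Tamara's clearance, the classifications of the personnel and activity log files, and the access control matrix entries are assumptions, because the diagram the slides refer to is not reproduced here.

```python
from enum import IntEnum

class Level(IntEnum):          # linear ordering, least to most sensitive
    UC = 0                     # Unclassified
    C = 1                      # Confidential
    S = 2                      # Secret
    TS = 3                     # Top Secret

# L(S): Claire=C and Thomas=TS are from the slides; Tamara=TS is assumed.
CLEARANCE = {"Claire": Level.C, "Thomas": Level.TS, "Tamara": Level.TS}
# L(O): email=S and phone_list=UC are from the slides;
# personnel=TS and activity_log=C are assumed.
CLASSIFICATION = {"personnel": Level.TS, "email": Level.S,
                  "activity_log": Level.C, "phone_list": Level.UC}

# Discretionary access control matrix (constructed for this example).
ACM = {
    ("Tamara", "personnel"): {"read", "write"},
    ("Tamara", "activity_log"): {"read", "write"},
    ("Claire", "activity_log"): {"read", "write"},
    ("Claire", "personnel"): {"read", "write"},  # DAC alone would allow both
    ("Claire", "phone_list"): {"read"},
}

def can_read(s, o):
    """Simple security condition: lo <= ls AND discretionary read."""
    return CLASSIFICATION[o] <= CLEARANCE[s] and "read" in ACM.get((s, o), set())

def can_write(s, o):
    """*-property: ls <= lo AND discretionary write."""
    return CLEARANCE[s] <= CLASSIFICATION[o] and "write" in ACM.get((s, o), set())

def can_copy(s, src, dst):
    """Copying src into dst requires reading src and writing dst."""
    return can_read(s, src) and can_write(s, dst)

def decisions():
    return {
        "claire_reads_personnel": can_read("Claire", "personnel"),      # read-up
        "tamara_reads_activity_log": can_read("Tamara", "activity_log"),
        "tamara_copies_down": can_copy("Tamara", "personnel", "activity_log"),
        "claire_writes_personnel": can_write("Claire", "personnel"),    # write-up
    }

if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The copy is denied at the write step, not the read step: Tamara may read both files, but the *-property stops her writing into the lower-classified activity log.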
Integrity Policies
INTRODUCTION:
• An inventory control system may function
correctly if the data it manages is released; but it
cannot function correctly if the data can be
randomly changed.
• So integrity rather than confidentiality, is key.
• Integrity policies focus on integrity rather than
confidentiality, because most commercial and
industrial firms are more concerned with
accuracy than disclosure
Integrity Policies
Goals of Integrity Policy:
• Commercial requirements differ from military
requirements in their emphasis on preserving data
integrity.
• Lipner - identifies five requirements:
(1). Users will not write their own programs, but
will use existing production programs and
databases.
(2). Programmers will develop and test programs on a
nonproduction system; if they need access to actual
data, they will be given production data via a special
process, but will use it on their development system
Integrity Policies
(3). A special process must be followed to install a program from the development system onto the production system.

(4). The special process in requirement 3 must be controlled and audited.

(5). The managers and auditors must have access to both the system state and the system logs that are generated.
Integrity Policies
• These requirements suggest several principles of
operation:

• First comes separation of duty

• Next comes separation of function

• Last comes auditing


Integrity Policies
(1) Separation of Duty:
The principle of separation of duty states that if two
or more steps are required to perform a critical
function, at least two different people should perform
the steps.
• Moving a program from the development system to the
production system is an example of a critical function.
• Suppose one of the application programmers made an
invalid assumption while developing the program.
• Part of the installation procedure is for the installer to
certify that the program works “correctly,” that is, as
required
Integrity Policies
(2) Separation of function:
• Developers do not develop new programs on
production systems because of the potential threat
to production data.
• Similarly, the developers do not process production
data on the development systems.
• Depending on the sensitivity of the data, the
developers and testers may receive sanitized
production data.
• Further, the development environment must be as
similar as possible to the actual production
environment
Integrity Policies

(3) Auditing:
• Commercial systems emphasize recovery and
accountability.
• Auditing is the process of analyzing systems to
determine what actions took place and who
performed them.
• Hence, commercial systems must allow extensive
auditing and thus have extensive logging.
• Logging and auditing are especially important
when programs move from the development
system to the production system
Integrity Policies

(1) Biba Integrity Model

(2) Clark Wilson Integrity Model


Integrity Policies
Hybrid Policies

• Few organizations limit their security objectives to confidentiality or integrity only; most desire both, in some mixture.
Hybrid Policies

• It describes policies that involve a conflict of interest in business, and is as important.

• When an entity holds some confidential information and the company does not want that information disclosed within the company, it makes use of the Chinese Wall policy.
Chinese Wall Model

WHY Chinese Wall Model?

• The Chinese Wall Model addresses a Conflict of Interest problem.
• The Chinese Wall Model is NOT an Integrity policy, BUT an access control Confidentiality policy.
IDEA:
• You are able to access any information you want
from any company BUT once you access that
information, you are NO longer allowed to access
information from another company within that
class of companies.
Chinese Wall Model
• The Security policy builds on three levels of
Abstraction.
(1) Objects: such as files. Objects contain information about only one company.

(2) Company Groups: collect all objects concerning a particular company.

(3) Conflict Classes: cluster the groups of objects for competing companies. That is, a conflict class contains the CDs (company datasets) of companies in competition.
Chinese Wall Model
For Example:
• Consider the following conflict classes:
{Dialog, Mobitel, Airtel}
{Central Bank, HNB, HSBC}
{Microsoft}.
RULE (1). Simple Access Control Policy:
A subject may access information from any company as long as that subject has never accessed information from a different company in the same conflict class.
For Example:
If you access a file from Dialog, you will subsequently be blocked from accessing any files from Mobitel or Airtel.
Chinese Wall Model

• Simple Security Rule:

A Subject S can read an object O only if either
- O is in the same dataset (DS) as an object already accessed by S, or
- S has not read any objects in O's conflict of interest class (COI).
Chinese Wall Model

You are FREE to access files from companies in any other conflict class.

Notice that permissions change DYNAMICALLY.

The access rights that any subject enjoys depend on the history of past accesses.
Chinese Wall Model
• The Chinese Wall model is mainly about Conflicts of Interest (COI).
• COI: a conflict class contains the CDs of competing companies.
(1) Principle: Users should not access the confidential information of both a client organization and one or more of its competitors.
(2) How it works:
- Users have no "wall" initially.
- Once any given file is accessed, files with competitor information become inaccessible.
- Unlike other models, access control rules change with user behaviour.
Chinese Wall Model
• A Wall is defined by a set of rules that ensures no
subject from one side of the wall can access
objects on the other side of the wall.
Chinese Wall Model
RULE -2: Star Property

A Subject S can write an object O only if
- S can read O according to the Simple Security Rule, and
- all the objects S can read are in the same dataset as O.
Chinese Wall Model
• Example:
Alice & Bob work in the same company.
- Alice can read objects in Citybank's CD and Shell's CD.
- Bob can read objects in Bank of America's CD and Shell's CD.
- If Alice could write information from Citybank's object to an object in Shell's CD, then Bob could read it.
- Hence Bob could indirectly read information from Citybank.
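The history-dependent read rule and the star property can be seen together in a small reference monitor. This Python sketch is an added example, not part of the original slides; it assumes Citybank and Bank of America share one conflict class and Shell sits in another, and it interprets "objects S can read" in the star property as the datasets S has already read.

```python
# Conflict classes: telecom is from the slides; banks and oil are assumed
# groupings for the Alice/Bob example.
COI = {
    "telecom": {"Dialog", "Mobitel", "Airtel"},
    "banks": {"Citybank", "Bank of America"},
    "oil": {"Shell"},
}
COI_OF = {cd: name for name, cds in COI.items() for cd in cds}

class ChineseWall:
    def __init__(self):
        self.history = {}  # subject -> set of company datasets (CDs) read

    def can_read(self, s, cd):
        seen = self.history.get(s, set())
        # Allowed if already inside this CD, or nothing read in its COI class.
        return cd in seen or all(COI_OF[p] != COI_OF[cd] for p in seen)

    def read(self, s, cd):
        allowed = self.can_read(s, cd)
        if allowed:  # the wall only moves on a granted access
            self.history.setdefault(s, set()).add(cd)
        return allowed

    def can_write(self, s, cd):
        # Star property: readable target, and every CD read so far is the target.
        seen = self.history.get(s, set())
        return self.can_read(s, cd) and all(p == cd for p in seen)

def scenario():
    cw = ChineseWall()
    out = {
        "user_dialog": cw.read("User", "Dialog"),
        "user_mobitel": cw.read("User", "Mobitel"),      # same class as Dialog
        "user_shell": cw.read("User", "Shell"),          # other class: free
        "alice_citybank": cw.read("Alice", "Citybank"),
        "alice_shell": cw.read("Alice", "Shell"),
        "bob_boa": cw.read("Bob", "Bank of America"),
        "bob_shell": cw.read("Bob", "Shell"),
        "bob_citybank": cw.read("Bob", "Citybank"),      # direct read blocked
    }
    out["alice_writes_shell"] = cw.can_write("Alice", "Shell")  # indirect path
    cw.read("Carol", "Shell")
    out["carol_writes_shell"] = cw.can_write("Carol", "Shell")
    return out

if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Alice's write to Shell's CD is denied even though she can read it, which closes the Citybank to Shell to Bob path described above.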
Why Hybrid Security?
- The Chinese Wall model is an improvement on Bell-LaPadula and Biba because it provides confidentiality and integrity of data, whereas
- Bell-LaPadula provides confidentiality,
- Biba provides integrity alone.
Bell-LaPadula and Chinese Wall Models
• To emulate the Chinese Wall model using Bell-LaPadula, we assign a security category to each (COI, CD) pair.

• We define two security levels, S (for sanitized) and U (for unsanitized). By assumption, S dom U.
Bell-LaPadula and Chinese Wall Models

• The Bell-LaPadula Model cannot emulate the Chinese Wall model faithfully.
Non-interference and policy composition - Overview
Composition of Policies
ISSUES
Example
Analysis
Same Policies
Different Policies
Example
Non-Interference Models
