Conventional approaches to computer security have concentrated on defining security in terms of access to resources, implemented by locally imposed and managed constraints on simple access modes (e.g., read and write) to system resources (e.g., files and directories). It is now becoming accepted that this view of security is inadequate for managing security in a federation of administrative domains, where local policies may conflict with global objectives and some negotiation is required to adjust multiple local policies in order to prevent local policy conflicts from hindering the achievement of a global policy. This new security requirement demands not so much new implementation technology as new concepts to be elaborated. We shall argue that issues of security policy need to be derived from understanding the way that responsibility and authority work in an enterprise, and that the conventional approach of giving priority to modelling resource protection in terms of subjects, objects and rules, formalising these in a 'security policy' and expecting the result automatically to achieve organisational security objectives, is to misunderstand any legitimate local agency the security system may have as a global agency.

©1993 ACM 0-89791-635-2 $1.50

1 A Perspective on Computer Security Modelling

1.1 Old Security Paradigms¹

There have been a number of important and influential milestones in the development of secure systems processing classified data. We will loosely refer to this application domain as military security.

¹ The use of the word 'paradigm' (as a noun) in the title is the only such use in this paper. Our understanding of the use of the word in a philosophical context leads us to prefer the phrase 'conceptual model' (e.g., of security) instead.

One of the most important milestones has been the realisation that it is possible to produce security models which are applicable to a wide class of secure systems. The seminal work in this area is that of Bell and LaPadula [Bell and LaPadula 1976]. Most military secure systems developed since the late 1970s have been designed and built to the spirit of the Bell and LaPadula (BLP) model, if not to the letter. BLP has been beneficial in a number of ways. It has given a very clear requirement for system developers and evaluators. It has had a positive influence in ensuring that experience gained from developing one system could be applied to another. It has facilitated the development of formal tools for assessing security, and so on. However, there have been problems with systems based on BLP, not the least of these being the discovery, in many supposedly secure computer systems, of covert channels: that is, means of communication which violate the security policy but were not foreseen in the security specification. In effect, the security specification was unable to support the stated security policy. This has not, hitherto, caused the foundation of BLP to be challenged, but it has caused work to be undertaken on refining the model. Since the original papers by Bell and LaPadula there have been a number of attempts to produce more general models which take into account system properties such as covert channels. Two well known examples are the noninterference model of Goguen and Meseguer [Goguen and Meseguer 1982] and Sutherland's work based on possible worlds semantics [Sutherland 1986]. We can summarise both models by saying that they try to take into account information flow between two subjects no matter how it arises, whereas BLP is confined to constraints expressed in terms of components of the system state, such as files or directories. Nevertheless, despite the undoubted progress made by Goguen and Meseguer, Sutherland, and others, there still are considerable problems in building secure systems and verifying that they satisfy some stated security model. Dobson and McDermid [Dobson and McDermid 1989] have argued at length that these problems are inherent in the nature of the models so far chosen; that the problems could only be overcome by choosing more appropriate bases for the models; and they outlined a more appropriate (enterprise-oriented) basis for security models. This paper summarises the concepts embodied in the new security paradigms and explains some implications for secure system design and project management.

1.2 Current State of Computer Security

The following table, recently introduced at the Computer Security Foundations Workshop IV [LaPadula and Williams 1991], shows the amount of investigation that has been done in various aspects of computer security modelling. As the table shows, there has been a lot of work done on how to define the internal requirements and rules of operation of a secure system, based mainly on the models mentioned before. More recent work has examined security as a system property rather than as a property of a system component, thus allowing discussion of how to compose a system with a certain security property from a set of components with known properties; this is indicated in the table under the elaboration of system objectives and design.

But, as LaPadula and Williams point out, there is still much work to be done in understanding what 'security' means to the enterprise (as opposed to what property of a system is meant by the term 'secure'). In particular, the problem of relating system objectives ('secure') to management or organisational objectives ('security') cannot be addressed purely in terms local to the description of the system, such as components of system state. In terms of this taxonomy, our work addresses in some detail the first stage of elaboration, which specifies what is to be achieved by an information-processing enterprise, an important component of which is a secure computing system. In this paper we shall discuss a number of other issues that we have to understand before we can begin to create adequate new conceptual models of security which take account of the structure of the enterprise. Specifically, the concepts of responsibility and obligation, causation and consequence, authorisation, and conversation or exchange (of valuable resources) all need to be examined before the abstract concept of security can be characterised; and, in addition, the idea of information needs to be analysed before the concept of information security can. In this short paper it is not of course possible to do justice to all these difficult concepts; we shall merely indicate what seem to be the most relevant features and supply references to papers which take the various matters up in more detail.

We shall in the paper explain our terms by considering the following case of a security breach, which we take to be the paradigm case for our paper:

A client entrusts her* money to a bank. An untrustworthy bank clerk who is entitled under proper authorisation to transfer money from one account to another makes an unauthorised transfer of the money from the client's account to his own. Due to an oversight by the bank's internal auditor, this unauthorised transfer was never detected, and the client lost her money.

What seems to be important in this case is that the breach can be seen in terms not only of that aspect of security related to 'no unauthorised access', but also that aspect related to 'no violation of duty of care' and that aspect related to 'no possibility of consequential loss'. Carefully defined use of terms could perhaps lead to these distinctions being made in terms such as 'security', 'trust' and 'safety' respectively; but all these terms are already overloaded, and in any case we would probably informally use the term security indiscriminately to refer to some mixture of them all when we characterise the bank as being 'insecure', as it clearly is. It may be a side effect of the discussion outlined in this paper that the distinction hinted at above can be made clearer, but for the moment we shall assume that the term 'security' does indeed contain elements of all three aspects.

The rest of this paper is structured as follows. Section 2 discusses issues of causality and consequence, thus indicating the difference between 'no possibility of undesired behaviour' (a causal notion) and 'no undesired behaviour results in loss' (a consequential notion). Section 3 discusses obligations and responsibilities (which can be further divided into causal and consequential responsibilities), the idea being that where there is no 'duty of care to protect' involved, a security breach cannot be said to occur. Section 4 looks
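As an added illustration, not part of the paper, the bank-clerk case above expressed as checks over a constructed ledger. The clerk holds the access mode 'transfer', so a conventional subject/object/mode check permits the fraudulent transfer; the three aspects the paper names are only captured by asking whether the account holder mandated the transfer, whether the auditor's review caught it, and what loss follows when it is not caught. The roles, names, account identifiers, amounts, and the assumption that a flagged transfer is reversed are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    actor: str                    # person who executed the transfer
    src: str                      # debited account
    dst: str                      # credited account
    amount: int
    mandate_from: Optional[str]   # account holder who instructed it, if any


# Constructed: roles, the access modes each role holds, and account ownership.
ROLE = {"clerk_x": "clerk", "auditor_y": "auditor"}
ACL = {"clerk": {"transfer"}, "auditor": {"review"}}
OWNER = {"ACC-CLIENT": "client_c", "ACC-CLERK": "clerk_x", "ACC-SUPPLIER": "supplier_s"}


def access_check(actor: str, mode: str) -> bool:
    """Conventional subject/object/mode view: does the actor hold the mode?
    It says nothing about whose interests the operation serves."""
    return mode in ACL.get(ROLE.get(actor, ""), set())


def enterprise_authorised(t: Transfer) -> bool:
    """Enterprise view: the clerk's transfer right is exercised on behalf of
    account holders, so a transfer is authorised only when the owner of the
    debited account mandated it."""
    return t.mandate_from is not None and t.mandate_from == OWNER[t.src]


def review(ledger: List[Transfer]) -> List[Tuple[Transfer, List[str]]]:
    """The auditor's duty of care expressed as a ledger check."""
    findings = []
    for t in ledger:
        reasons = []
        if not enterprise_authorised(t):
            reasons.append("no mandate from owner of debited account")
        if OWNER.get(t.dst) == t.actor:
            reasons.append("executor is the beneficiary")
        if reasons:
            findings.append((t, reasons))
    return findings


def assess(ledger: List[Transfer], review_performed: bool) -> Dict[str, object]:
    """Classify the outcome under the three aspects named in the paper.
    Assumption (constructed for this example): a transfer the review flags
    is reversed, so only undetected unauthorised transfers cause loss."""
    unauthorised_access = any(not access_check(t.actor, "transfer") for t in ledger)
    flagged = {t for t, _ in review(ledger)} if review_performed else set()
    undetected = [t for t in ledger if not enterprise_authorised(t) and t not in flagged]
    loss: Dict[str, int] = {}
    for t in undetected:
        victim = OWNER[t.src]
        loss[victim] = loss.get(victim, 0) + t.amount
    return {
        "unauthorised access": unauthorised_access,
        "violation of duty of care": bool(undetected),
        "consequential loss": loss,
    }


# Constructed ledger reproducing the paper's case: one mandated transfer to a
# supplier, then the clerk moving the client's money into his own account.
LEDGER = [
    Transfer("clerk_x", "ACC-CLIENT", "ACC-SUPPLIER", 100, mandate_from="client_c"),
    Transfer("clerk_x", "ACC-CLIENT", "ACC-CLERK", 500, mandate_from=None),
]

if __name__ == "__main__":
    print("access-mode check on the fraudulent transfer:", access_check("clerk_x", "transfer"))
    print("auditor oversight:", assess(LEDGER, review_performed=False))
    print("auditor reviews:  ", assess(LEDGER, review_performed=True))
```

Run as written, the access-mode check returns True for the fraudulent transfer, the assessment without a review reports a violated duty of care and a loss of 500 to the client, and the assessment with a review reports neither, which is the distinction between 'secure' as a system property and 'security' as an enterprise objective that the paper draws.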
References

[1] D. Elliott Bell et al. Secure Computer System: Unified Exposition and Multics Interpretation, 1976.
[2] John E. Dobson et al. Information and Denial of Service, 1991, Database Security.
[3] James P. Titus et al. Security and Privacy, 1967.
[4] Alan Burns et al. On the Meaning of Safety and Security, 1992, Comput. J.
[5] John A. Zachman et al. A Framework for Information Systems Architecture, 1987, IBM Syst. J.
[6] John E. Dobson. Elicitation and Representation of a Security Policy for a Telecommunications Application, 1992, ICSE 1992.
[7] John E. Dobson et al. Security Models and Enterprise Models, 1988, Database Security.
[8] J. Meseguer et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.