Merging Models: Integrity, Dynamic Separation of Duty, and Trusted Data Management

One of the most important responsibilities of a database management system (DBMS) is maintaining the integrity of data. Traditional database integrity mechanisms have evolved in DBMSs to fulfill this need, including transaction management to maintain consistent results when requests execute concurrently and explicitly asserted integrity constraints to limit the values deemed legal. DBMSs also provide access controls that limit who is permitted to modify data. Despite these controls, however, DBMSs are still vulnerable to integrity violations due to users modifying data in unexpected ways or abusing their access authorizations for fraudulent or malicious purposes. Recent work in generalized integrity models, such as the Clark-Wilson model [Clark 1987, Clark 1988] and separation of duty models [Sandhu 1988, Badger 1989], provides new approaches for addressing these additional integrity needs. This paper interprets the Clark-Wilson model in the context of a DBMS in general, and of a trusted relational DBMS in particular. It presents a layered policy for Clark-Wilson integrity and dynamic separation of duty that can augment the conventional database integrity capabilities of a commercial trusted DBMS and can coexist with its existing policies. Building on existing models, our dynamic separation of duty model defines a general control structure and dynamic authorization capabilities. Clark-Wilson integrity and separation of duty are realized in the policy as interpreted in terms of DBMS objects and their interrelationships.
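The control structure the abstract describes, as an added illustration that is not the paper's own model or code: Clark-Wilson access triples (user, transformation procedure, CDI type) decide statically which TP a user may run, and an execution history supplies the dynamic separation-of-duty check, so the same user cannot run two conflicting TPs against the same CDI instance. The table names, sample triples and conflict pairs are constructed for this example.

```python
import sqlite3

# Constructed sample policy: Clark-Wilson access triples (user, TP, CDI type)
# and pairs of TPs that one user must not both perform on the same CDI.
TRIPLES = [
    ("alice", "create_invoice", "invoice"),
    ("alice", "approve_invoice", "invoice"),
    ("bob", "approve_invoice", "invoice"),
    ("bob", "pay_invoice", "invoice"),
]
CONFLICTS = [("create_invoice", "approve_invoice"),
             ("approve_invoice", "pay_invoice")]


def build_db():
    """In-memory DBMS holding the triples, the conflict pairs and the TP history."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE triple(user TEXT, tp TEXT, cdi_type TEXT);
        CREATE TABLE conflict(tp_a TEXT, tp_b TEXT);
        CREATE TABLE history(user TEXT, tp TEXT, cdi_id TEXT);
    """)
    db.executemany("INSERT INTO triple VALUES (?, ?, ?)", TRIPLES)
    db.executemany("INSERT INTO conflict VALUES (?, ?)", CONFLICTS)
    return db


def authorize(db, user, tp, cdi_type, cdi_id):
    """Decide whether `user` may run `tp` on the CDI instance `cdi_id`."""
    # Static check: the (user, TP, CDI type) triple must be certified.
    if not db.execute("SELECT 1 FROM triple WHERE user=? AND tp=? AND cdi_type=?",
                      (user, tp, cdi_type)).fetchone():
        return "denied: no access triple"
    # Dynamic separation of duty: look for a TP this user already ran on this
    # CDI instance that conflicts with the requested one (in either order).
    row = db.execute("""
        SELECT h.tp FROM history h JOIN conflict c
          ON (c.tp_a = h.tp AND c.tp_b = ?) OR (c.tp_b = h.tp AND c.tp_a = ?)
        WHERE h.user = ? AND h.cdi_id = ?""", (tp, tp, user, cdi_id)).fetchone()
    if row:
        return f"denied: conflicts with earlier {row[0]} by same user"
    # Record the execution so later requests on this CDI are checked against it.
    db.execute("INSERT INTO history VALUES (?, ?, ?)", (user, tp, cdi_id))
    return "allowed"
```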

[1] Dan Thomsen et al. Role-Based Application Design and Enforcement. Database Security, 1990.

[2] Z. G. Ruthberg et al. National Computer Security Conference Proceedings (11th): A Postscript: Computer Security--Into the Future, 17-20 October 1988. 1988.

[3] Michael J. Nash et al. The Chinese Wall security policy. Proceedings, 1989 IEEE Symposium on Security and Privacy, 1989.

[4] Steven B. Lipner et al. Non-Discretionary Controls for Commercial Applications. 1982 IEEE Symposium on Security and Privacy, 1982.

[5] Ravi Sandhu et al. Transaction control expressions for separation of duties. Proceedings, Fourth Aerospace Computer Security Applications Conference, 1988.

[6] Theodore M. P. Lee et al. Using mandatory integrity to enforce 'commercial' security. Proceedings, 1988 IEEE Symposium on Security and Privacy, 1988.

[7] Simon R. Wiseman et al. The Control of Integrity in Databases. DBSec, 1990.

[8] John A. McDermid et al. The Structure of Permissions: A Normative Framework for Access Rights. DBSec, 1991.

[9] Jackson Wilson. Views as the security objects in a multilevel secure relational database management system. Proceedings, 1988 IEEE Symposium on Security and Privacy, 1988.

[10] Lee Badger. A model for specifying multi-granularity integrity policies. Proceedings, 1989 IEEE Symposium on Security and Privacy, 1989.

[11] Simon R. Wiseman et al. A 'new' security policy model. Proceedings, 1989 IEEE Symposium on Security and Privacy, 1989.

[12] R. Sandhu. Transformation of access rights. Proceedings, 1989 IEEE Symposium on Security and Privacy, 1989.

[13] Paul A. Karger et al. Implementing commercial data integrity with secure capabilities. Proceedings, 1988 IEEE Symposium on Security and Privacy, 1988.

[14] Selim G. Akl et al. Views for Multilevel Database Security. 1986 IEEE Symposium on Security and Privacy, 1986.

[15] David D. Clark et al. A Comparison of Commercial and Military Computer Security Policies. 1987 IEEE Symposium on Security and Privacy, 1987.