Mandatory Access Control

Mandatory Access Control (MAC) describes a system-determined, rule-based access control strategy (p. 242) and is a generic term for concepts for controlling and managing access rights, especially on IT systems. Decisions about access permissions are based not only on the identity of the actor (user, process) and of the object (the resource being accessed) but also on additional rules and properties (such as categorizations, labels and code words). Unlike other security models such as the discretionary DAC model or the role-based RBAC model (p. 242 f.), special functions are incorporated into the IT system and its application programs that permit access to, use of and transformation of information only under the conditions required by the respective concept.


Areas of application

Models of Mandatory Access Control are intended to protect information from unauthorized access, with the protection enforced by the system itself. Protection of information here refers to confidentiality and integrity.

The primary application is the implementation of access control in IT systems. The security models can also be applied analogously to organizational structures, processes and building technology.

Such access control systems are needed especially in the military, where sensitive information concerns warfare, but also in government, where information on technology, politics, foreign trade and communications engineering must be protected (see also classified information). Another application is patient data in the healthcare sector, for example on the patient card.

There are two types of MAC concepts:

  • In the simplest (and in part historical) case, multi-level security systems, such systems are built from the model of protection levels. See the section Multi-level security systems.
  • In the more complex case, multilateral security models, such systems are not just a vertical arrangement of protection levels but a lattice consisting of several protection levels and code words ("labels"). See the section Multilateral security models.

Multi-level security systems

Multi-level security systems (MLS; also called multiple levels of security) correspond to the original form of Mandatory Access Control, which was described in the 1970s. Most implementations were used on mainframes in the military or security sector. To date this type of mandatory access control is the most widespread. In MLS systems access is always modelled using the protection-level model. Each object (resource to be accessed) is assigned a protection level. The individual protection classes divide the objects into "strata" (a vertical arrangement). The term "vertical" refers to the flow of information and means that information may readily flow only within a layer: secret information must not become public. Each subject (actor, user) is likewise assigned a protection level (its clearance). A subject can access an object in another layer only if the protection level of the subject (the clearance of a person) is at least as high as the protection level of the object (for example the secrecy level of a document). Access control here concerns the top-down and bottom-up flow of information.

Bell LaPadula

The Bell-LaPadula model deals with the confidentiality of data. It must not be possible to read information of a higher protection level, or to transfer information from a higher protection level to a lower one. Systems based on the Bell-LaPadula principle were mainly used where data is subject to confidentiality requirements. Classic Bell-LaPadula systems have been superseded by lattice- or compartment-based systems.
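The following is an added example, not code from the article: the two Bell-LaPadula rules over the linear protection levels described in the preceding sections, the simple security property ("no read up") and the *-property ("no write down"). The level names and the sample documents are constructed for the illustration.

```python
# Added example (not from the article): Bell-LaPadula over a linear set of
# protection levels. Level names and sample documents are constructed.
LEVELS = ["public", "confidential", "secret", "top_secret"]  # low -> high

# Constructed sample objects: document name -> protection level
DOCUMENTS = {
    "press_release": "public",
    "budget": "confidential",
    "ops_plan": "secret",
    "cipher_keys": "top_secret",
}


def rank(level: str) -> int:
    """Position of a protection level in the linear hierarchy (0 = lowest)."""
    return LEVELS.index(level)


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return rank(a) >= rank(b)


def may_read(subject_level: str, object_level: str) -> bool:
    """Simple security property ("no read up"): the subject's clearance
    must dominate the object's protection level."""
    return dominates(subject_level, object_level)


def may_write(subject_level: str, object_level: str) -> bool:
    """*-property ("no write down"): the object's level must dominate the
    subject's level, so information never flows to a lower layer."""
    return dominates(object_level, subject_level)


def readable(subject_level: str) -> list[str]:
    """Documents a subject with the given clearance may read."""
    return sorted(d for d, lvl in DOCUMENTS.items() if may_read(subject_level, lvl))


def writable(subject_level: str) -> list[str]:
    """Documents a subject with the given clearance may write to."""
    return sorted(d for d, lvl in DOCUMENTS.items() if may_write(subject_level, lvl))


if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:>12}: read {readable(level)}  write {writable(level)}")
```

Note that a subject cleared "secret" may write to "cipher_keys" (top secret) but not read it: the *-property only prevents information from flowing downwards, which is why practical systems usually confine subjects to reading and writing at exactly their own level.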

Biba

The Biba model is the reversal of the Bell-LaPadula model: information is protected not from being read but from being tampered with by unauthorized persons. The Biba model emphasizes the integrity of data. It is used on the one hand in information technology, e.g. as a countermeasure against attacks on security systems such as firewalls, and on the other hand in military systems, where it is fundamentally important that a command in the chain of command cannot be modified and an incorrect order thereby passed on.

LOMAC

Low-Water-Mark Mandatory Access Control (LOMAC) is a variation of the Biba model that allows high-integrity subjects read access to objects of lower integrity. The integrity level of the reading subject is lowered, so that it can no longer write to objects of high integrity. LOMAC systems are implemented mainly in chroot applications such as honeypots.
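An added example, not taken from the article, covering both the Biba section and the LOMAC variation above: the strict Biba rules ("no read down", "no write up") and a subject whose integrity level sinks to the low-water mark when it reads lower-integrity data. The integrity level names and the daemon scenario are constructed.

```python
# Added example (not from the article): strict Biba integrity rules and the
# LOMAC low-water-mark variant. Level names and the trace are constructed.
INTEGRITY_LEVELS = ["untrusted", "user", "system"]  # low -> high


def irank(level: str) -> int:
    """Position of an integrity level (0 = least trustworthy)."""
    return INTEGRITY_LEVELS.index(level)


def biba_may_read(subject_level: str, object_level: str) -> bool:
    """Strict Biba "no read down": a subject may only read objects whose
    integrity is at least its own, so low-integrity data cannot taint it."""
    return irank(object_level) >= irank(subject_level)


def biba_may_write(subject_level: str, object_level: str) -> bool:
    """Strict Biba "no write up": a subject may only modify objects whose
    integrity is at most its own."""
    return irank(subject_level) >= irank(object_level)


class LomacSubject:
    """Low-water-mark variant: reading lower-integrity data is permitted,
    but the subject's own level drops to that of the data (the low-water
    mark) and never rises again for this subject."""

    def __init__(self, level: str) -> None:
        self.level = level

    def read(self, object_level: str) -> None:
        """Always succeeds; demotes the reader if the object is less trusted."""
        if irank(object_level) < irank(self.level):
            self.level = object_level

    def may_write(self, object_level: str) -> bool:
        return biba_may_write(self.level, object_level)


def lomac_trace() -> list[tuple[str, str, bool]]:
    """Constructed scenario: a system daemon that, after reading untrusted
    network input, can no longer modify system files. Returns
    (action, subject level at that moment, permitted?) triples."""
    daemon = LomacSubject("system")
    events = [("write /etc/config", daemon.level, daemon.may_write("system"))]
    daemon.read("untrusted")  # e.g. parses a packet received from the network
    events.append(("write /etc/config", daemon.level, daemon.may_write("system")))
    events.append(("write /tmp/scratch", daemon.level, daemon.may_write("untrusted")))
    return events


if __name__ == "__main__":
    for action, level, ok in lomac_trace():
        print(f"{action:<20} as {level:<10} -> {'allowed' if ok else 'denied'}")
```

The trace shows why LOMAC suits confinement setups: a process that has consumed untrusted input keeps running, but it has permanently lost the ability to alter high-integrity files.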

Multilateral security models

The concept of multilateral security models is used for security systems that do not only make top-down or bottom-up considerations, as the Bell-LaPadula or Biba model do, but specify access rights on the basis of segments. Such systems form a lattice consisting of several protection levels and code words ("labels"). Technically both protection levels and code words are represented as labels. This results in a horizontal access system (the code words) with additional vertical properties (the protection levels). Access to classified information is then not possible on the basis of rank alone; all protection levels and code words must be satisfied. If user A has read access to the classification strictly confidential, he can read information of that classification. But the same user does not have access to data that is classified strictly confidential (code word: crypto). To make this complex situation clearer, such systems are also referred to as policy-based security models or rule-based security systems.

Compartment or Lattice model

Also referred to as the lattice model or compartment model (in German: Verband or Kategorie). The compartment model is based on the Bell-LaPadula model, extends the protection levels with code words and thus forms a lattice. It describes "admissible and inadmissible information channels between subjects" (p. 272). The lattice model was described in 1993 by Ravi S. Sandhu and in 1976 by Dorothy E. Denning. If user A has read access to the classification strictly confidential and to the classification confidential, he can read information of those classifications. But the same user does not have access to data classified as strictly confidential (crypto). Only if the user has access to the classification strictly confidential and to the code word crypto can he access that data.

In principle the model is a combination of protection levels with the need-to-know principle: objects are divided both vertically (by protection level) and horizontally (by subject area). Each subject is assigned a subject area and a protection level. A file can be accessed only if the requirements of both control systems are met. The main attention is paid to information flow control: it must not be possible for confidential information to be passed on to untrusted persons.
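As an added example that is not part of the article, the lattice described in the multilateral and compartment sections above: a label is a protection level plus a set of code words, a subject's label must dominate an object's label in both dimensions to read it, and the join of two labels gives the label a derived document must carry. The level names, the code words "crypto" and "nato" and the sample labels are constructed; the user A / crypto case is the article's own.

```python
# Added example (not from the article): labels as (level, code words) and the
# lattice order on them. Level and code word names are constructed.
from dataclasses import dataclass

LEVELS = ["public", "confidential", "strictly_confidential"]  # low -> high


@dataclass(frozen=True)
class Label:
    level: str
    codewords: frozenset  # horizontal compartments, e.g. {"crypto"}


def label(level: str, *codewords: str) -> Label:
    return Label(level, frozenset(codewords))


def dominates(a: Label, b: Label) -> bool:
    """Lattice order: a >= b iff a's level is at least b's level AND a
    carries every code word that b carries."""
    return LEVELS.index(a.level) >= LEVELS.index(b.level) and a.codewords >= b.codewords


def may_read(subject: Label, obj: Label) -> bool:
    """Read requires the subject to dominate the object (both dimensions)."""
    return dominates(subject, obj)


def may_write(subject: Label, obj: Label) -> bool:
    """Write requires the object to dominate the subject: information may only
    flow upwards in the lattice."""
    return dominates(obj, subject)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a document derived from a and b must carry,
    which is how information flow through derived objects is tracked."""
    level = a.level if LEVELS.index(a.level) >= LEVELS.index(b.level) else b.level
    return Label(level, a.codewords | b.codewords)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the most informative label readable by both."""
    level = a.level if LEVELS.index(a.level) <= LEVELS.index(b.level) else b.level
    return Label(level, a.codewords & b.codewords)


# The article's scenario, as constructed labels
USER_A = label("strictly_confidential")             # cleared, no code word
USER_A_CRYPTO = label("strictly_confidential", "crypto")
REPORT = label("confidential")
KEY_SCHEDULE = label("strictly_confidential", "crypto")

if __name__ == "__main__":
    print("A reads report:", may_read(USER_A, REPORT))
    print("A reads key schedule:", may_read(USER_A, KEY_SCHEDULE))
    print("A+crypto reads key schedule:", may_read(USER_A_CRYPTO, KEY_SCHEDULE))
    print("derived label:", join(REPORT, KEY_SCHEDULE))
```

The check in `dominates` is what turns the two separate mechanisms (vertical level, horizontal code word) into a single rule: a code word without the level, or the level without the code word, is not enough.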

Chinese Wall - Brewer - Nash

The term Chinese Wall has its origins in the financial sector and refers to rules intended to prevent conflicts of interest from arising (see also Chinese wall (finance)). The IT system is intended to prevent "undue exploitation of insider knowledge in the handling of bank or stock exchange transactions" or the disclosure of company-specific insider information to competing companies by a consultant (p. 260).
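An added example, not from the article, that goes beyond its description by showing the mechanism of the Brewer-Nash read rule: access depends on the subject's own access history, and once a consultant has read one company's data, every other company in the same conflict-of-interest class is walled off. The company datasets and conflict classes are constructed.

```python
# Added example (not from the article): the Brewer-Nash ("Chinese Wall") read
# rule. Company datasets and conflict-of-interest classes are constructed.
CONFLICT_CLASSES = {
    "banks": {"bank_a", "bank_b"},
    "oil_companies": {"oil_x", "oil_y"},
}


def conflict_class_of(dataset: str) -> str:
    """Name of the conflict-of-interest class a company dataset belongs to."""
    for name, members in CONFLICT_CLASSES.items():
        if dataset in members:
            return name
    raise KeyError(f"unknown dataset {dataset!r}")


class Consultant:
    """The decision is history-based, not label-based: a dataset is readable
    only if the consultant has never read a *different* dataset from the
    same conflict-of-interest class."""

    def __init__(self) -> None:
        self.history: set[str] = set()

    def may_read(self, dataset: str) -> bool:
        cls = conflict_class_of(dataset)
        return all(
            seen == dataset or conflict_class_of(seen) != cls
            for seen in self.history
        )

    def read(self, dataset: str) -> bool:
        """Record the access if permitted; return whether it was granted."""
        if not self.may_read(dataset):
            return False
        self.history.add(dataset)
        return True


def example_session() -> list[tuple[str, bool]]:
    """Constructed session: one consultant, four access attempts."""
    c = Consultant()
    return [(d, c.read(d)) for d in ("bank_a", "oil_x", "bank_b", "bank_a")]


if __name__ == "__main__":
    for dataset, granted in example_session():
        print(f"{dataset}: {'granted' if granted else 'denied'}")
```

Because the wall is built by the first access, not by configuration, an audit trail of reads is part of the security state itself; losing the history means losing the policy.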

Other security models

Clark Wilson

The Clark-Wilson model describes the integrity of commercial, non-military systems and is a variation of the classic MAC approach. Practically every major computer processes data based on the Clark-Wilson model.

BMA model ( British Medical Association)

The BMA model was described in 1996 by Ross Anderson. It combines properties of the Clark-Wilson model with the Bell-LaPadula security model. The BMA model is an access model developed for the protection of medical data; it is generally applicable to all data subject to privacy protection. In 1996 the model was adopted by the European medical organization UEMO. The BMA model is not created centrally but decentrally: the policy is determined by the patient.

Principle of necessary knowledge

The need-to-know principle provides an alternative to the protection-class model: here the objects are divided "horizontally" into subject areas, and each subject is assigned the subject areas for which he or she is responsible. Depending on the specification, a subject that wants to access an object must belong either to all or to at least one of the subject areas associated with the object. Thus the distribution range of information is severely limited and control of information flow is facilitated.

The advantage of this security concept is that the individual actors are granted only the rights they need to do their job. Thereby the risk of applications being misused by exploiting security vulnerabilities is minimized.

This means, for example, that an application that does not require authorization for network access receives no such rights. As a consequence, an attacker who exploits a vulnerability in the program cannot abuse it to establish network connections.
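An added example, not part of the article, for the need-to-know section above: objects are tagged with subject areas, subjects (here, applications) hold a set of areas, and the policy can be evaluated in either of the two variants the text mentions, "all areas required" or "at least one area required". The subject areas, applications and object names, including the network endpoint an editor is never granted, are constructed.

```python
# Added example (not from the article): need-to-know access with the "all"
# and "any" variants. Areas, applications and objects are constructed.

# Constructed: object -> subject areas it belongs to
OBJECTS = {
    "/srv/documents/report.docx": {"documents"},
    "/srv/documents/contract.pdf": {"documents", "legal"},
    "tcp:0.0.0.0:443": {"network"},
}

# Constructed: subject (application) -> subject areas it is responsible for
SUBJECTS = {
    "editor": {"documents"},
    "web_server": {"documents", "network"},
    "legal_review": {"legal"},
}


def may_access(subject: str, obj: str, mode: str = "all") -> bool:
    """mode="all": the subject must hold every area the object belongs to.
    mode="any": holding at least one of the object's areas suffices.
    Unknown subjects hold no areas and are therefore denied everything."""
    needed = OBJECTS[obj]
    held = SUBJECTS.get(subject, set())
    if mode == "all":
        return needed <= held
    if mode == "any":
        return bool(needed & held)
    raise ValueError(f"unknown mode {mode!r}")


def reachable(subject: str, mode: str = "all") -> list[str]:
    """Every object the subject may access under the chosen variant."""
    return sorted(o for o in OBJECTS if may_access(subject, o, mode))


if __name__ == "__main__":
    for app in SUBJECTS:
        print(f"{app:<13} all: {reachable(app, 'all')}")
        print(f"{app:<13} any: {reachable(app, 'any')}")
```

The "all" variant is the stricter one and is what makes the document shared between two areas unreachable for a subject holding only one of them; the "any" variant trades that strictness for easier administration.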

Disadvantages

The disadvantage of this concept is the complexity of the configuration, since the access permissions each application needs must be determined individually.

Implementations
