Information Flow Model
The model describes how information may flow in a secure system. Both Bell-LaPadula and Biba use this model.
Chinese Wall Model
AKA Brewer-Nash was designed to address risks inherent with employing consultants working within banking and financial institutions, by prohibiting one person such as consultants from accessing multiple conflict of interest categories (COIs). It requires that COIs be identified so that once a consultant gains access to one COI, they cannot read or write an opposing CoI.
Noninterference Model
Ensures data at different security domains remain separate from one another. Covert channel communication does not occur because the information cannot cross security boundaries. Each data access attempt is independent and has no connection with any other data access attempt.
Take-Grant
The Take-grant Protection Model contains rules that govern the interactions between subjects and objects and permissions subjects can grant to other subjects. The rules include: take, grant, create and remove. Each subject and object would be represented on a graph.
Access control matrix
An access control matrix is a table that defines access permissions between specific subjects and objects. The rows shows the capabilities of each subject; each row is called a capabilities list. The columns show the ACL for each object or application
Zachman Framework for Enterprise Architecture
Provides six frameworks for providing information security, asking what, how, where, where, when and why and mapping those frameworks across rules including planner, owner, designer, builder, programmer and user. These frameworks and roles are mapped to a matrix (table)
Graham-Denning Model
The Graham-Denning Model has three parts: objects, subjects and rules. It provides a more granular approach for interaction between subjects and objects. There are eight rules.
- R1: Transfer Access
- R2: Grant Access
- R3: Delete Access
- R4: Read Object
- R5: Create Object
- R6: Destroy Object
- R7: Create Subject
- R8: Destroy Subject
Harrison-Ruzz-Ullman-Model
The HRU model maps subjects and objects and access rights to an access matrix. It is considered a variation to the Graham Denning Model. It has six primitive operations and considers subjects to be objects.
- Create Object
- Create Subject
- Destroy Subject
- Destroy Object
- Enter right into access matrix
- Delete right from access matrix
Modes of operations
Defining the mode of operation for an IT system will greatly assist in identifying the access control and technical requirements that system must have. There are four modes of operations:
- Dedicated – The system contains objects of only one classification label. All subjects must possess a clearance of equal to or greater than the label of the objects. Each subject must have the appropriate clearance, formal access approval, and need to know for all the information stored and processed on the system.
- System High – The system contains object of mixed labels. All subjects must posses a clearance equal to the system’s highest object.
- Compartmented – All subjects accessing the system have the necessary clearance but do not have the appropriate formal access approval, nor need to know for all the information found on the system. Objects are placed into “compartments” and require a formal (system-enforced) need to know to access. Compartmented mode systems use “technical controls” to enforce need to know.
- Multilevel – Stores objects of differing sensitivity labels, and allows system access by subjects with differing clearances. The reference monitor mediates access between subjects and objects.
