
April 02, 2008

Contrasting Privacy & Integrity Models

Information Centric Follow-on comments

There was a comment on Rich Mogull's blog, after he posted Principles of Information Centric Security, about existing models for security and integrity, and about whether the approach is novel. I think both points are worth delving into in a bit more detail.

The Bell-LaPadula model, as I understand it, assigns security levels to subjects and objects and governs how information may flow between those levels: a subject may read an object only at or below its own level (no read up) and may write only at or above it (no write down). Its motivation was to keep classified information from leaking by giving handling rules that a reference monitor can enforce. In essence it provides decision support for who gets to do what to the data. This is a confidentiality policy model for data; it says nothing about whether the data itself is correct. If your business application is secure document management, this would embody the business rules you might choose to implement, or one of several you choose to implement.

The Clark-Wilson model, as I understand it, is about data integrity. It ties users, certified transformation procedures (the application code) and constrained data items together in access triples, and adds integrity verification procedures that check the state of the data. Users are authenticated, each transformation procedure is certified for use with particular user and data combinations, and the data can only be changed by going through a certified procedure. In a nutshell, once data in the system is verified for integrity, every modification is subsequently verified before the transaction is committed. If your business application is airline flight scheduling, this would be a framework to ensure that all operational and logistical constraints were met before a schedule change is accepted, so the data stays consistent.
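To make the contrast between the two models concrete, here is an added example (not code from the original post or from Mogull's principles) that implements each as a small decision function: a Bell-LaPadula check for read and write requests over a level/compartment lattice, and a Clark-Wilson monitor that only lets a constrained data item change through a certified transformation procedure named in an access triple, verifying the item before and after. The levels, user names, the account-balance data item and its invariant are all constructed for illustration.

```python
"""Bell-LaPadula and Clark-Wilson as decision functions.

Added example (not from the original post): two small reference monitors,
one enforcing Bell-LaPadula's read/write rules, one enforcing Clark-Wilson's
access triples and integrity verification.  All names, levels and the
account-balance data are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

# ---- Bell-LaPadula: confidentiality --------------------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: level at least as high and a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allowed(subject: Label, obj: Label, mode: str) -> bool:
    """Simple security property (no read up) and *-property (no write down)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


# ---- Clark-Wilson: integrity --------------------------------------------
class IntegrityError(Exception):
    pass


@dataclass
class CDI:
    """Constrained data item: a ledger account whose balance may not go negative."""
    name: str
    balance: int


def ivp_balance_nonnegative(cdi: CDI) -> bool:
    """Integrity verification procedure: the invariant the CDI must satisfy."""
    return cdi.balance >= 0


def tp_deposit(cdi: CDI, amount: int) -> None:
    cdi.balance += amount


def tp_withdraw(cdi: CDI, amount: int) -> None:
    cdi.balance -= amount


class ClarkWilsonMonitor:
    """Every change to a CDI goes through a certified TP named in an access triple."""

    def __init__(self, ivp: Callable[[CDI], bool]) -> None:
        self.ivp = ivp
        self.tps: Dict[str, Callable[..., None]] = {}
        self.triples: Set[Tuple[str, str, str]] = set()  # (user, tp, cdi)

    def certify_tp(self, name: str, fn: Callable[..., None]) -> None:
        self.tps[name] = fn

    def allow(self, user: str, tp_name: str, cdi_name: str) -> None:
        if tp_name not in self.tps:
            raise IntegrityError(f"{tp_name} is not a certified TP")
        self.triples.add((user, tp_name, cdi_name))

    def run(self, user: str, tp_name: str, cdi: CDI, *args) -> int:
        if (user, tp_name, cdi.name) not in self.triples:
            raise PermissionError(f"no access triple for ({user}, {tp_name}, {cdi.name})")
        if not self.ivp(cdi):
            raise IntegrityError(f"{cdi.name} failed IVP before {tp_name}")
        before = cdi.balance
        self.tps[tp_name](cdi, *args)
        if not self.ivp(cdi):
            cdi.balance = before  # roll back: a TP may not leave the CDI invalid
            raise IntegrityError(f"{tp_name} would leave {cdi.name} invalid")
        return cdi.balance


def build_demo_monitor() -> ClarkWilsonMonitor:
    """Constructed policy: the teller may deposit and withdraw; audit may only deposit."""
    m = ClarkWilsonMonitor(ivp_balance_nonnegative)
    m.certify_tp("deposit", tp_deposit)
    m.certify_tp("withdraw", tp_withdraw)
    m.allow("teller", "deposit", "acct-1")
    m.allow("teller", "withdraw", "acct-1")
    m.allow("audit", "deposit", "acct-1")
    return m


if __name__ == "__main__":
    print(blp_allowed(Label("secret"), Label("confidential"), "read"))    # True
    print(blp_allowed(Label("secret"), Label("confidential"), "write"))   # False
    acct = CDI("acct-1", 100)
    print(build_demo_monitor().run("teller", "withdraw", acct, 30))       # 70
```

Note what each monitor does not check: the Bell-LaPadula function never looks at the content of the object, and the Clark-Wilson monitor never asks whether the reader is cleared to see the balance. Each model answers one question, and both answers only hold while every access actually passes through the monitor, which is the assumption the rest of the post questions.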

Conceptually, either model could be implemented in an Information Centric manner, at the application level (the typical approach), or at the network/device level (in a DLP-esque way). Clark-Wilson bases its rules on a controlled system. We are moving to systems that are globally networked, where we cannot necessarily rely upon central, organized control. Hierarchical security models with mono-directional establishment of trust do not work in that setting.

Clark-Wilson has a couple of weaknesses, as by definition it implies a closed 'system'. It relies upon trust relationships that may not hold, for example within an SOA framework. How do you ensure the integrity of the transformation procedures themselves? A rogue participant can simply ignore the rules of the game. 'System'-certified relations may not be trustworthy, and a user has no way of certifying the systems, because trust in the relationships is implicit in how they are defined. Could it be augmented to fill these gaps? Probably. But this is the tit-for-tat game we have been playing for decades.

I could make similar statements about Bell-LaPadula in non-trusted environments, and I recognize that Bell-LaPadula could also be augmented to deal with the issues raised above. That is neither here nor there. My point is not to find weaknesses in these two models; both do what they were designed to do very well. I do want to show the difference made by wrapping security and integrity up with the data, and giving that bundle enough information to defend itself against untrusted applications or subverted access controls. An Inside-Out model, not Outside-In.
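As an added illustration of the Inside-Out idea (example code written for this page, not the author's or Mogull's design), the block below wraps a record with its own handling policy and a keyed hash over both, so that a consumer checks the data's integrity and policy from the bundle itself rather than trusting whichever application handed it over. The key, the policy fields (`readers`, `purposes`) and the payload are constructed for the example; the "untrusted app" is a stand-in that rewrites the data and grants itself access.

```python
"""Integrity that travels with the data.

Added example (not from the original post): a self-describing bundle that
carries its own handling policy and an HMAC over payload and policy, so a
consumer can reject tampering regardless of which application handed it over.
The key, policy fields and payload are constructed for illustration; in
practice the key would be provisioned to the data owner and authorised readers.
"""
import hashlib
import hmac
import json
from typing import Any, Dict

OWNER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: held by owner and readers


def _canonical(payload: Dict[str, Any], policy: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the tag does not depend on key order or whitespace.
    return json.dumps({"payload": payload, "policy": policy},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(payload: Dict[str, Any], policy: Dict[str, Any],
         key: bytes = OWNER_KEY) -> Dict[str, Any]:
    """Bind the policy to the payload; changing either invalidates the tag."""
    tag = hmac.new(key, _canonical(payload, policy), hashlib.sha256).hexdigest()
    return {"payload": payload, "policy": policy, "tag": tag}


def verify(bundle: Dict[str, Any], key: bytes = OWNER_KEY) -> bool:
    """Recompute the tag over what the bundle now says and compare in constant time."""
    expected = hmac.new(key, _canonical(bundle["payload"], bundle["policy"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle.get("tag", ""))


def open_bundle(bundle: Dict[str, Any], requester: str, purpose: str,
                key: bytes = OWNER_KEY) -> Dict[str, Any]:
    """Enforce the data's own policy, trusting neither the app nor its access control."""
    if not verify(bundle, key):
        raise ValueError("bundle failed integrity check")
    policy = bundle["policy"]
    if requester not in policy["readers"]:
        raise PermissionError(f"{requester} is not an authorised reader")
    if purpose not in policy["purposes"]:
        raise PermissionError(f"purpose {purpose!r} not permitted")
    return bundle["payload"]


def untrusted_app_tampers(bundle: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed attacker: an application that rewrites the data and grants itself access."""
    tampered = json.loads(json.dumps(bundle))   # deep copy; the original is left intact
    tampered["payload"]["amount"] = 1_000_000
    tampered["policy"]["readers"].append("rogue-app")
    return tampered


if __name__ == "__main__":
    record = seal({"account": "acct-1", "amount": 100},
                  {"readers": ["teller", "audit"], "purposes": ["settlement"]})
    print(verify(record))                          # True
    print(verify(untrusted_app_tampers(record)))   # False
```

Two caveats a practitioner would raise. With an HMAC, anyone who can verify can also forge, so readers are still trusted not to re-seal; if readers should only be able to check, the owner signs with a private key and readers hold the public key. And the tag protects integrity and the policy, not confidentiality: once `open_bundle` returns the plaintext, nothing here stops a reader from copying it, which is the part of the model that needs encryption and key distribution.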

 

Also, on the subject of novelty:

I tend to view many things that are not novel as revolutionary nonetheless. The first plasma television picture was shown in a lab in 1970, but even in 2002 I could not have imagined having a 50-inch color television set hanging on my wall! Patents for novel concepts often lapse before a genuine embodiment ever appears in front of the public. Information Centricity is not novel, as discussions and papers have been available to the public for at least a decade. That does not diminish what I consider to be a more revolutionary than evolutionary approach to security.

“Shortly after I published my paper on ‘Fuzzy Logic’ I started to hear the murmurs and snickering in the hallways behind my back. Not just students, but professors, my own peers, thought I was a fool for seriously proposing such an idea … several years later the Japanese adopted the concept as an effective method of scheduling trains for their rail systems. I was then lauded as a genius by many ... I don’t believe either group is right in their assessment, but the answer probably lies somewhere in between”.

That quote was made by Professor Lotfi Zadeh at the beginning of a lecture I had at Cal in 1998. (Or was it 1999? Perhaps my memory is a bit fuzzy as well.) Fuzzy Logic was not novel at the time of adoption, but it was certainly revolutionary in approach. The evolutionary changes in IT infrastructure have rendered many of our basic assumptions about trust and reliance invalid. Information Centricity turns the trust hierarchy upside down, and would fit my definition of a revolutionary approach. It has its own set of problems, but it addresses many common problems we have with confidentiality, integrity and security. Not a panacea, but a big step forward.
