Security Policies: Confidentiality policies, integrity policies, hybrid policies, non-interference and policy composition, international standards
Security Policies Overview
•Definition of Security Policies:
◦A security policy specifies the rules for protecting sensitive information and
resources in a system.
•Types of Policies:
◦Confidentiality Policies
◦Integrity Policies
◦Hybrid Policies
◦Non-interference and Policy Composition
•Purpose:
◦Enforce security requirements and mitigate risks.
Introduction to Confidentiality
•Definition: Preventing unauthorized disclosure of information.
•Key Concept: "Who can read what?"
•Examples: Protecting classified government data, personal medical records.
Bell-LaPadula Model
•Focus: Enforcing confidentiality in multilevel systems. Subjects carry clearances and objects carry classifications; a label is a level (e.g. Unclassified < Confidential < Secret < Top Secret) plus a set of compartments, and "higher" means that the label dominates the other in this lattice.
•Rules:
◦Simple Security Property ("No Read Up"): A subject (user/process) cannot read data whose label is not dominated by its clearance. Prevents unauthorized access to classified information.
◦*-Property ("No Write Down"): A subject cannot write data to a lower security level than its own. Prevents leakage of sensitive information to less secure areas, including leakage by malware running with the subject's clearance.
◦Discretionary Security Property: In addition, each access must be permitted by the access control matrix (need-to-know).
◦Labels that are incomparable (e.g. Secret{NUC} vs. Secret{CRYPTO}) permit neither reading nor writing.
•Applications of the BLP Model
◦Government and Military Systems: Protects classified national security information.
◦Medical Records Management: Ensures patient data confidentiality by labelling records and restricting access by clearance (BLP is label-based, not role-based).
◦Financial Institutions: Secures sensitive financial transactions and customer
Limitations of Confidentiality Policies
•Does not address integrity or availability: BLP even permits "write up", so a low-cleared subject (or malware) can blindly overwrite higher-classified data.
•Assumes a fixed classification of data and users (the tranquility principle); declassification and relabelling need rules outside the model.
•Controls only overt reads and writes; covert channels (e.g. signalling through disk space or timing) are outside the model.
Introduction to Integrity Policy
•Definition: Preventing unauthorized modification of information.
•Key Concept: "Who can write what?"
•Examples: Financial transactions, software updates.
Biba Integrity Model
•Focus: Preventing improper data modification. It is the dual of Bell-LaPadula applied to an integrity lattice (e.g. Untrusted < User < System).
•Rules (strict integrity):
◦Simple Integrity Property ("No Read Down"): A subject cannot read data at a lower integrity level, so untrusted input cannot contaminate trusted processing.
◦*-Integrity Property ("No Write Up"): A subject cannot write to a higher integrity level.
◦Invocation Property: A subject cannot invoke (request service from) a subject at a higher integrity level.
•Applications: Business and financial systems.
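The two label models above differ only in the direction of the dominance test. The following Python is an added example, not part of the lecture notes: it implements a lattice label (level plus compartment set), the BLP simple security and *-properties, and the Biba strict-integrity rules, and shows that incomparable labels deny both reads and writes. The level names, the analyst/daemon scenario and the compartment names NUC and CRYPTO are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Secrecy(IntEnum):
    """Confidentiality levels for BLP, totally ordered."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    """Integrity levels for Biba (names are assumed, not from the notes)."""
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2


@dataclass(frozen=True)
class Label:
    """Lattice label: a level plus a set of compartments/categories.

    L1 dominates L2 iff level1 >= level2 AND categories1 is a superset of
    categories2. Two labels may be incomparable (neither dominates); every
    rule below then denies the access.
    """
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


# Bell-LaPadula (confidentiality lattice)
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property, "no read up": subject must dominate object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property, "no write down": object must dominate subject."""
    return obj.dominates(subject)


# Biba strict integrity: the dual of BLP on the integrity lattice
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property, "no read down": object must dominate subject."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity property, "no write up": subject must dominate object."""
    return subject.dominates(obj)


def decide(subject: Label, obj: Label, model: str) -> str:
    """Return 'read', 'write', 'read+write' or 'none' under the named model."""
    if model == "blp":
        r, w = blp_can_read(subject, obj), blp_can_write(subject, obj)
    elif model == "biba":
        r, w = biba_can_read(subject, obj), biba_can_write(subject, obj)
    else:
        raise ValueError(f"unknown model {model!r}")
    return {(True, True): "read+write", (True, False): "read",
            (False, True): "write", (False, False): "none"}[(r, w)]


if __name__ == "__main__":
    # Constructed scenario: an analyst cleared SECRET for the NUC compartment.
    analyst = Label(Secrecy.SECRET, frozenset({"NUC"}))
    print(decide(analyst, Label(Secrecy.CONFIDENTIAL), "blp"))                    # read
    print(decide(analyst, Label(Secrecy.TOP_SECRET, frozenset({"NUC"})), "blp"))  # write (blind write up)
    print(decide(analyst, Label(Secrecy.SECRET, frozenset({"CRYPTO"})), "blp"))   # none (incomparable)
    print(decide(analyst, analyst, "blp"))                                        # read+write
    # Biba: a system daemon handling a user-supplied config file.
    daemon = Label(Integrity.SYSTEM)
    print(decide(daemon, Label(Integrity.USER), "biba"))                          # write only
```

The "write" result for the Top Secret object is the blind write-up that BLP allows and Biba forbids; applying both models to the same labels leaves only same-level read+write.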
Clark-Wilson Model
•Focus: Well-formed transactions and separation of duties, modelled on commercial practice (double-entry bookkeeping, audit) rather than on military labels.
•Key Features:
◦Constrained Data Items (CDIs), whose integrity the system guarantees, and Unconstrained Data Items (UDIs), e.g. raw user input, which a TP must validate before it may become a CDI.
◦Transformation Procedures (TPs): the only operations allowed to modify CDIs; each is certified to take the CDIs from one valid state to another.
◦Integrity Verification Procedures (IVPs): check that all CDIs satisfy the integrity constraints (e.g. the accounts balance).
◦Access is controlled by (user, TP, CDI) triples rather than by labels; the person who certifies a TP must not be one who executes it (separation of duty), and every TP execution is recorded in an append-only log.
•Applications: Industrial and commercial settings.
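The Clark-Wilson rules are easiest to see in code. This is an added example, not from the notes: a toy account ledger in which the balances are the CDIs, the IVP checks that money is conserved and no balance is negative, a certified TP is the only way to move money, (user, TP, CDI) triples gate who may run it, the certifier may not execute what they certified, and every attempt is logged. The account names, user names and the rule labels in the comments (C1-C5, E1-E4) follow the usual numbering of the Clark-Wilson paper; the ledger itself is a constructed scenario.

```python
from typing import Callable, Dict, Set, Tuple


class ClarkWilsonLedger:
    """Toy ledger enforcing the Clark-Wilson certification and enforcement rules.

    CDIs    = account balances.
    IVP     = total money is conserved and no balance is negative.
    TPs     = certified functions, the only code allowed to change balances.
    Triples = (user, tp, cdi) entries saying who may run which TP on which CDI.
    """

    def __init__(self, accounts: Dict[str, int], certifiers: Set[str]):
        self.accounts = dict(accounts)                      # CDIs
        self.expected_total = sum(self.accounts.values())   # constraint fixed at certification (C1)
        self.certifiers = set(certifiers)                   # security officers (C3 / E4)
        self.tps: Dict[str, Tuple[Callable, str]] = {}      # name -> (function, who certified it)
        self.triples: Set[Tuple[str, str, str]] = set()
        self.log = []                                       # append-only audit CDI (C4)

    # --- certification rules -------------------------------------------------
    def ivp(self) -> bool:
        """Integrity verification procedure (C1): are all CDIs in a valid state?"""
        return (sum(self.accounts.values()) == self.expected_total
                and all(b >= 0 for b in self.accounts.values()))

    def certify_tp(self, certifier: str, name: str, fn: Callable) -> None:
        """C2: only a certifier may declare a TP well-formed."""
        if certifier not in self.certifiers:
            raise PermissionError(f"{certifier} may not certify TPs")
        self.tps[name] = (fn, certifier)

    def authorize(self, certifier: str, user: str, tp: str, cdi: str) -> None:
        """E4: only a certifier may edit the triples; users cannot grant themselves."""
        if certifier not in self.certifiers:
            raise PermissionError(f"{certifier} may not edit access triples")
        self.triples.add((user, tp, cdi))

    # --- enforcement rules ---------------------------------------------------
    def run(self, user: str, tp_name: str, *cdis: str, **args):
        """Execute a TP transactionally; roll back unless the IVP still holds."""
        if tp_name not in self.tps:                          # E1: only certified TPs touch CDIs
            raise PermissionError(f"{tp_name} is not a certified TP")
        fn, certifier = self.tps[tp_name]
        if user == certifier:                                # C3: separation of duty
            raise PermissionError(f"{user} certified {tp_name} and may not execute it")
        for cdi in cdis:                                     # E2: every (user, TP, CDI) triple must exist
            if (user, tp_name, cdi) not in self.triples:
                raise PermissionError(f"{user} may not run {tp_name} on {cdi}")
        snapshot = dict(self.accounts)
        try:
            fn(self.accounts, *cdis, **args)
            if not self.ivp():
                raise ValueError("IVP failed after TP")
        except Exception as exc:
            self.accounts = snapshot                         # CDIs never stay in an invalid state
            self.log.append(("DENIED", user, tp_name, cdis, str(exc)))
            raise
        self.log.append(("OK", user, tp_name, cdis, args))   # C4: every TP execution is logged


def tp_transfer(accounts: Dict[str, int], src: str, dst: str, amount: int = 0) -> None:
    """A well-formed TP: validates its UDI (the amount) before touching CDIs (C5)."""
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    accounts[src] -= amount
    accounts[dst] += amount


def demo() -> Dict[str, int]:
    """Constructed scenario: auditor certifies, alice operates, bob is unauthorized."""
    ledger = ClarkWilsonLedger({"A": 100, "B": 50}, certifiers={"auditor"})
    ledger.certify_tp("auditor", "transfer", tp_transfer)
    for cdi in ("A", "B"):
        ledger.authorize("auditor", "alice", "transfer", cdi)

    ledger.run("alice", "transfer", "A", "B", amount=30)     # OK: A=70, B=80
    for user, amount in (("alice", 500), ("bob", 10), ("auditor", 10)):
        try:
            ledger.run(user, "transfer", "A", "B", amount=amount)
        except (PermissionError, ValueError):
            pass   # overdraft fails the IVP and is rolled back; bob and auditor are refused
    assert ledger.ivp()
    return dict(ledger.accounts)


if __name__ == "__main__":
    print(demo())   # {'A': 70, 'B': 80}
```

Note that the overdraft keeps the total unchanged and is rejected only by the non-negativity part of the IVP; a TP certified against an incomplete IVP is exactly the gap Clark-Wilson's certification rules are meant to close.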
Hybrid Policies and the Need for Hybrid Policies
•Single-focus policies leave gaps: BLP says nothing about who may modify data, and Biba nothing about who may see it.
•Hybrid security policies combine aspects of both confidentiality and integrity policies to provide a balanced approach to information security.
•These policies are designed to protect sensitive data while also ensuring its accuracy, consistency, and authorized use.
•Example: Healthcare systems requiring both data confidentiality and integrity.
Example: Chinese Wall (Brewer-Nash) Model
•Published by Brewer and Nash in 1989; "Chinese Wall" and "Brewer-Nash" are two names for the same model.
•Designed to prevent conflicts of interest in environments (consultancies, investment banks, law firms) where individuals have access to sensitive information from multiple competing organizations.
•Objects are grouped into company datasets, and datasets into conflict-of-interest classes (e.g. all banks form one class, all oil companies another).
•Rules:
◦Simple Security Rule (read): A subject may read an object only if it belongs to a dataset the subject has already accessed, or to a conflict-of-interest class in which the subject has accessed no dataset. Sanitized (public) information may be read by anyone.
◦*-Property (write): A subject may write an object only if it may read it and has read no unsanitized object from any other dataset; otherwise the subject could copy a competitor's data across the wall for a colleague on the other side to read.
•Key Principle: Access rights are dynamic. They depend on the subject's access history, not only on fixed labels, so a user's set of permitted datasets shrinks with every first access to a new class. This is what distinguishes the model from Bell-LaPadula and Biba.
•Ensures that decisions are made impartially without using confidential information from competing clients; the read rule serves confidentiality and the write rule prevents unauthorized data flows, which is why the model is classed as a hybrid policy.
•Application: Financial and legal consulting.
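The history dependence of the Chinese Wall rules is the part that trips people up, so here is an added example (not from the notes) that implements both Brewer-Nash rules over an access history: an analyst who has read one bank's data is blocked from a competing bank but not from an oil company, may still write to the bank she has read, and loses that write right as soon as she reads unsanitized data from a second dataset. The dataset names, conflict classes and the analyst "ann" are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass(frozen=True)
class Obj:
    name: str
    dataset: str              # company dataset the object belongs to, e.g. "BankA"
    sanitized: bool = False   # public information carries no wall


@dataclass
class ChineseWall:
    """Brewer-Nash access decisions driven by each subject's access history."""
    coi_class: Dict[str, str]                               # dataset -> conflict-of-interest class
    history: Dict[str, Set[Obj]] = field(default_factory=dict)

    def _datasets_seen(self, subject: str) -> Set[str]:
        """Unsanitized datasets the subject has already accessed."""
        return {o.dataset for o in self.history.get(subject, set()) if not o.sanitized}

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple security rule: same dataset as before, or a class not yet touched."""
        if obj.sanitized:
            return True
        seen = self._datasets_seen(subject)
        if obj.dataset in seen:
            return True
        return all(self.coi_class[d] != self.coi_class[obj.dataset] for d in seen)

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: writable only if readable and no other unsanitized dataset
        has been read (else the subject could carry competitor data across the wall)."""
        if not self.can_read(subject, obj):
            return False
        return all(d == obj.dataset for d in self._datasets_seen(subject))

    def read(self, subject: str, obj: Obj) -> None:
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj.name}: conflict of interest")
        self.history.setdefault(subject, set()).add(obj)    # rights shrink from here on

    def write(self, subject: str, obj: Obj) -> None:
        if not self.can_write(subject, obj):
            raise PermissionError(f"{subject} may not write {obj.name}: would breach the wall")
        self.history.setdefault(subject, set()).add(obj)


def demo() -> Dict[str, bool]:
    """Constructed scenario: analyst 'ann' touches BankA, then an oil company."""
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"})
    bank_a = Obj("bankA-accounts", "BankA")
    bank_b = Obj("bankB-accounts", "BankB")
    oil_x = Obj("oilX-reserves", "OilX")
    summary = Obj("market-summary", "BankB", sanitized=True)

    wall.read("ann", bank_a)      # first access: no history, always allowed
    wall.read("ann", summary)     # sanitized, so allowed even though it is BankB's
    results = {
        "ann_reads_bankB": wall.can_read("ann", bank_b),     # False: competes with BankA
        "ann_reads_oilX": wall.can_read("ann", oil_x),       # True: different COI class
        "ann_writes_bankA": wall.can_write("ann", bank_a),   # True: only BankA seen so far
    }
    wall.read("ann", oil_x)
    results["ann_writes_bankA_after_oil"] = wall.can_write("ann", bank_a)  # False
    results["ann_writes_oilX"] = wall.can_write("ann", oil_x)              # False
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Once ann has read both BankA and OilX she can write to neither: any write could carry BankA data into OilX, where a colleague with a clean history could read it and then approach BankB.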
Non-Interference and Policy Composition
Non-Interference
•Definition (Goguen and Meseguer, 1982): The actions of high-level users have no effect on what low-level users can observe. Formally, for every sequence of inputs, the low-level user's view of the system is the same as it would be if all high-level inputs were removed ("purged") from the sequence.
•It is a property of the system's whole behaviour, not of individual accesses, so it catches flows that an access-control policy such as BLP permits (e.g. a high subject toggling a shared resource that a low subject can probe).
•Application: Multilevel security systems.
•Example: Preventing covert channels in a classified environment.
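The purge definition can be checked mechanically for small deterministic systems. The following added example (not from the notes) models a resource lock as a state machine with a high user H and a low user L, enumerates every input sequence up to a bound, and compares L's view of each sequence with L's view of its purge. The version with one lock shared across levels is a textbook covert storage channel and fails; the version with a lock per level passes. The event names and the bound of three inputs are assumptions chosen for the demonstration.

```python
from itertools import product
from typing import Callable, Optional, Sequence, Tuple

Event = Tuple[str, str]        # (user, action); users are "H" (high) and "L" (low)
Trace = Tuple[Event, ...]


def purge(trace: Trace, high: str = "H") -> Trace:
    """Remove every high-level input from the trace."""
    return tuple(ev for ev in trace if ev[0] != high)


def find_interference(machine: Callable[[Trace], tuple], inputs: Sequence[Event],
                      max_len: int = 3) -> Optional[Trace]:
    """Exhaustively test Goguen-Meseguer non-interference up to max_len inputs.

    Returns the first trace whose low view differs from the low view of its
    purge (a counterexample), or None if no such trace exists up to that length.
    """
    for n in range(1, max_len + 1):
        for trace in product(inputs, repeat=n):
            if machine(trace) != machine(purge(trace)):
                return trace
    return None


def shared_lock_machine(trace: Trace) -> tuple:
    """One lock shared by both levels: H can signal to L by holding it."""
    holder = None
    low_view = []
    for user, action in trace:
        if action == "lock":
            if holder in (None, user):
                holder, resp = user, "ok"
            else:
                resp = "busy"                  # L learns that H currently holds the lock
        else:  # "unlock"
            if holder == user:
                holder, resp = None, "ok"
            else:
                resp = "not-held"
        if user == "L":
            low_view.append(resp)              # only L's own responses are visible to L
    return tuple(low_view)


def per_level_lock_machine(trace: Trace) -> tuple:
    """Fix: a separate lock per level, so H's actions cannot change L's responses."""
    held = {"H": False, "L": False}
    low_view = []
    for user, action in trace:
        if action == "lock":
            resp = "ok"
            held[user] = True
        else:
            resp = "ok" if held[user] else "not-held"
            held[user] = False
        if user == "L":
            low_view.append(resp)
    return tuple(low_view)


INPUTS = [("H", "lock"), ("H", "unlock"), ("L", "lock"), ("L", "unlock")]

if __name__ == "__main__":
    print(find_interference(shared_lock_machine, INPUTS))     # (('H', 'lock'), ('L', 'lock'))
    print(find_interference(per_level_lock_machine, INPUTS))  # None
```

The counterexample is the whole covert channel in two events: H takes the lock, L's request returns "busy", and L has received one bit from H even though no read or write of a labelled object took place. Bounded enumeration is only evidence, not proof; a proof needs an unwinding argument over the machine's states.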
Policy Composition
•Combining multiple policies in a single system.
•Approaches:
◦Hierarchical Composition: Policies are layered hierarchically, with one policy taking precedence when they disagree.
◦Parallel Composition: Policies work independently but are enforced simultaneously; an access is allowed only if every policy allows it.
Challenges in Policy Composition
•Conflicts between policies: enforcing BLP and Biba over the same labels lets a subject read and write only at its own level, because BLP forbids writing down and Biba forbids writing up.
•Security properties are not automatically preserved by composition: two components that each satisfy non-interference can, when connected so that one's outputs feed the other's inputs, form a system that violates it (McCullough's "hook-up" problem), so the composed system must be verified again.
•Performance overhead.
•Example: Integrating integrity and confidentiality policies in a distributed system.
International Standards
ISO/IEC Standards (International Organization for Standardization / International Electrotechnical Commission)
•ISO/IEC 27001: Requirements for an Information Security Management System (ISMS); it certifies an organization's security management process, not a product.
•ISO/IEC 15408 (Common Criteria): Evaluation of the security functionality and assurance of IT products.
TCSEC and ITSEC
•TCSEC: Trusted Computer System Evaluation Criteria (U.S. DoD, the "Orange Book", 1983/1985); rates systems in divisions from D (minimal protection) to A1 (verified design), binding functionality and assurance together.
•ITSEC: Information Technology Security Evaluation Criteria (published by the European Commission, 1991); separates security functionality from assurance, with assurance levels E0 to E6.
Common Criteria (CC)
•Focus: Global standard for computer security certification that superseded TCSEC and ITSEC; a product (the Target of Evaluation) is evaluated against a Security Target, often derived from a Protection Profile for its product class.
•Evaluation Assurance Levels (EAL): EAL1 (functionally tested) to EAL7 (formally verified design and tested); a higher EAL means a more rigorous evaluation, not more security features.
•Applications: Certifying software and hardware products.