Database Reference
In-Depth Information
Maintainability, which is the ability to undergo
modifications and repairs.
< secret < top secret sensitivity classification,
and
Sc <= Oc where the <= relationship is a subset
relation of sets.
BACKGROUND
The Bell LaPadula (BLP) model (1975)
forms the fundamental architectural idea behind
the guarantee of secrecy in MLS. The Biba model by
the Mitre Corporation (1997) is used to protect
integrity: BLP's no-read-up and no-write-down
properties are inverted to the no-write-up and
no-read-down rules. Today, Oracle's Label Security
and DB2's LabelAccess Control are contemporary
examples of this security model.
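The dominance relation on (sensitivity, compartments) labels and the BLP and Biba rules built on it, as an added example that is not part of the original text. The function names, subject and compartment names are hypothetical; the sensitivity order is the one the text gives.

```python
from dataclasses import dataclass

# Sensitivity order as given in the text.
LEVELS = {"classified": 0, "sensitive": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    sensitivity: str
    compartments: frozenset = frozenset()

def label(sensitivity, *compartments):
    if sensitivity not in LEVELS:
        raise ValueError(f"unknown sensitivity: {sensitivity!r}")
    return Label(sensitivity, frozenset(compartments))

def dominates(high, low):
    """low <= high: sensitivity is ordered AND compartments are a subset."""
    return (LEVELS[low.sensitivity] <= LEVELS[high.sensitivity]
            and low.compartments <= high.compartments)

# Bell-LaPadula protects secrecy.
def blp_can_read(subject, obj):    # no-read-up
    return dominates(subject, obj)

def blp_can_write(subject, obj):   # no-write-down
    return dominates(obj, subject)

# Biba protects integrity: same relation, directions inverted.
def biba_can_read(subject, obj):   # no-read-down
    return dominates(obj, subject)

def biba_can_write(subject, obj):  # no-write-up
    return dominates(subject, obj)

def blp_decision(subject, obj):
    """Return the (read, write) pair BLP grants the subject on the object."""
    return blp_can_read(subject, obj), blp_can_write(subject, obj)

if __name__ == "__main__":
    # Constructed labels; the compartment names are hypothetical.
    bob = label("secret", "crypto")
    objects = {
        "memo":    label("sensitive", "crypto"),              # below Bob
        "plan":    label("top secret", "crypto", "nuclear"),  # above Bob
        "reactor": label("classified", "nuclear"),            # incomparable
    }
    for name, obj in objects.items():
        print(name, "read/write under BLP:", blp_decision(bob, obj))
```

The "reactor" case shows why compartments matter: a lower sensitivity alone does not grant read access when the compartment sets are not in a subset relation, and a program running with Bob's label cannot write down to "memo".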
The most widely used access control model
is the role-based access control (RBAC) model.
This section will briefly summarize various
properties of NIST's RBAC model as pointed out by
Sandhu et al. (2000). The notion of scalability is
multi-dimensional. RBAC does not define the
degree of scalability implemented in a system
with respect to the number of roles, number of
permissions, size of role hierarchy, or limits on
user-role assignments, etc.
As RBAC is based on permissions that confer
the ability to do something on holders of the
permission, it does not contain negative
authorizations (prohibitions). The nature of permissions is
not specified in the RBAC model itself.
Permissions can be either fine-grained or coarse-grained
and may also be customized. The exact nature of
permissions is determined by the application.
Moreover, RBAC does not specify the ability
of a user to select which roles are activated in a
particular session. The only requirement is that
it should be possible to allow a user to activate
multiple roles simultaneously. It does not matter if
the user is able to explicitly activate roles or if all
roles are automatically activated by the system.
While security obviously encompasses the
requirements of the CIA triad, this article will
focus on the mechanism of access control (AC)
as this addresses both confidentiality and—to
some extent—integrity. Database security was
addressed in the 1960s by introducing mandatory
access control (MAC), driven mainly by military
requirements. Today, role-based access control
(RBAC) is the commonly used access control
model in commercial databases.
There is a difference between trusting a person
and trusting a program. For instance, Alice gives
Bob a program that Alice trusts. Since Bob trusts
Alice, he trusts the program. However, neither of
them is aware that the program contains a
Trojan. This security threat leads to the introduction
of MAC. In MAC, the system itself imposes an
access control policy and object owners cannot
change that policy. MAC is often implemented in
systems with multilevel security (MLS). In MLS,
information objects are classified in different
levels and subjects are cleared for levels.
The need-to-know principle, also known from
the military, stipulates that every subject receives
only the information required to perform its task.
To comply with this principle, it is not sufficient
to use sensitivity labels to classify objects. Every
object is associated with a set of compartments.
Subjects are classified according to their security
clearance for each given area/compartment.
Classification labels are of the form (Ss, Sc)
where Ss is a sensitivity and Sc a set of
compartments. (Os, Oc) dominates (Ss, Sc) if
(Ss, Sc) <= (Os, Oc).
This <= relation is true when
Ss <= Os where the <= relationship here is
with respect to the classified < sensitive
RBAC Constraints
Since permissions are organized into tasks by using
roles, conflicts of interests are more evident than