Fall 2021
Cp 633
Chapter 8: Hybrid Policies
Covers sections 8.1, 8.1.1, 8.1.4, 8.1.5, 8.2, 8.1.2, 8.3, 8.4, 8.5
Overview
Chinese Wall Model
Clinical Information Systems Security Policy
ORCON
RBAC

Overview
Chinese Wall Model
Focuses on conflict of interest in business, and supports confidentiality and integrity.
CISS (Clinical Information Systems Security) Policy
Combines integrity and confidentiality
ORCON (DRM)
Combines mandatory, discretionary access controls
RBAC
Bases controls on job function

Chinese Wall Model
Problem:
Tony advises American Bank about investments
He is asked to advise City Bank about investments
Conflict of interest to accept, because his advice for either bank would affect his advice to the other bank

Organization
Organize entities into “conflict of interest” classes
Control subject’s accesses to each class
Control writing to all classes to ensure information is not passed along in violation of rules
Allow sanitized data to be viewed by everyone

Definitions
Objects: items of information related to a company
Company dataset (CD): contains objects related to a single company
Denoted as CD(O)
Conflict of interest class (COI): contains datasets of companies in competition
Denoted as COI(O)
Assume: each object belongs to exactly one COI class

Example

Bank COI class: Bank of America, Citibank, Bank of the West
Gasoline Company COI class: Shell Oil, Union ’76, Standard Oil, ARCO

Temporal Element
Suppose that Anthony first worked on bank A’s portfolio and was later transferred to bank B’s portfolio.
He can use his previous knowledge against bank A’s interests.
To prevent this, once Anthony reads any CD in a COI, he can never read another CD in that COI,
because information learned earlier may allow him to make decisions later.
Let PR(s) (previously read) be the set of objects that s has already read.

CW-Simple Security Condition
Subject s can read object o iff either condition holds:

1. There is an o′ such that s has accessed o′ and CD(o′) = CD(o)
Meaning s has already read something in o’s dataset
2. For all o′ ∈ O, o′ ∈ PR(s) ⇒ COI(o′) ≠ COI(o)
Meaning s has not read any objects in o’s conflict of interest class,
e.g. Tony can read one CD in the bank COI and one CD in the gasoline COI. However, he cannot read two bank CDs.
The rule above ignores sanitized data (see below)
Initially, PR(s) = ∅, so the initial read request is granted

Sanitization
Public information may belong to a CD
As it is publicly available, no conflicts of interest arise
So public (sanitized) information should not affect analysts’ ability to read
Typically, all sensitive data are removed from such information before it is released publicly (called sanitization)
Add third condition to CW-Simple Security Condition:

3. o is a sanitized object

Writing among COIs
Anthony and Susan work in the same trading house
Anthony can read Bank 1’s CD and Gasoline 1’s CD
Susan can read Bank 2’s CD and the same Gasoline 1 CD
If Anthony could write to Gasoline 1’s CD, he could write information from Bank 1’s CD there and Susan could read it
Hence, indirectly, she could read information from Bank 1’s CD, which is a clear conflict of interest
So, if a subject is permitted to write, it cannot read more than one CD.

CW-*-Property in Chinese Wall policy
s can write to o iff both of the following hold:

1. The CW-simple security condition permits s to read o; and
2. For all unsanitized objects o′, if s can read o′, then CD(o′) = CD(o)
The rules say that s can write to an object only if all the (unsanitized) objects it can read are in the same company dataset (CD)
There is also an aggressive CW model, but it is beyond our scope (it covers additional COI situations arising through investments).
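The CW-simple security condition (with the sanitization clause) and the CW-*-property above, as an added Python example that is not part of the slides; the objects and subjects are constructed, and skipping sanitized objects when PR(s) is checked for conflicts is an assumption noted in the code:

```python
"""Chinese Wall read/write checks (added example, not from the slides).
Objects carry CD(o) and COI(o); PR(s) is the set of objects s has read.
Assumption made here: sanitized (public) objects are readable by anyone
and are skipped when PR(s) is checked for conflicts, since they create none."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    name: str
    cd: str               # company dataset, e.g. "Bank1"
    coi: str              # conflict-of-interest class, e.g. "Bank"
    sanitized: bool = False


@dataclass
class Subject:
    name: str
    pr: set = field(default_factory=set)   # PR(s): objects already read


def can_read(s: Subject, o: Obj) -> bool:
    """CW-simple security condition, including the sanitization clause."""
    if o.sanitized:                                    # condition 3
        return True
    read = {p for p in s.pr if not p.sanitized}
    if any(p.cd == o.cd for p in read):                # condition 1
        return True
    return all(p.coi != o.coi for p in read)           # condition 2


def read(s: Subject, o: Obj) -> bool:
    """Grant or deny a read; a granted read is recorded in PR(s)."""
    if not can_read(s, o):
        return False
    s.pr.add(o)
    return True


def can_write(s: Subject, o: Obj, universe) -> bool:
    """CW-*-property: s may write o only if s can read o and every
    unsanitized object s can read lies in CD(o)."""
    if not can_read(s, o):
        return False
    return all(p.cd == o.cd for p in universe
               if not p.sanitized and can_read(s, p))


def slide_scenario() -> dict:
    """Anthony reads Bank 1 and Gasoline 1, then tries more (constructed data)."""
    bank1 = Obj("Bank1 portfolio", "Bank1", "Bank")
    bank2 = Obj("Bank2 portfolio", "Bank2", "Bank")
    gas1 = Obj("Gas1 portfolio", "Gas1", "Gasoline")
    gas1_pub = Obj("Gas1 annual report", "Gas1", "Gasoline", sanitized=True)
    anthony = Subject("Anthony")
    return {
        "bank1": read(anthony, bank1),
        "gas1": read(anthony, gas1),
        "bank2": read(anthony, bank2),           # second bank CD: denied
        "gas1_pub": read(anthony, gas1_pub),     # sanitized: allowed
        "write_gas1": can_write(anthony, gas1, [bank1, bank2, gas1, gas1_pub]),
    }
```

Because Anthony can still read Bank 1’s CD, the *-property denies the write to Gasoline 1 that would let Susan see Bank 1 data; a subject who can read only one CD is allowed to write into it.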

Compare CW to Bell-LaPadula (B-LP)
Fundamentally different
CW has no security labels, but B-LP does
CW has notion of past accesses, but B-LP does not
Bell-LaPadula can capture CW state at any moment of time
Each (COI, CD) pair gets security category
Two clearances, S (sanitized) and U (unsanitized)
U dom S by definition
Subjects are assigned clearances for compartments that do not contain multiple categories corresponding to CDs in the same COI class

Comparison of CW to Bell-LaPadula
Consider the implementation of the Chinese Wall policy in an investment company which advises clients on two Conflict of Interest classes, Gold and Food (at this moment we look at unsanitized data).
Each COI has two company datasets: G1 and G2, and F1 and F2 respectively.

Lattice of categories (figure): top level {G1, F2}, {G2, F1}, {G2, F2}, {G1, F1}; middle level {G1}, {G2}, {F1}, {F2}; bottom ∅ (no compartment combines two CDs from the same COI).

Comparison of CW to Bell-LaPadula with sanitization
Consider the BLP implementation of the CW policy in an investment company which advises clients on two Conflict of Interest classes with company datasets (a, b, c) and (s, e, u, n).

Compare to Bell-LaPadula
Bell-LaPadula cannot track changes over time
Susan becomes ill, Anna needs to take over
C-W history lets Anna know if she can access the CDs.
No way for Bell-LaPadula to capture this
Access constraints change over time
Initially, subjects in C-W can read any object and constraints grow as subject accesses more objects
Bell-LaPadula constrains set of objects that a subject can access without respect to time.
Security officer in BLP can’t clear all subjects for all categories initially, because this violates C-W-simple security condition due to COI.

Compare Chinese Wall to Clark-Wilson
The Clark-Wilson model covers integrity, so this comparison considers only the access control aspects
If “subjects” and “processes” are interchangeable, a single person could use multiple processes to violate the CW-simple security condition (i.e. read multiple CDs from a single COI class).
However, this would still comply with Clark-Wilson.
If “subject” is a specific person and includes all processes the subject executes, then the Chinese Wall policy is consistent with Clark-Wilson.

Clinical Information Systems Security Policy
Intended for medical records
Conflict of interest is not a critical problem here.
Instead: patient confidentiality, authentication of records and annotators, and assurance that record has not been changed by error are critical.
Entities:
Patient: subject of medical records (or agent)
Personal health information: data about patient’s health or treatment enabling identification of patient
Clinician: health-care professional with access to personal health information while doing job

Assumptions and Principles
Assumes health information involves 1 person at a time
Not always true; OB/GYN involves father as well as mother
Principles derived from medical ethics of various societies, and from practicing clinicians

Access to medical records
Principle 1: Each medical record has an access control list naming the individuals or groups who may read and append information to the record.
The system must restrict access to those identified on the access control list.
The idea is that clinicians need access, but no one else. Auditors get access to copies, so they cannot alter records

Access to medical records
Principle 2: One of the clinicians on the access control list must have the right to add other clinicians to the access control list.
Called the responsible clinician

Access to medical records
Principle 3: The responsible clinician must notify the patient of the names on the access control list whenever the patient’s medical record is opened.
Except for situations given in statutes, or in cases of emergency, the responsible clinician must obtain the patient’s consent.
Patient must consent to all treatment, and must know of violations of security.
Leakage of information is possible if clinician unfamiliar with the patient accesses the record (intern?).

Access to medical records
Principle 4: The name of the clinician, the date, and the time of the access of a medical record must be recorded. Similar information must be kept for deletions.
Record information about all accesses.
This log is needed for auditing.
Don’t delete information; update it.
Principle: Clinical information cannot be deleted from a medical record until the appropriate time has passed (e.g. 8 years).
This varies with circumstances.

Creation
Principle: A clinician may open a record, with the clinician and the patient on the access control list.
If a record is opened as a result of a referral, the referring clinician may also be on the access control list.
Creating clinician needs access, and patient should get it.
If created from a referral, referring clinician needs access to get results of referral.

Confinement
Principle: Information from one medical record may be appended to a different medical record if and only if the access control list of the second record is a subset of the access control list of the first.
This keeps information from leaking to unauthorized users. All users have to be on the access control list.
This handles the case where a clinician has access to many patient records and is also, for example, an advisor to a medical insurance company.

Aggregation
Principle: Measures for preventing aggregation of patient data must be effective.
In particular, a patient must be notified if anyone is to be added to the access control list for the patient’s record and if that person has access to a large number of medical records.
Fear here is that a corrupt investigator may obtain access to a large number of records, correlate them, and discover private information about individuals which can then be used for nefarious purposes (such as blackmail)

Enforcement
Principle: Any computer system that handles medical records must have a subsystem that enforces the preceding principles.
The effectiveness of this enforcement must be subject to evaluation by independent auditors.
This policy has to be enforced, and the enforcement mechanisms must be auditable (and audited)
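The access, creation, confinement and aggregation principles above as a toy enforcement subsystem, an added Python example that is not part of the slides; record names, the responsible-clinician check and the threshold for “a large number of records” are constructed assumptions:

```python
"""Toy enforcement subsystem for the CISS principles (added example, not
from the slides).  Records are append-only with an audit log; only the
responsible clinician extends an ACL; the patient is notified of ACL changes;
confinement allows copying only when ACL(target) ⊆ ACL(source).  THRESHOLD
(what counts as "a large number of records") and all names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

THRESHOLD = 5   # aggregation: warn when the added person already sees this many records


@dataclass
class Record:
    patient: str
    responsible: str                             # responsible clinician
    acl: set = field(default_factory=set)
    entries: list = field(default_factory=list)  # append-only; there is no delete method
    audit: list = field(default_factory=list)    # (who, when, what): Principle 4
    notices: list = field(default_factory=list)  # notifications to the patient


class Registry:
    def __init__(self):
        self.records = []

    def open_record(self, clinician, patient, referrer=None):
        """Creation: clinician and patient on the ACL, the referrer optionally."""
        rec = Record(patient, clinician, {clinician, patient} | ({referrer} if referrer else set()))
        rec.notices.append(f"opened; ACL={sorted(rec.acl)}")            # Principle 3
        self.records.append(rec)
        return rec

    def records_seen_by(self, who):
        return sum(1 for r in self.records if who in r.acl)

    def add_to_acl(self, rec, actor, who):
        """Principle 2: only the responsible clinician may extend the ACL."""
        if actor != rec.responsible:
            return False
        if self.records_seen_by(who) >= THRESHOLD:                      # aggregation
            rec.notices.append(f"WARNING: {who} already has access to many records")
        rec.acl.add(who)
        rec.notices.append(f"ACL now {sorted(rec.acl)}")                # Principle 3
        self._log(rec, actor, f"acl+{who}")
        return True

    def append(self, rec, actor, text):
        """Principle 1: only ACL members may append; Principle 4: log every write."""
        if actor not in rec.acl:
            return False
        rec.entries.append(text)
        self._log(rec, actor, "append")
        return True

    def copy_entry(self, src, dst, actor, index):
        """Confinement: ACL(dst) must be a subset of ACL(src)."""
        if not dst.acl <= src.acl:
            return False
        return self.append(dst, actor, src.entries[index])

    def _log(self, rec, actor, action):
        rec.audit.append((actor, datetime.now(timezone.utc).isoformat(), action))
```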

Compare to Bell-LaPadula
Confinement Principle imposes lattice structure on entities in model
Similar to Bell-LaPadula
CISS focuses on objects being accessed; B-LP on the subjects accessing the objects
May matter when looking for insiders in the medical environment

Compare to Clark-Wilson
CDIs are medical records
TPs are functions updating records, access control lists
IVPs certify that:
A person identified as a clinician is a clinician;
A clinician validates, or has validated, information in the medical record;
When someone is to be notified of an event, such notification occurs; and
When someone must give consent, the operation cannot proceed until the consent is obtained
Auditing (CR4) requirement: make all records append-only, notify patient when access control list changed

Originator Controlled Access (ORCON) (up to here 21 Sept.)
Problem: organization creating document wants to control its dissemination
Example: Secretary of Agriculture writes a memo for distribution to her immediate subordinates, and she must give permission for it to be disseminated further.
This is “originator controlled” (here, the “originator” is a person).

Requirements
Subject s ∈ S marks object o ∈ O as ORCON on behalf of organization X.
X allows o to be disclosed to subjects acting on behalf of organization Y with the following restrictions:

1. o cannot be released to subjects acting on behalf of other organizations without X’s permission; and
2. Any copies of o must have the same restrictions placed on them.

DAC Fails
In the ORCON case, discretionary access control fails since:
Owner can set any desired permissions
This makes rule 2 unenforceable

Mandatory access control (MAC) is not sufficient for ORCON
First problem: BLP category explosion
Suppose a subject s marks an object o as ORCON on behalf of organization X.
Organization X allows o to be disclosed to subjects in organization Y
Category C contains o, X, Y, and nothing else. If a subject y ∈ Y wants to read o, x ∈ X makes a copy o′. Note o′ has category C.
If y wants to give z ∈ Z a copy, z must be in Y; by definition, it is not.
If x wants to let w ∈ W see the document, a new category C′ containing o, X, W is needed.
Second problem: abstraction
In BLP MAC, classification and categories are centrally controlled on the “need to know” principle, and access is controlled by a centralized policy
However, ORCON has to be controlled locally

Combine MAC and DAC for ORCON
Keep in mind that an object has an originator and owner(s)
MAC components
The owner of an object cannot change the access controls of the object.
When an object is copied, the access control restrictions of the originator are copied and bound to the target of the copy.
DAC component
The creator (originator) can alter the access control restrictions on a per-subject and per-object basis.
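The MAC and DAC components above as an added Python example (not from the slides); subject and organization names are constructed, and the choice that all copies share one restriction object, so the originator’s later changes reach every copy, is an assumption:

```python
"""ORCON as a MAC/DAC combination (added example, not from the slides).
MAC part: restrictions belong to the originator, travel with every copy,
and the owner of a copy cannot change them.  DAC part: the originator may
grant access per organization or per subject.  Assumption made here:
copies share one Restrictions object, so an originator's later change
applies to every copy.  All names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    name: str
    org: str


@dataclass
class Restrictions:
    originator: Subject
    orgs: set                                   # organizations o may be disclosed to
    subjects: set = field(default_factory=set)  # per-subject DAC grants


@dataclass
class OrconObject:
    name: str
    owner: Subject
    restr: Restrictions   # bound to the object and to every copy of it


def mark_orcon(originator, name, release_to=()):
    """s marks o as ORCON on behalf of X and lets organizations Y see it."""
    return OrconObject(name, originator,
                       Restrictions(originator, {originator.org, *release_to}))


def can_read(s, o):
    return s.org in o.restr.orgs or s.name in o.restr.subjects


def grant(actor, o, org=None, subject=None):
    """DAC: only the originator alters restrictions (MAC: the owner cannot)."""
    if actor != o.restr.originator:
        return False
    if org is not None:
        o.restr.orgs.add(org)
    if subject is not None:
        o.restr.subjects.add(subject)
    return True


def copy(actor, o, new_name):
    """Rule 2: a copy keeps the originator's restrictions; actor becomes owner."""
    if not can_read(actor, o):
        return None
    return OrconObject(new_name, actor, o.restr)
```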

Digital Rights Management (DRM) as ORCON
DRM is the persistent control of digital content, and has several elements:
Content: information being protected
License: token describing the uses allowed for the content
Grant: part of a license giving specific authorizations to one or more entities, and (possibly) conditions constraining the use of the grant
Issuer: entity issuing the license
Principal: identification of an entity, used in a license to identify to whom the license applies, aka client
Device: mechanism used to view the content. It manages the licenses, principals and any copy of the resource.

Example: Movie Distribution by Downloading
Content: movie itself
License: token binding playing the movie to the specific downloaded copy
Grant: movie can be played on some specific set of equipment provided the equipment is located in a given geographical area.
Issuer: movie studio
Principal: user who downloaded the movie
Device: set of equipment used to play the movie; it manages the licenses, principals, and any copies of the movie

Relationships between the DRM parameters
The elements are related, and the relationship must satisfy three rules:
The system must implement controls on the use of the content, constraining what users can do with the content
Encrypting the content and providing keys to authorized viewers fails this, as the users can distribute the keys indiscriminately.

The rules that constrain the users of the content must be associated with the content, not the users
The controls and rules must persist throughout the life of the content, regardless of how it is distributed and to whom it is distributed

Example: Apple’s FairPlay DRM
User must authorize a given computer to play iTunes music.
iTunes generates a globally unique number for the computer and sends it to Apple’s servers
Servers add it to the list of systems authorized to play music for that user
At most 5 systems at a time can be authorized per user.

Content is obtained using iTunes, with three levels of encryption:
Content is enciphered by AES with a master key
Master key is enciphered with a randomly generated user key from iTunes
iTunes sends the user’s encrypted key to the Apple server; it is stored there and in iTunes, also encrypted with an additional symmetric key generated by key exchange algorithms.

Example: Apple’s FairPlay DRM
Play content using iTunes
iTunes decrypts user key
iTunes uses user key to decrypt master key
iTunes uses master key to decrypt content
Note it need not contact Apple servers for authorization

Authorize new system
Apple server sends that system all user keys stored on server

Example: Apple’s FairPlay DRM
Deauthorize system
System deletes all locally stored user keys
Notifies Apple servers to delete globally unique number from list of authorized computers

Copying content to another system
Cannot be decrypted without user key, which is not copied

Role-Based Access Control (RBAC)
Access depends on function, not identity
Example:
Allison, bookkeeper for Math Dept, has access to financial records.
She leaves.
Betty is hired as the new bookkeeper, so she now has access to those records
The role of “bookkeeper” dictates access, not the identity of the individual.

Definitions
Role r: a collection of job functions
trans(r): the set of authorized transactions for r
Active role of subject s: the role s is currently in, denoted actr(s)
Authorized roles of subject s: the set of roles that s is authorized to assume, denoted authr(s)
canexec(s, t) is true iff subject s can execute transaction t at the current time

Axioms
Let S be the set of subjects and T the set of transactions.
Rule of role assignment:
(∀s ∈ S)(∀t ∈ T) [canexec(s, t) ⇒ actr(s) ≠ ∅].
If s can execute a transaction, it has a role
This ties transactions to roles
Rule of role authorization:
(∀s ∈ S) [actr(s) ⊆ authr(s)].
Subject must be authorized to assume an active role (otherwise, any subject could assume any role)

Axiom
Rule of transaction authorization:
(∀s ∈ S)(∀t ∈ T) [canexec(s, t) ⇒ t ∈ trans(actr(s))].
Remember that trans(r) is the set of authorized transactions for r
If a subject s can execute a transaction, then the transaction is an authorized one for the role s has assumed
This implies that RBAC is a form of mandatory access control.

Containment of Roles
A trainer can do all transactions that a trainee can do (and then some more).
This means that the trainer’s role ri contains the trainee role rj, i.e. ri > rj.
So if subject s is authorized for the role of trainer, then s is also authorized for the role of trainee:

(∀s ∈ S)[ ri ∈ authr(s) ∧ ri > rj ⇒ rj ∈ authr(s) ].

Separation of Duty
Let r be a role, and let s be a subject authorized to perform role r, i.e. r ∈ authr(s).
Then the predicate meauth(r) (for mutually exclusive authorizations) is the set of roles that s cannot assume because of the separation of duty requirement.
Separation of duty:

(∀r1, r2 ∈ R) [ r2 ∈ meauth(r1) ⇒
[ (∀s ∈ S) [ r1 ∈ authr(s) ⇒ r2 ∉ authr(s) ] ] ]
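The three RBAC axioms, role containment and separation of duty as executable checks, an added Python example that is not taken from the slides; the roles, transactions, containment pairs and meauth sets are constructed, and actr(s) is modelled as a set of active roles:

```python
"""RBAC axioms as executable checks (added example, not from the slides).
Roles, their transactions, the containment relation (ri > rj) and the
meauth sets are constructed; actr(s) is modelled as a set of active roles
so that actr(s) ⊆ authr(s) can be checked directly."""

TRANS = {                                   # trans(r), before containment
    "trainee": {"view_ledger"},
    "trainer": {"post_entry"},              # plus everything a trainee can do
    "auditor": {"view_ledger", "approve_audit"},
}
CONTAINS = {("trainer", "trainee")}         # pairs (ri, rj) with ri > rj
MEAUTH = {"trainer": {"auditor"}}           # meauth(trainer) = {auditor}


def trans(r):
    """trans(r) closed under containment: ri > rj gives ri all of rj's transactions."""
    out = set(TRANS.get(r, ()))
    for ri, rj in CONTAINS:
        if ri == r:
            out |= trans(rj)
    return out


def close_authr(roles):
    """Containment axiom: ri ∈ authr(s) and ri > rj imply rj ∈ authr(s)."""
    authr = set(roles)
    while True:
        extra = {rj for ri, rj in CONTAINS if ri in authr} - authr
        if not extra:
            return authr
        authr |= extra


class Subject:
    def __init__(self, name, roles):
        self.name = name
        self.authr = close_authr(roles)     # authr(s)
        self.actr = set()                   # actr(s), initially empty

    def activate(self, r):
        """Rule of role authorization: actr(s) ⊆ authr(s) must keep holding."""
        if r not in self.authr:
            return False
        self.actr.add(r)
        return True

    def canexec(self, t):
        """Role assignment (actr(s) ≠ ∅) and transaction authorization (t ∈ trans(actr(s)))."""
        return bool(self.actr) and any(t in trans(r) for r in self.actr)


def separation_of_duty_holds(subjects):
    """(∀r1, r2)[r2 ∈ meauth(r1) ⇒ (∀s)[r1 ∈ authr(s) ⇒ r2 ∉ authr(s)]]."""
    return all(not (r1 in s.authr and r2 in s.authr)
               for r1, excl in MEAUTH.items() for r2 in excl
               for s in subjects)
```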

Break-the-Glass Policies
Motivation: when security requirements conflict, some access controls may need to be overridden in an unpredictable manner
Example: a doctor may need access to a medical record to treat someone, yet that person is unable to give consent (without which access would be denied)
User can attempt to access the information where access should be denied. However, user can override the denial.
Controls notify some people about the override
Controls log override for later audit

Key Points
Hybrid policies deal with both confidentiality and integrity
Different combinations of these
ORCON model neither MAC nor DAC
Actually, a combination
RBAC model controls access based on functionality
