Transcription
INF3510 Information SecurityUniversity of OsloSpring 2011Lecture 8Identity and Access ManagementAudun Jøsang
Outline Identity and access management concepts Identity management models Access control models (security models)UiO Spring 2011L08 - INF3510 Information Security2
Identity & access managementIdentity Representing and entities as digital identities Managing name spaces of unique identifiers Mapping identities between domainsIdentityManagementAuthentication Registration Provisioning AuthenticationAccess Authorization Access approval AccountingUiO Spring 2011AAA:“Authentication,Authorization &Accounting”L08 - INF3510 Information SecurityAccess Control3
Four types of identity management(1)Mgmt of user IDs andcredentials on SP side(2)Mgmt of user IDs andcredentials on user side(3)Mgmt of SP IDs andcredentials on SP side(4)Mgmt of SP IDs andcredentials on user side Only type 1 & 2 are traditionally considered part of IAM Types 3,4 are discussed in Lect.9 (Net. & Com. SecurityUiO Spring 2011L08 - INF3510 Information Security4
Identity Domains An identity domain is a network realm witha name space of unique namesDomain A Management structures:– Single authority, e.g. User Ids in companynetwork– Hierarchical: e.g. DNS (Domain Name System) A single policy is normally applied in adomain Integration/federation of domainsMappingDomain B– Requires mapping of identities of same entity– Requires alignment of policiesUiO Spring 2011L08 - INF3510 Information Security5
Silo domain modelLegend:SPSP/IdP 1SP/IdP 2IdPSP/IdP 3123123Identity domain#User identifiermanaged by IdP ## Authenticationtoken managed byIdP #Service logonService provisionUiO Spring 2011L08 - INF3510 Information Security6
Silo user-identity domains SP IdP: defines name space and provides accesscredentials Unique identifier assigned to each entity Advantages– Simple to deploy, low cost for SPs Disadvantages– Identity overload for users, poor usabilityUiO Spring 2011L08 - INF3510 Information Security7
Tragedies of the Commons GuessMeNot fred 2008Oct9 TopSecret ?abcXXCommon village green OTP123 MySecret XZ&9r#/ FacePassCommon brainCommon pocketsUiO Spring 2011L08 - INF3510 Information Security8
Push towards SSO (Single Sign-On) Users don‟t want more identifiers Low acceptance of new services that require separateuser authentication Silo model requires users to provide same information tomany service providers Silo model makes it difficult to offer bundled services, i.e.from different service providers Service providers want better quality user informationUiO Spring 2011L08 - INF3510 Information Security9
Kerberos SSO Part of project Athena (MIT) in 1983.User must identify itself once at the beginning of aworkstation session (login session).Does not require user to enter password every time aservice is requested!Every user shares a password with the AS(Authentication Server)Every SP (service provider) shares a secret key with theTGS (Ticket Granting Server)Tickets are sealed (encrypted) by TGS proves to SPsthat the user has been authenticatedUiO Spring 2011L08 - INF3510 Information Security10
Kerberos – simplified versTicket GrantingServer54KerberosDatabase36666Request service2Authentication3Look-up user4Request ticket5Ticket6Service accesswith ticketWorkstation21AuthenticationServerUiO Spring 20111L08 - INF3510 Information Security11
Kerberos – Advantages and limitations First practical SSO solutionCentralized TTP (Trusted Third Party) modelUses only symmetric cryptographyRequires Kerberos clients and servers KDCOnly suitable for organisations under commonmanagement (single domain) Does not scale to very large domains Not suitable for open environments (Internet)UiO Spring 2011L08 - INF3510 Information Security12
Traditional Single Sign-On (SSO) ModelLegend:SPIdPSP 23SP 13Identity domainCentraliseduser-IdP 3#User identifierissued by IdP ##Security assertionsent by IdP #33# Authenticationtoken managed byIdP #Service logonExamples: Kerberos,UiO Spring 2011L08 - INF3510 Information SecurityService provision13
Traditional SSO Single authority/infrastructure that acts as identifier andcredentials provider Single authority authenticates users on behalf of all SPs Advantages– Well suited for SPs under single management,large private and government organisations– Good usabilitye.g. within Disadvantages– Politically difficult to implement in open environments.– Who trusts authentication by other organisations?UiO Spring 2011L08 - INF3510 Information Security14
Federated SSO modelLegend :SPFederation Domain / Circle of Trust12IdP3Identity domain#SP/IdP 12SP/IdP 23SP/IdP 3#33SSO tootherdomains#User identifierissued by IdP #Authenticationtoken managed byIdP #Security assertionsent by IdP #Service logonService provisionIdentifier mappingExamples: Liberty Alliance, SAML2.0, WS-Federation, ShibbolethUiO Spring 2011L08 - INF3510 Information Security15
Federated SSO Identity Federation– A set of agreements, standards and technologies thatenable a group of SPs to recognise user identities andentitlements from other SPs– Identifier (and credential) issuance as for the silo model– Mapping between a user‟s different unique identifiers– Authentication by one SP, communicated as securityassertions to other SPs– Provides SSO in open environmentsUiO Spring 2011L08 - INF3510 Information Security16
Federated SSO Advantages– Improved usability (theoretically)– Compatible with silo user-identity domains– Allows SPs to bundle services and collect user info Disadvantages– High technical and legal complexity– High trust requirements E.g. SP1 is technically able to access SP2 on user‟s behalf– Privacy issues– Unimaginable for all SPs to federate, multiple federated SSOs not much better than silo modelUiO Spring 2011L08 - INF3510 Information Security17
SAML identity federation protocol withsecurity token sent vie browserUser 1ClientServer 1UiO Spring 2011Server 2L08 - INF3510 Information Security18
SAML identity federation protocol withsecurity token sent through back channelUser 1ClientServer 1UiO Spring 2011Artifact 45TokenL08 - INF3510 Information SecurityServer 219
Common SSO identity modelLegend :SPDistributeduser-IdP 2SP 1322IdPDistributeduser-IdP 332Common identity domain#User identifiermanaged by IdP ##Authentication tokenmanaged by IdP ##Security assertionissued by IdP #3Service logonService provisionExample: OpenIDUiO Spring 2011L08 - INF3510 Information Security20
Common SSO identity model Single common identifier name space– E.g. based on URIs or XRis Distributed assignment of identifiers– Each IdP controls its own domain name– Registers users under domain name Whoever controls a domain name can be IdP IdPs are involved for every service access– Collect info about service accessUiO Spring 2011L08 - INF3510 Information Security21
OpenID self registrationfredbad passwordUiO Spring 2011L08 - INF3510 Information Security22
Service Access Without PasswordUiO Spring 2011L08 - INF3510 Information Security23
First Time Sevice AccessUiO Spring 2011L08 - INF3510 Information Security24
OpenID Characteristics Self registrationID Providers are not ”authorities”You can be your own ID Provider and ServerOnly supports AAL-1Not suitable for sensitive servicesTargets online services with AAL-1Open to multiple forms of abuseUiO Spring 2011L08 - INF3510 Information Security25
OpenID Business Model For ID Providers– Collection of market data– Knows who uses which service– Fragmentation of ID Provider market is a threat For Service Providers (Relying Party)– Potentially more traffic and business For users– Avoid multiple identities– Avoids typing passwords– (Must still type OpenID identifier)UiO Spring 2011L08 - INF3510 Information Security26
Microsoft‟s InfoCard modelLegend :SPIdPIdentity domainSP 1SP 233Commonuser-IdP 333#SSO tootherdomains##User identifiermanaged by IdP #Authenticationtoken managed byIdP #Security assertionissued by IdP #Service logonCardSpacewith InfoCardsUiO Spring 2011L08 - INF3510 Information SecurityService provision27
InfoCard Model Requires intelligent browser Identities called ”InfoCard” stored in the browser‟s”CardSpace” Browser automatically relays security assertions SignOn to IdP subject to phising Supports multiple IdPs ”MS.Net Passport” renamed ”MS Live Space” CardSpace is compatible with dstributed commonidentity models, e.g. OpenIDUiO Spring 2011L08 - INF3510 Information Security28
SSO automation on server or client side SSO offers single manual authenticationBut involves repeated automated authenticationsSSO is therefore a logon-automation mechanismWhere to put the automation system?– Both on server and client side: Traditional SSO Kerberos, InfoCard– On server side only: Federated SSO– On client side only: User Centric SSO Password wallets in software or hardwareUiO Spring 2011L08 - INF3510 Information Security29
User-Centric SSO Advantages––––Improved usabilityCompatible with silo identity domainsLow trust requirementsGood privacy protection Disadvantages––––Does not allows SPs to control service bundlingDoes not allow SPs to collect user informationRequires user-side software or hardwareRequires user educationUiO Spring 2011L08 - INF3510 Information Security30
SSO model suitability Federated SSO, well suited for––––Large organisationsGovernment organisationsClosely associated organisationsRelated Web service providers User-centric SSO, well suited for– Open networks– e-commerce– Unrelated Web servicesUiO Spring 2011L08 - INF3510 Information Security31
The European IDA IDABC ISA IDA: Interchange of Data between Administrations– EU Work Programme 2000 – 2004 IBAC: Interoperable Delivery of European eGovernmentServices to public Administrations, Business and Citizens– EU Work Programme 2005 – 2009 ISA: Interoperable Solutions for European PublicAdministrations– EU Work Programme 2010 – 2015 Assurance Levels 1-4 defined in IDA auth. policy of 2004. Should include Level 0 to cover non-authenticatingservices and anonymous authenticationUiO Spring 2011L08 - INF3510 Information Security32
The STORK Project 2009 - 2011 Secure idenTity acrOss boRders linKedCross-border recognition of eIDSupports mobility of citizensPilots:–––––Cross-border authentication platformSafe use of the Internet for children using eIDCross-border student mobilityCross-border online delivery of documentsChange of address with eIDUiO Spring 2011L08 - INF3510 Information Security33
Four national identity federationsHaka (Finland): Operational (Shibboleth)UiO Spring 2011FEIDE (Norway):Operational (Moria, SAML2.0)DK-AAI (Denmark):Piloting (A-Select)SWAMID (Sweden):Piloting (Shibboleth)L08 - INF3510 Information Security34
Technical shape of a federation:DistributedSPIdPSPIdPSPIdPIdPSPUiO Spring 2011 Model deployed by Haka(.fi), SWAMID (.se) andseveral other federations Pros– No single point of failure inthe message flow– Costs of federationmanagement low Cons– Hard to track errors and– Not well supported bycommercial productsL08 - INF3510 Information Security35
Technical shape of a UiO Spring 2011 Model deployed by FEIDE (.no)and WAYF (.dk) Pros– A single point where to locateproblems and introduce newfeatures– Economics of scale Cons– A single point of failure– Everyone needs to trust the IdP inthe middleL08 - INF3510 Information Security36
FEIDE (Felles Elektronisk Identitet) FEIDE is a system for Id management within theNorwegian national education sector. Users have only one username and password Users access web-services via a central log-in service Services are given what they need to know about theuser Services are not given the users password/credential,only information about the userUiO Spring 2011L08 - INF3510 Information Security37
FEIDE (continued) FEIDE have formal agreements with the schools beforethey are connected The home organizations (schools) are responsible forthe data about the users (correct and up-to-date) Home organizations decide themselves what servicestheir users should be able to access via the central log-inserviceUiO Spring 2011L08 - INF3510 Information Security38
FEIDE Technical Aspects Based on SAML 2.0 Backend authenticate users by using LDAP One central identity provider (IdP) where serviceproviders (SPs) are connected Single Sign On when going between services Single Log Out when logging out from a serviceUiO Spring 2011L08 - INF3510 Information Security39
FEIDE ArchitectureUiO Spring 2011L08 - INF3510 Information Security40
Introduction to access controlsecretPhysical Access Control:info(theme for lecture onphysical security)Logical Access Control:Logicalprotection(theme for this lecture)UiO Spring 2011L08 - INF3510 Information Security41
Introduction to access control Access Control– controls how users and systems access other systems andresources– prevents unauthorized users access to resources– prevents authorized users from misusing resources Some information assets may be accessible to all, butaccess to some information assets should be restricted. Unauthorized access could compromise– Confidentiality– Integrity– Availabilityof information assetsUiO Spring 2011L08 - INF3510 Information Security42
Basic concepts Access control terminology:– Subjects Entities requesting access to a resourceExamples: Person (User), Process, DeviceActiveInitiate the request and is the user of information– Objects Resources or entities which contains informationExamples: Disks, files, records, directoriesPassiveRepository for information, the resources that a subject triesto accessUiO Spring 2011L08 - INF3510 Information Security43
Access modes Modes of access:– What access permissions (authorizations) should subjectshave? If you are authorized to access a resource, what are youallowed to do to the resource?– Example: possible access permissions include read - observe write – observe and alter execute – neither observe nor alter append - alterUiO Spring 2011L08 - INF3510 Information Security44
Access control phases Three phases of access control1. Registration and authorization phasea. Authorise subject by defining the AC policyb. Distribute access credentials/token to subject (provisioning)c. Change authorization whenever necessary2. Authentication and approval phasea. Authenticate subjectb. Approve access as authorised by policyc. Monitor access3. Termination phaseDe-register identity / Revoke authorizationUiO Spring 2011L08 - INF3510 Information Security45
Access Control Phases Access control has a procedure component in:– Offline: registration, provisioning, authorization (only once)– Online: controlling access during operations fication Who are you?ProvisioningCan youAuthentication prove it?AuthorizationUiO Spring 2011ApprovalDe-registrationRevokeauthorizationAre youauthorized?L08 - INF3510 Information Security46
Access control and WS-Security )System owner dP –policyrequestSystem ownerPDP6decisionaccessSystem resource745requestPEPaccess requestUserauthenticationApproval ProcessS object &access typeSPAP: Policy Administration PointPEP: Policy Enforcement PointOfflinePDP: Policy Decision PointIdP: Identity ProviderOnlineUiO Spring 2011L08 - INF3510 Information Security47
Basic concepts Access control approaches:– How do you define which subjects can access whichobjects? Three main approaches– Discretionary access control (DAC)– Mandatory access control (MAC)– Role-based access control (RBAC)UiO Spring 2011L08 - INF3510 Information Security48
Basic concepts: DAC Discretionary access control: 2 interpretations:1. Access rights to an object or resource are granted atthe discretion of the owner e.g. security administrator, the owner of the resource, or theperson who created the asset DAC is discretionary in the sense that a subject with acertain access authorization is capable of passing thatauthorization (directly or indirectly) to any other subject.2. According to the Orange Book (TCSEC) DAC isimplemented as a an ACL (Access Control List) Popular operating systems use DAC, bothaccording to interpretation 1) and 2)UiO Spring 2011L08 - INF3510 Information Security49
Basic concepts: ACL Access Control Lists (ACL)– Attached to an object– Provides an access rule for alist of subjects– Simple means of enforcingpolicy– Does not scale wellO1 O2 O3 O4Subjects ACLs can be combined intoan access control matrixcovering access rules for aset of objectsObjectsS1 rw-xrS2r-rrwS3-x--xxxS4 rwUiO Spring 2011L08 - INF3510 Information Security50
Basic concepts: MAC Mandatory access control: 2 interpretations:1. A central authority assigns access privileges MAC is mandatory in the sense that users do not controlaccess to the resources they create.2. According to the Orange Book (TCSEC) MAC isimplemented with security labels Example: Security clearance and classification levels A system-wide set of rules for objects andsubjects specify permitted modes of access– (SE)Linux includes MACUiO Spring 2011L08 - INF3510 Information Security51
Basic concepts: Labels Security Labels can be assigned to subjects and objects– Represents a specific security level, e.g. “Confidential” or “Secret” Object labels are assigned according to sensitivity Subject labels are determined by the authorization policy Access control decisions are made by comparing thesubject label with the object label according to rules The set of decision rules is a security model– Used e.g. in the Bell-LaPadula and Biba models (see later)SubjectUiO Spring 2011compareL08 - INF3510 Information SecurityObject52
Basic concepts: Combined MAC & DAC Combining access control approaches:– A combination of mandatory and discretionary accesscontrol approaches is often used Mandatory access control is applied first: If access is granted by the mandatory access control rules,– then the discretionary system is invoked Access granted only if both approaches permit– This combination ensures that no owner can make sensitive information available tounauthorized users, and „need to know‟ can be applied to limit access that wouldotherwise be granted under mandatory rulesUiO Spring 2011L08 - INF3510 Information Security53
Basic concepts: RBAC Role based access control– Access rights are based on the role of the subject,rather than the identity A role is a collection of procedures or jobs that the subjectperforms Examples: user, administrator, student, etc A subject could have more than one role, and more than onesubject could have the same role– RBAC can be combined with DAC and MACUiO Spring 2011L08 - INF3510 Information Security54
Security Models Introduction In order to describe an access policy, it is necessary todescribe the entities that the access policy applies to andthe rules that govern their behaviour. A security model provides this type of description. Security models have been developed to describeaccess policies concerned with:– Confidentiality (Bell-LaPadula,Clark-Wilson,Brewer-Nash,RBAC)– Integrity (Biba, Clark-Wilson, RBAC)– Prevent conflict of interest (Brewer-Nash, RBAC)UiO Spring 2011L08 - INF3510 Information Security55
The Bell-LaPadula ModelImportant Point:The Bell-LaPadula model has its origins in themilitary‟s need to maintain the confidentialityof classified information.
Bell-LaPadula Model:Overview While working for the Mitre Corporation in the 1970s,David E. Bell and Leonard J. LaPadula developed theBell-La Padula Model in response to US Air Forceconcerns over the security of time-sharing mainframesystems. The Bell-LaPadula model focuses on the confidentialityof classified information – a Confidentiality-focussedSecurity Policy. The model is a formal state transition model of computersecurity policy that describes a set of access controlrules enforced through the use of security labels onobjects and clearances for subjects.UiO Spring 2011L08 - INF3510 Information Security57
DiagramBell-LaPadula Model:Hierarchical Security LevelsTop Secret Secret Confidential UnclassifiedUiO Spring 2011 Security levels aretypically used in militaryand national securitydomains Provide coarse-grainedaccess controlL08 - INF3510 Information Security58
Access Categories To implement the „need to know‟ principle,define a set of non-ordered categories.– Subject and objects can have a set of categories inaddition to their hierarchical security level; Example categories could be– Names of departments, such as:Development – Production – Marketing – HR Not originally part of the Bell-LaPadula modelUiO Spring 2011L08 - INF3510 Information Security59
Bell-LaPadula Model:Security Labels Each subject and object has a Security Label– Subjects have a Maximum Security Label LSM.– Subjects can use a Current Security Label LSC LSM– Objects have a fixed Security Label LO. The aim is to prevent subjects from accessingan object with a security label that isincompatible with the subject‟s security label. Subjects can chose to use a lower “current” labelthan their maximum label when accessingobjects.UiO Spring 2011L08 - INF3510 Information Security60
Bell La Padula Model:Security Labels and Domination Security labels that are assigned to subjects andobjects can consist of two components– a hierarchical level, and– a set of categories (not originally part of Bell-LaPadula) Label dominance– Let label LA (h-levelA, category-setA)– Let label LB (h-levelB, category-setB).– Then LabelA dominates LabelB iff h-levelB is less than or equal to h-levelA and category-setB is a subset of category-setA.UiO Spring 2011L08 - INF3510 Information Security61
Partial Ordering of Labels Example: Define a label L (h, c) whereh hierarchical set H {Unclassified, Secret} {U, S}c category set C {Development, Production} {D, P}(S,{D,P})Partialorderinglattice(S,P)(S,D): dominates(S, )(U,{D,P})(U,P)(U,D)(U, )UiO Spring 2011L08 - INF3510 Information Security62
Definition of label dominance Labels defined as: L (h, c), h H and c CH: set of hierarchical levels,C: set of categories Example labels: LA (hA, cA), LB (hB, cB), Dominance: LA LB iff (hB hA) (cB cA)– In case LA LB then also LA LB and LB LA Non-dominance cases: LA LB– (hB hA) (cB cA); insufficient security level– (hB hA) (cB cA); insufficient category set– (hB hA) (cB cA); insufficient level and categoryUiO Spring 2011L08 - INF3510 Information Security63
Bell-LaPadula Model:Security Properties In each state of a system the Bell-LaPadula modelmaintains three security properties:– ss-property (simple security)– * -property (star)– ds-property (discretionary security)UiO Spring 2011L08 - INF3510 Information Security64
Bell-LaPadula Model:SS-Property: No Read UpTop sSecretreadConfidentialUiO Spring 2011L08 - INF3510 Information Security65
Bell-LaPadula Model:*-Property: No Write Down Subjects working on information/tasks at a given labelshould not be allowed to write to a lower level becausethis could leak sensitive information. For example, you should only be able write to files withthe same label as your label, or you could also write to files with a higher label than yourlabel, but you should not be able to read those files.UiO Spring 2011L08 - INF3510 Information Security66
DiagramBell-LaPadula Model:*-Property: No Write DownCurrentSubjectlabelSecretwritewritewriteTop SecretSecretObjectLabelsConfidentialUiO Spring 2011L08 - INF3510 Information Security67
Bell-LaPadula label relationshipsobject labels LOABwrite accessCDCurrent Subject label LSC LOEEFread accessDominancePossible LSMGHIUiO Spring 2011L08 - INF3510 Information Security68
DiagramBell-LaPadula Model:DS Property: Matrix Entry M(i,j) satisfies current access requestObject j{write}Subject i?Access request : {subject i, object j, access write}UiO Spring 2011L08 - INF3510 Information Security69
Bell-LaPadula Model:DS Property: Matrix Entry The ds-property (discretionary security property) is aBell-LaPadula security model rule that demands that thecurrent access by subject S to object O is permitted bythe current access permission matrix M. This was the original method to enforce need-to-know inBell-LaPadula.UiO Spring 2011L08 - INF3510 Information Security70
The Biba Model for Integrity In Biba, subjects and objects have integrity labels The Biba Simple Integrity Axiom states that a subject ata given level of integrity must not read an object at alower integrity level (no read down). The Biba * (star) Integrity Axiom states that a subject ata given level of integrity must not write to any object at ahigher level of integrity (no write up). Opposite to Bell-LaPadula Combining Biba and Bell-LaPadula results in a modelwhere subjects can only read and write at their own levelUiO Spring 2011L08 - INF3510 Information Security71
The Brewer-Nash Chinese WallModel
Brewer-Nash model:Overview The Brewer-Nash model is a confidentiality model for thecommercial world.– In a consultancy-based business, analysts have to ensure thatno conflicts of interest arise in respect to dealings with differentclients.– A conflict of interest is a situation where someone in a position oftrust has competing professional and/or personal interests andtheir ability to carry out their duties and responsibilitiesobjectively is compromised or may be seen to be compromised. Rule: There must be no information flow that causes a„conflict of interest‟.UiO Spring 2011L08 - INF3510 Information Security73
Brewer-Nash model:Sanitized and Unsanitized Information Assume that a consultancy-based business hasconfidential information pertaining to individualcompanies that are its clients.– Information that can be identified as belonging to a particularcompany is deemed to be unsanitized.– Information that cannot be identified as belonging to a particularcompany is deemed to be sanitized.– Also, where information is held regarding a company but it is notconfidential (already public knowledge say), this information isnot subject to the policy implemented by this model. The Brewer-Nash model is concerned with the flow ofunsanitized information.– Sanitized information flow is not of concern in this model.UiO Spring 2011L08 - INF3510 Information Security74
Brewer-Nash model:Objects, Datasets & Conflict Classes Objects:– Individual items of information belonging to a single corporationare stored as objects;– Each object has a security label– Security labels contain information about which company theobject belongs to, and the „conflict of interest‟ class the objectbelongs to. Company datasets:– All objects which concern the same corporation are groupedtogether into a company dataset; Conflict classes:– All company datasets whose corporations are in competition aregrouped together into the same conflict of interest class.UiO Spring 2011L08 - INF3510 Information Security75
DiagramBrewer-Nash model:Example conflict classes and companiesConflict classes: A, B, CClass AClass BClass CClass B Company datasetsabcdefghiO1 O2 O3 O4 O5Objects of Company eUiO Spring 2011L08 - INF3510 Information Security76
Brewer-Nash ss-property (simple security) An analyst who has already accessed an object ofcompany e in conflict class B cannot now access anyobjects of other companies in conflict class B– Because companies in the same conflict class are in competitionwith each other. Accessing information of multiple companies inthe same conflict class would lead to a conflict of interest. The analyst can access an object of any company inconflict class A or C– Insider information about companies in class A or C does notrepresent a conflict of interest with companies in class Bbecause they are not in direct competition with each otherUiO Spring 2011L08 - INF3510 Information Security77
Brewer-Nash model:Star (*) Security Property Suppose two analysts, user 1 and user 2, have thefollowing access:– User 1 has access to information about company e in class Band company a in class A– User 2 has access to information about company d in class Band company a in class A If user 1 reads information from company e and writes itto a company a object, then user 2 has access tocompany e information. This should not be permitted because of the conflict ofinterest between company e and company d.UiO Spring 2011L08 - INF3510 Information Security78
Brewer-Nash model:Star (*) Security Property Write access is only permitted if:– access is permitted by the ss rule, and– no object can be read which is in a different companydataset from the one for which write access isrequested and contains unsanitized information. In other words, write access is granted only if noother object (with unsanitized data) can becurrently read which is in a different companydataset (in any conflict class)UiO Spring 2011L08 - INF3510 Information Security79
The Clark-Wilson Model
Clark Wilson model:Overview The Clark-Wilson Security model is an integrity model forthe commercial environment. There is an emphasis on controlling transactionprocessing. The Clark-Wilson Security model provides a formalmodel for commercial integrity– The model attempts to prevent unauthorised modification ofdata, fraud and errors.UiO Spring 2011L08 - INF3510 Information Security81
Clark Wilson model:Overview The Clark-Wilson Security model attempts to follow theconventional controls used
-Simple to deploy, low cost for SPs Disadvantages -Identity overload for users, poor usability UiO Spring 2011 L08 - INF3510 Information Security 7. Tragedies of the Commons OTP123 . -e-commerce -Unrelated Web services UiO Spring 2011 L08 - INF3510 Information Security 31. The European IDA IDABC ISA
