A Comparison of Commercial and Military Computer Security Policies

David D. Clark*, David R. Wilson**

*Senior Research Scientist, MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139
**Director, Information Security Services, Ernst & Whinney, 2000 National City Center, Cleveland, OH 44114

ABSTRACT

Most discussions of computer security focus on control of disclosure. In particular, the U.S. Department of Defense has developed a set of criteria for computer mechanisms to provide control of classified information. However, for that core of data processing concerned with business operation and control of assets, the primary security concern is data integrity. This paper presents a policy for data integrity based on commercial data processing practices, and compares the mechanisms needed for this policy with the mechanisms needed to enforce the lattice model for information security. We argue that a lattice model is not sufficient to characterize integrity policies, and that distinct mechanisms are needed to control disclosure and to provide integrity.

INTRODUCTION

Any discussion of mechanisms to enforce computer security must involve a particular security policy that specifies the security goals the system must meet and the threats it must resist. For example, the high-level security goals most often specified are that the system should prevent unauthorized disclosure or theft of information, should prevent unauthorized modification of information, and should prevent denial of service. Traditional threats that must be countered are system penetration by unauthorized persons, unauthorized actions by authorized persons, and abuse of special privileges by systems programmers and facility operators. These threats may be intentional or accidental.

Imprecise or conflicting assumptions about desired policies often confuse discussions of computer security mechanisms. In particular, in comparing commercial and military systems, a misunderstanding about the underlying policies the two are trying to enforce often leads to difficulty in understanding the motivation for certain mechanisms that have been developed and espoused by one group or the other. This paper discusses the military security policy, presents a security policy valid in many commercial situations, and then compares the two policies to reveal important differences between them.

The military security policy we are referring to is a set of policies that regulate the control of classified information within the government. This well-understood, high-level information security policy is that all classified information shall be protected from unauthorized disclosure or declassification. Mechanisms used to enforce this policy include the mandatory labeling of all documents with their classification level, and the assigning of user access categories based on the investigation (or "clearing") of all persons permitted to use this information. During the last 15 to 20 years, considerable effort has gone into determining which mechanisms should be used to enforce this policy within a computer. Mechanisms such as identification and authorization of users, generation of audit information, and association of access control labels with all information objects are well understood. This policy is defined in the Department of Defense Trusted Computer System Evaluation Criteria [DOD], often called the "Orange Book" from the color of its cover. It articulates a standard for maintaining confidentiality of information and is, for the purposes of our paper, the "military" information security policy. The term "military" is perhaps not the most descriptive characterization of this policy; it is relevant to any situation in which access rules for sensitive material must be enforced. We use the term "military" as a concise tag which at least captures the origin of the policy.

184   CH2416-6/87/0000/0184$01.00 © 1987 IEEE

In the commercial environment, preventing disclosure is often important, but preventing unauthorized data modification is usually paramount. In particular, for that core of commercial data processing that relates to management and accounting for assets, preventing fraud and error is the primary goal. This goal is addressed by enforcing the integrity rather than the privacy of the information. For this reason, the policy we will concern ourselves with is one that addresses integrity rather than disclosure. We will call this a commercial policy, in contrast to the military information security policy. We are not suggesting that integrity plays no role in military concerns. However, to the extent that the Orange Book is the articulation of the military information security policy, there is a clear difference of emphasis in the military and commercial worlds.

While the accounting principles that are the basis of fraud and error control are well known, there is yet no Orange Book for the commercial sector that articulates how these policies are to be implemented in the context of a computer system. This makes it difficult to answer the question of whether the mechanisms designed to enforce military information security policies also apply to enforcing commercial integrity policies. It would be very nice if the same mechanisms could meet both goals, thus enabling the commercial and military worlds to share the development costs of the necessary mechanisms. However, we will argue that two distinct classes of mechanism will be required, because some of the mechanisms needed to enforce disclosure controls and integrity controls are very different.

Therefore, the goal of this paper is to defend two conclusions. First, there is a distinct set of security policies, related to integrity rather than disclosure, which are often of highest priority in the commercial data processing environment. Second, some separate mechanisms are required for enforcement of these policies, disjoint from those of the Orange Book.

MILITARY SECURITY POLICY

The policies associated with the management of classified information, and the mechanisms used to enforce these policies, are carefully defined and well understood within the military. However, these mechanisms are not necessarily well understood in the commercial world, which normally does not have such a complex requirement for control of unauthorized disclosure. Because the military security model provides a good starting point, we begin with a brief summary of computer security in the context of classified information control.

The top-level goal for the control of classified information is very simple: classified information must not be disclosed to unauthorized individuals. At first glance, it appears the correct mechanism to enforce this policy is a control over which individuals can read which data items. This mechanism, while certainly needed, is
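The read-control mechanism described above (labels on every object, a clearance per user, and a check of whether the clearance dominates the label) written out as a small lattice check in Python. This is an added example and is not code from the paper or from any DoD evaluation; the level names, the category names, the audit record layout and the sample users and objects are assumptions constructed for the example. It also shows the lattice join (least upper bound) of two labels, which the abstract refers to as the lattice model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed ordering of classification levels, lowest to highest.
# The paper names no specific levels; these are an assumption of the example.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a classification level plus a set of categories.
    The same type serves as an object's label and as a user's clearance."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level is at least as high AND categories are a superset.
        Two labels with disjoint categories are incomparable: neither dominates."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the smallest label that dominates both inputs."""
        top = max(self.level, other.level, key=LEVELS.index)
        return Label(top, self.categories | other.categories)


def can_read(clearance: Label, obj_label: Label) -> bool:
    """Disclosure control: a user may read an object only if the user's
    clearance dominates the object's label."""
    return clearance.dominates(obj_label)


# Audit trail of (user, object, decision); the paper lists generation of audit
# information among the well-understood mechanisms. Record format is assumed.
AUDIT: List[Tuple[str, str, bool]] = []


def request_read(user: str, clearance: Label, obj_name: str, obj_label: Label) -> bool:
    """Mediate one read request and record the decision in the audit trail."""
    decision = can_read(clearance, obj_label)
    AUDIT.append((user, obj_name, decision))
    return decision


# Constructed sample labels (categories "NUC" and "CRYPTO" are invented).
SECRET_NUC = Label("SECRET", frozenset({"NUC"}))
CONF_CRYPTO = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
CONF_PLAIN = Label("CONFIDENTIAL")


def demo() -> Tuple[bool, bool, Label]:
    """Run three representative checks and return their results."""
    # A SECRET/{NUC} clearance dominates a plain CONFIDENTIAL object.
    ok = request_read("alice", SECRET_NUC, "memo", CONF_PLAIN)
    # CONFIDENTIAL/{CRYPTO} does not dominate SECRET/{NUC}: level too low and
    # category missing, so the read is refused.
    refused = request_read("bob", CONF_CRYPTO, "reactor-plan", SECRET_NUC)
    # The two labels are incomparable; their join is SECRET/{NUC, CRYPTO}.
    lub = SECRET_NUC.join(CONF_CRYPTO)
    return ok, refused, lub


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT:
        print(entry)
```

Note that the decision depends only on the pair of labels; nothing in `can_read` inspects what the user will do with the data once access is granted, which is exactly the gap the paper argues a commercial integrity policy must fill with separate mechanisms.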