Formal Security Models and SharePoint
A security model is an abstract layer of security that provides multiple levels of protection, so that a user cannot read or manipulate data across tiers. Security models are built on the principle of arranging objects and subjects into multiple levels, which gives a conceptual approach to securing SharePoint.
Bell-LaPadula (BLP) Security Model
BLP is a security model that relies on the concept of a state machine, and focuses mostly on the C (confidentiality) in the CIA triad.
The state machine concept holds that a machine changes only at discrete points in time, and that its state can only be altered by a state transition.
This allows the environment to capture itself in its initial state, where it is considered healthy and secure, and then repeatedly capture snapshots of the machine, which are its states. This allows analysis of whether a state transition has placed the machine in an insecure state, and ensures that the machine starts securely, commits actions securely, and only allows objects to be manipulated while in a secure state.
The way that the model works is:
- No reading from lower levels to upper levels
- No writing from upper levels to lower levels
Data can move between the various levels, but how this data is moved is defined by transition functions. These functions ensure that the initial security state of the data is maintained, and that the destination security state is also a secure one.
There are three multi-level properties that exist in the BLP model:
- Discretionary Security Property (DS): specifies discretionary access control by using an access matrix
- Simple Security Property (SS): a transition function which states that a subject trying to read an object at a higher level is not permitted (no read up)
- Star Property: a transition function which states that a subject trying to write down to an object at a lower level is not permitted (no write down)
Leveraging this particular security model means that a user will not be able to push or pull objects beyond their related security levels. This is particularly helpful within organizations that must maintain a classification system, since users will not be able to write sensitive information where other users who don’t meet the classification standard would be able to read it, and users at a lower level are not able to directly access information that is beyond their classification level.
Biba Security Model
The Biba security model is in essence the opposite of the BLP system, since it promotes no reading down and no writing up. The transition functions of the Biba system are:
- Simple Integrity: A subject at a high level of integrity is not able to read objects that exist at a low level of integrity
- Star Integrity: A subject cannot write objects from a lower level of integrity to a higher level of integrity
The Biba model functions on the concept that objects which originate from a lower level of integrity can’t be pushed to a higher level, where they might pollute the higher level of integrity. By ensuring that information can only travel from higher levels of integrity to lower ones, the environment is safeguarded.
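As an added example (not from the original article), here is a small reference monitor in Python that applies the BLP rules (DS, SS and Star) and the Biba rules (Simple and Star Integrity) described above to a request; the subjects, objects, labels and access matrix are constructed sample data, not SharePoint's own.

```python
from enum import IntEnum

class Level(IntEnum):
    """Ordered label; used for both confidentiality (BLP) and integrity (Biba)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2

# Constructed sample data: (confidentiality, integrity) label per subject and object.
SUBJECTS = {
    "analyst": (Level.HIGH, Level.MEDIUM),   # cleared for HIGH, trusted at MEDIUM
    "intern":  (Level.LOW, Level.LOW),
}
OBJECTS = {
    "board-minutes.docx": (Level.HIGH, Level.HIGH),
    "public-notice.docx": (Level.LOW, Level.LOW),
    "team-wiki.aspx":     (Level.MEDIUM, Level.MEDIUM),
}
# Constructed discretionary access matrix for the BLP DS property.
ACCESS_MATRIX = {
    ("analyst", "board-minutes.docx"): {"read"},
    ("analyst", "public-notice.docx"): {"read", "write"},
    ("analyst", "team-wiki.aspx"): {"read", "write"},
    ("intern", "board-minutes.docx"): {"read"},  # granted by the owner, still blocked by SS
    ("intern", "public-notice.docx"): {"read", "write"},
    ("intern", "team-wiki.aspx"): {"write"},
}

def check(subject: str, obj: str, op: str) -> list[str]:
    """Return the list of violated properties for the request; an empty list means permitted."""
    s_conf, s_int = SUBJECTS[subject]
    o_conf, o_int = OBJECTS[obj]
    violations = []
    # DS property: the discretionary matrix must grant the operation at all.
    if op not in ACCESS_MATRIX.get((subject, obj), set()):
        violations.append("DS: not in access matrix")
    if op == "read":
        if o_conf > s_conf:            # BLP Simple Security: no read up
            violations.append("BLP SS: no read up")
        if o_int < s_int:              # Biba Simple Integrity: no read down
            violations.append("Biba simple integrity: no read down")
    elif op == "write":
        if o_conf < s_conf:            # BLP Star: no write down
            violations.append("BLP *: no write down")
        if o_int > s_int:              # Biba Star: no write up
            violations.append("Biba *: no write up")
    else:
        violations.append(f"unknown operation {op!r}")
    return violations
```

Note that the analyst is refused a read of the low-integrity public notice: under Biba a highly trusted subject must not consume data from a less trusted level, even though BLP alone would allow it.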
Clark-Wilson (C-W) Security Model
The Clark-Wilson model focuses on the I (integrity) in the CIA triad. To promote the integrity of the environment, the Clark-Wilson model focuses on two main objectives:
- Internal and external consistency
- Managing changes: unauthorized users should make no changes, and authorized users should not make unauthorized changes
The central idea on which the C-W model is built is the need for consistency. As stated above, there are two types of consistency:
- Internal Consistency Security policies of the operating system that are related to SharePoint
- External Consistency: Internal state of the system as it relates to end-users, which is controlled by either SharePoint or other software products.
There are two main operations that provide the basis for the C-W model:
- Separation Of Duties (Promotes External Security): By having a true separation of duties for users, it can be ensured that no one person has complete control over a system and that failover mechanisms are always in place
- Well-Formed Transactions (Promotes Internal Security): Data and data processes are never directly controlled by users; instead, users have access to applications that manipulate these assets on their behalf. It is important to note that the user never has access to the data directly.