Chapter 7. Hybrid Policies Kim Sang Wook 2006. 10. 18 Database Lab.

Contents 7.1. Chinese Wall Model 7.2. Clinical Information Systems Security Policy 7.3. Originator Controlled Access Control 7.4. Role-Based Access Control

7.1. Chinese Wall Model Refers equally to confidentiality and integrity Involves conflict of interest in business Definitions The Objects (O) of the database are items of information related to a company. A Company dataset (CD) contains objects related to a single company. A Conflict of interest (COI) class contains the datasets of companies in competition.

7.1. Chinese Wall Model CW-Simple Security Condition, Preliminary Version: S can read O if and only if either of the following is true. 1. There is an object O’ such that S has accessed O’ and CD(O’) = CD(O). 2. For all objects O’, O’ ∈ PR(S) ⇒ COI(O’) ≠ COI(O).

7.1. Chinese Wall Model CW-Simple Security Condition: S can read O if and only if any of the following holds. 1. There is an object O’ such that S has accessed O’ and CD(O’) = CD(O). 2. For all objects O’, O’ ∈ PR(S) ⇒ COI(O’) ≠ COI(O). 3. O is sanitized object.

7.1. Chinese Wall Model CW-*-Property: A subject S may write to an object O if and only if both of the following conditions hold. 1. The CW-Simple security condition permits S to read O. 2. For all unsanitized objects O’, S can read O’ ⇒ CD(O’) = CD(O).

7.1.1. Bell-LaPadula and Chinese Wall Models Fundamentally different Subjects in the Chinese Wall model have no associated security labels Notion of “past accesses” is central to the Chinese Wall model’s controls.

7.1.2. Clark-Wilson and Chinese Wall Models The Clark-Wilson deals with aspects of integrity (validation and verification, access control). The Chinese Wall model deals exclusively with access control.

7.2. Clinical Information Systems Security Policy Definitions A patient is the subject of medical records, or an agent for that person who can give consent for the person to be treated. Personal health information is information about a patient’s health or treatment enabling that patient to be identified. - “medical record” A clinician is a health-care professional who has access to personal health information while performing his or her job.

7.2. Clinical Information Systems Security Policy Access Principles Each medical record has an access control list naming the individuals or groups who may read and append information to the record. One of the clinicians on the access control list (called the responsible clinician) must have the right to add other clinicians to the access control list. The responsible clinician must notify the patient of the names on the access control list whenever the patient’s medical record is opened. The name of the clinician, the date, and the time of access of a medical record must be recorded.

7.2. Clinical Information Systems Security Policy Creation Principle: A clinician may open a record, with the clinician and the patient on the access control list. Deletion Principle: Clinical information cannot be deleted from a medical record until the appropriate time has passed. Confinement Principle: Information from one medical record may be appended to a different medical record if and only if the access control list of the second record is a subset of the access control list of the first.

7.2. Clinical Information Systems Security Policy Aggregation Principle: Measures for preventing the aggregation of patient data must be effective. Enforcement Principle: Any computer system that handles medical records must have a subsystem that enforces the preceding principles.

7.2.1. Bell-LaPadula and Clark-Wilson Models Bell-LaPadula Model Focus on the subjects accessing the objects. There are more subjects than security labels. Clinical Information System model Focus on the objects being accessed by the subjects. There are more patients, and medical records, than clinicians.

7.2.1. Bell-LaPadula and Clark-Wilson Models The Clark-Wilson model provides a framework for the Clinical Information System model. CDIs – the medical records and their associated access control lists. TPs – the function that update the medical records and their access control lists. IVPs A person identified as a clinician is a clinician. A clinician validates, or has validated, information in the medical record. When someone is to be notified of an event, such notification occurs. When someone must give consent, the operation cannot proceed until the consent is ontained.

7.3. Originator Controlled Access Control ORGCON or ORCON: A subject can give another subject rights to an object only with the approval of the creator of that object. Discretionary access controls (DACs) The owner of an object can set any permissions desired. Mandatory access controls (MACs) Multiplying this by several thousand possible relationships and documents creates an unacceptably large number of catagories. This requires a central clearinghouse for categories.

7.3. Originator Controlled Access Control A solution is to combine features of the MAC and DAC models. The rules are The owner of an object cannot change the access controls of the object. When an object is copied, the access control restrictions of that source are copied and bound to the target of the copy. The creator (originator) can alter the access control restrictions on a per-subject and per-object basis.

7.4. Role-Based Access Control Definitions A role is collection of job functions. Each role r is authorized to perform one or more transactions. The set of authorized transactions for r is written trans(r). The active role of a subject s, written actr(s), is the role that s is currently performing. The authorized roles of a subject s, written authr(s), is the set of roles that s is authorized to assume. The predicate canexec(s, t) is true if and only if the subject s can execute the transaction t at the current time.

7.4. Role-Based Access Control Axioms Let S be the set of subjects and T the set of transactions. The rule of role assignment is (∀s ∈ S) (∀t ∈ T) [ canexec(s, t) → actr(s) ≠ ∅ ]. Let S be the set of subjects. Then the rule of authorization is (∀s ∈ S) [ actr(s) ⊆ authr(s) ]. Let S be the set of subjects and T the set of transactions. The rule of transaction authorization is (∀s ∈ S) (∀t ∈ T) [ canexec(s, t) → t ∈ trans(actr(s)) ].

7.4. Role-Based Access Control The forms of these axioms restrict the transactions that can be executed. This suggests that RBAC is a form of mandatory access control. The axioms state rules that must be satisfied before a transaction can be executed. Discretionary access control mechanisms may further restrict transactions. Examples If role ri contains role rj, we write ri > rj. Using our notation, the implications of containment of roles may be expressed as (∀s ∈ S) [ ri ∈ authr(s) ∧ ri > rj → rj ∈ authr(s) ] For two roles r1 and r2 bound by separation of duty: (∀s ∈ S) [ r1 ∈ authr(s) → r2 ∉ authr(s) ]

7.4. Role-Based Access Control Definition Let r be a role, and let s be a subject such that r ∈ authr(s). Then the predicate meauth(r) (for mutually exclusive authorizations) is the set of roles that s cannot assume because of the separation of duty requirement. Putting this definition together with the above example, the principle of separation of duty can be summarized as (∀ r1, r2 ∈ R) [ r2 ∈ meauth(r1) → [ (∀s ∈ S) [ r1 ∈ authr(s) → r2 ∉ authr(s) ] ] ]