Chapter 7. Hybrid Policies

Presentation on theme: "Chapter 7. Hybrid Policies"— Presentation transcript:

1 Chapter 7. Hybrid Policies
Kim Sang Wook Database Lab.

2 Contents
7.1. Chinese Wall Model
7.2. Clinical Information Systems Security Policy
7.3. Originator Controlled Access Control
7.4. Role-Based Access Control

3 7.1. Chinese Wall Model
The model refers equally to confidentiality and integrity.
It addresses conflicts of interest in business.
Definitions:
The objects (O) of the database are items of information related to a company.
A company dataset (CD) contains objects related to a single company.
A conflict of interest (COI) class contains the datasets of companies in competition.

4 7.1. Chinese Wall Model
CW-Simple Security Condition, Preliminary Version: S can read O if and only if either of the following is true (PR(S) denotes the set of objects that S has read).
1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).

5 7.1. Chinese Wall Model
CW-Simple Security Condition: S can read O if and only if any of the following holds.
1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).
3. O is a sanitized object.

6 7.1. Chinese Wall Model
CW-*-Property: A subject S may write to an object O if and only if both of the following conditions hold.
1. The CW-simple security condition permits S to read O.
2. For all unsanitized objects O', S can read O' ⇒ CD(O') = CD(O).
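The two conditions above, implemented as an added example that is not part of the slides: the class names and the constructed bank/oil company datasets are my own, and condition 2 of the *-property is checked against every object the subject could read, not only the ones already in PR(S).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    """An object O with its company dataset CD(O) and conflict-of-interest class COI(O)."""
    name: str
    cd: str
    coi: str
    sanitized: bool = False


class ChineseWall:
    """Enforces the CW-simple security condition and the CW-*-property over a fixed object set."""

    def __init__(self, objects):
        self.objects = set(objects)
        self.pr = {}  # PR(S): the objects each subject S has actually read

    def can_read(self, s, o):
        pr = self.pr.get(s, set())
        if o.sanitized:                         # rule 3: sanitized objects are always readable
            return True
        if any(p.cd == o.cd for p in pr):       # rule 1: S is already inside this CD
            return True
        return all(p.coi != o.coi for p in pr)  # rule 2: nothing read yet in the same COI class

    def read(self, s, o):
        """Record the read in PR(S) if the simple security condition allows it."""
        if not self.can_read(s, o):
            return False
        self.pr.setdefault(s, set()).add(o)
        return True

    def can_write(self, s, o):
        """CW-*-property: S may read O, and every unsanitized O' that S can read lies in CD(O)."""
        if not self.can_read(s, o):
            return False
        return all(p.cd == o.cd for p in self.objects
                   if not p.sanitized and self.can_read(s, p))
```

A subject who has read nothing can still read every dataset, so under condition 2 it cannot write anywhere; writes become possible only once the subject's readable unsanitized objects collapse to a single company dataset.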

7 7.1.1. Bell-LaPadula and Chinese Wall Models
The two models are fundamentally different:
Subjects in the Chinese Wall model have no associated security labels.
The notion of "past accesses" is central to the Chinese Wall model's controls.

8 7.1.2. Clark-Wilson and Chinese Wall Models
The Clark-Wilson model deals with several aspects of integrity (validation and verification as well as access control).
The Chinese Wall model deals exclusively with access control.

9 7.2. Clinical Information Systems Security Policy
Definitions:
A patient is the subject of medical records, or an agent for that person who can give consent for the person to be treated.
Personal health information is information about a patient's health or treatment that enables that patient to be identified (the "medical record").
A clinician is a health-care professional who has access to personal health information while performing his or her job.

10 7.2. Clinical Information Systems Security Policy
Access Principles:
1. Each medical record has an access control list naming the individuals or groups who may read and append information to the record.
2. One of the clinicians on the access control list (called the responsible clinician) must have the right to add other clinicians to the access control list.
3. The responsible clinician must notify the patient of the names on the access control list whenever the patient's medical record is opened.
4. The name of the clinician, the date, and the time of access of a medical record must be recorded.

11 7.2. Clinical Information Systems Security Policy
Creation Principle: A clinician may open a record, with the clinician and the patient on the access control list.
Deletion Principle: Clinical information cannot be deleted from a medical record until the appropriate time has passed.
Confinement Principle: Information from one medical record may be appended to a different medical record if and only if the access control list of the second record is a subset of the access control list of the first.

12 7.2. Clinical Information Systems Security Policy
Aggregation Principle: Measures for preventing the aggregation of patient data must be effective.
Enforcement Principle: Any computer system that handles medical records must have a subsystem that enforces the preceding principles.

13 7.2.1. Bell-LaPadula and Clark-Wilson Models
Bell-LaPadula Model: the focus is on the subjects accessing the objects. There are more subjects than security labels.
Clinical Information System model: the focus is on the objects being accessed by the subjects. There are more patients, and medical records, than clinicians.

14 7.2.1. Bell-LaPadula and Clark-Wilson Models
The Clark-Wilson model provides a framework for the Clinical Information System model.
CDIs: the medical records and their associated access control lists.
TPs: the functions that update the medical records and their access control lists.
IVPs:
A person identified as a clinician is a clinician.
A clinician validates, or has validated, information in the medical record.
When someone is to be notified of an event, such notification occurs.
When someone must give consent, the operation cannot proceed until the consent is obtained.

15 7.3. Originator Controlled Access Control
ORGCON or ORCON: A subject can give another subject rights to an object only with the approval of the creator of that object.
Discretionary access controls (DACs): The owner of an object can set any permissions desired, so the originator's restrictions cannot be enforced once the object is in another owner's hands.
Mandatory access controls (MACs): Each document would need its own category for the set of subjects the originator allows to see it. Multiplying this by several thousand possible relationships and documents creates an unacceptably large number of categories, and it requires a central clearinghouse for categories.

16 7.3. Originator Controlled Access Control
A solution is to combine features of the MAC and DAC models. The rules are:
1. The owner of an object cannot change the access controls of the object.
2. When an object is copied, the access control restrictions of the source are copied and bound to the target of the copy.
3. The creator (originator) can alter the access control restrictions on a per-subject and per-object basis.

17 7.4. Role-Based Access Control
Definitions:
A role is a collection of job functions. Each role r is authorized to perform one or more transactions. The set of authorized transactions for r is written trans(r).
The active role of a subject s, written actr(s), is the role that s is currently performing.
The authorized roles of a subject s, written authr(s), is the set of roles that s is authorized to assume.
The predicate canexec(s, t) is true if and only if the subject s can execute the transaction t at the current time.

18 7.4. Role-Based Access Control
Axioms:
Let S be the set of subjects and T the set of transactions. The rule of role assignment is
(∀s ∈ S) (∀t ∈ T) [ canexec(s, t) → actr(s) ≠ ∅ ].
Let S be the set of subjects. Then the rule of authorization is
(∀s ∈ S) [ actr(s) ⊆ authr(s) ].
Let S be the set of subjects and T the set of transactions. The rule of transaction authorization is
(∀s ∈ S) (∀t ∈ T) [ canexec(s, t) → t ∈ trans(actr(s)) ].

19 7.4. Role-Based Access Control
The forms of these axioms restrict the transactions that can be executed. This suggests that RBAC is a form of mandatory access control: the axioms state rules that must be satisfied before a transaction can be executed. Discretionary access control mechanisms may further restrict transactions.
Examples:
If role ri contains role rj, we write ri > rj. Using our notation, the implications of containment of roles may be expressed as
(∀s ∈ S) [ ri ∈ authr(s) ∧ ri > rj → rj ∈ authr(s) ].
For two roles r1 and r2 bound by separation of duty:
(∀s ∈ S) [ r1 ∈ authr(s) → r2 ∉ authr(s) ].

20 7.4. Role-Based Access Control
Definition: Let r be a role, and let s be a subject such that r ∈ authr(s). Then the predicate meauth(r) (for mutually exclusive authorizations) is the set of roles that s cannot assume because of the separation of duty requirement.
Putting this definition together with the above example, the principle of separation of duty can be summarized as
(∀ r1, r2 ∈ R) [ r2 ∈ meauth(r1) → [ (∀s ∈ S) [ r1 ∈ authr(s) → r2 ∉ authr(s) ] ] ].

