LectureNote6-CommercialSecurity-Lipner

COMMERCIAL SECURITY
AUTHORIZATION, ACCESS CONTROL, DISCRETIONARY ACCESS CONTROL, HRU MODEL OF AUTHORIZATION SYSTEM, MANDATORY ACCESS CONTROL, LATTICE BASED ACCESS CONTROL MODELS, COMMERCIAL SECURITY
CS 556 - Computer Security - © 2009 Colorado State University – 101 / 124

Is Commercial Security Different?
Commercial firms rarely grant access on the basis of “clearances”.
While this can be modeled using the Bell-LaPadula model (BLP), it requires a large number of categories and security levels.
It is difficult to control the proliferation of categories and security levels because their creation is decentralized.

Is Commercial Security Different?
The problem of information aggregation is insidious.
Commercial firms usually allow a limited amount of (innocuous) information to become public but keep a large amount of (sensitive) information confidential.
By aggregating the innocuous information, one can deduce much sensitive information.
Preventing this requires the model to track what questions have been asked.
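
A minimal sketch of the question tracking described above, as an added example that is not part of the original lecture notes. The attribute names, the policy table and the class AggregationGuard are constructed for illustration; the check refuses a query when the requester's past answers plus the new one would complete a sensitive combination.

```python
from collections import defaultdict

# Constructed policy: each attribute is innocuous on its own, but a requester
# who holds every attribute in one of these sets can deduce the sensitive fact.
SENSITIVE_COMBINATIONS = {
    "profit margin": frozenset({"unit_price", "supplier", "order_volume"}),
    "pending acquisition": frozenset({"travel_schedule", "legal_retainer"}),
}


class AggregationGuard:
    """History-based check: remembers what each requester has been told."""

    def __init__(self, combinations):
        self.combinations = combinations
        self.history = defaultdict(set)  # requester -> attributes released

    def would_reveal(self, requester, attributes):
        """Names of sensitive facts deducible if this query were answered."""
        combined = self.history[requester] | set(attributes)
        return sorted(name for name, combo in self.combinations.items()
                      if combo <= combined)

    def query(self, requester, attributes):
        """Answer (True) and record it, or refuse (False) and record nothing."""
        if self.would_reveal(requester, attributes):
            return False
        self.history[requester].update(attributes)
        return True


def demo():
    guard = AggregationGuard(SENSITIVE_COMBINATIONS)
    return [
        guard.query("analyst", ["unit_price"]),       # innocuous alone
        guard.query("analyst", ["supplier"]),         # still incomplete
        guard.query("analyst", ["order_volume"]),     # would complete the set
        guard.query("analyst", ["travel_schedule"]),  # unrelated, allowed
        guard.query("auditor", ["order_volume"]),     # different history
    ]


if __name__ == "__main__":
    print(demo())
```

The history here is kept per requester, so it does not account for two requesters pooling the answers each received.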

Lipner’s Integrity Model
Relevant in the commercial sector
Tries to control the production program
Integrity of the object is of prime importance

Requirements in Production Program
Users will not write their own programs, but will use existing production programs and databases.
Programmers will develop and test programs on a nonproduction system. If they need access to actual data, they will be given production data via a special process, but will use it on their development system.

Requirements (cont’d)

This note was uploaded on 05/29/2010 for the course CS 556 taught by Professor Staff during the Spring '08 term at Colorado State.
