Work carried out within the Master's programme in Statistics and Information Management, supervised by Prof. Dr. José Dias Coelho, and later presented at a conference held on 1 June 1995 in Athens, the "3rd European Conference on Information Systems", as "Research in Progress", being one of the 90 papers selected from more than 600 submitted by various European universities.

INFORMATION SYSTEMS SECURITY

- The Defense Model -

Alberto MESQUITA

J. Dias COELHO

Instituto Superior de Estatística e Gestão de Informação

Universidade Nova de Lisboa

Abstract

The importance of data protection in computerized environments is growing significantly. Yet there are several points of view on computer security, rarely agreeing with each other, even in essential aspects. This is a matter of concern for Departments of Defense, namely within NATO, which has been publishing unclassified documents containing its perspective on this issue and specifying security criteria that hardware and software developers should take into consideration as guidelines, so that their products can be used, after certification, in military environments. These criteria provide a theoretical, abstract and organized reference that might serve as a model for practical developments. Thus, the objectives of this research are: 1) to publicize this model, 2) to establish a link between the abstract level at which this issue is dealt with and existing technologies, 3) to unite items from different sources in a single paper and add some personal views, 4) to develop an IS Security Evaluation Methodology based on that model.

1. OVERALL VIEW OF DATA PROTECTION

Until the development of computers and modern communications, information security was an important problem but one with a relatively easy solution: people and organizations simply had to physically protect the objects (papers, photographs, etc.) that they considered sensitive. Flexibility and accessibility are, in general, desirable characteristics of an information system, but at the same time they are enemies of security.

As more people become acquainted with information technologies, as information systems age and as more vital information is stored in computers, the known number of cases of misappropriated information will grow, affecting the credibility of those systems, even though this problem is not yet a top priority for the managers of most organizations.

When it is, there will be a need for a theoretical, abstract and organized model supporting practical developments and a structured analysis of reality. Some of the questions commonly asked by those working in information technologies are:

- What level of security should an organization demand of its computer system, given its specific environment and considering the value of its information, the characteristics of its employees, its financial position, etc.?

- Which security criteria should hardware and software developers consider so that their products can be categorised in terms of the security they offer?

- How can the security level of an existing system be evaluated, what are its weaknesses, what corrective measures should be taken, and how can a specific piece of equipment be integrated into it?

Yet there are several approaches and points of view on computer security, rarely agreeing with each other, even in essential aspects. It is highly improbable that a perfect model will be found: reality is always much more complex than the tools available to analyse it. It would nevertheless be convenient to have at least a common language among the various players and a limited number of methodologies.

This is to a great extent a consequence of the frenetic pace at which information technologies evolve; the permanent state of change makes it very difficult to evaluate all their implications.

Considering the different computer environments, namely mainframes, UNIX and mid-range computers, LANs and stand-alone PCs, it is noticeable that each has its own traditional perspective on information security. However, none of those environments, including mainframes, where the problem is more acute, has a theoretical model supporting the questions presented above. The existing attempts are frequently dependent on current technologies and therefore become obsolete in a relatively short time.

The same happens with the legislation of the different countries that have tried a generic and integrated approach to the information security problem. The importance of this subject is growing, namely at the European Commission and at the International Organization for Standardization, which has recently produced a security model related to the layered OSI model that, in the medium term, will probably assume a prominent position.

Nor has information security been a serious matter for the scientific research community. Despite its strong connections with science and technology, information security probably requires a theoretical approach more like that of the social sciences. In the daily routine of universities there is little need to keep information secure; on the contrary, wider diffusion of information leads to increased scientific output.

This is, naturally, a matter of concern for Departments of Defense, namely within NATO, which has been publishing unclassified documents containing its perspective on this issue and specifying security criteria that hardware and software developers should take into consideration as guidelines, so that their products can be used, after certification, in military environments.

Yet the requirements for maintaining, on computers, the present levels of security of traditional documentation (paper, charts, photographs) are so demanding that no existing commercial system can at present satisfy them.

Although the documents just referred to are unclassified, they have a restricted circulation. The big companies have increasingly been taking the defined criteria into consideration, and their products have been incorporating these requirements; nevertheless, this model is almost unknown in the IS world, partly because of its level of abstraction and the kind of terminology used. That is a consequence of the objective of keeping the requirements and criteria independent of existing technologies: otherwise they would have to be constantly revised or, conversely, would limit new developments.

2. THE DEFENSE MODEL SIMPLIFIED

The first important consideration is that information security has to be treated as a component of security in general.

Next, all objects, in a wide sense, should be classifiable. Papers, charts, photographs, etc. are of course examples of objects, but other things are too. In a computerized environment this concept can and should be greatly extended: files containing application source code, files with readable data, Database Management Systems and compiled programs are examples of the enormous diversity, each with different security implications.

That classification is expressed in military terms: Unclassified, Restricted, Confidential, Secret, Top Secret, and other categories that are not relevant here. These divisions can easily be adapted to the specific environments where they will be used.

The importance of "people" in a defense set-up is also an essential aspect and has recently been receiving more attention in non-military situations. Even the most secure computerized system can be jeopardized if the individuals with access to the information are not reliable.

For that purpose, countries have created, and not only for military purposes, Security Departments responsible for rigorously determining the credibility, or rather the clearance, that can be granted to a certain person. There is an individual dossier, periodically updated, in which relevant security information about that individual is collected to justify the attribution of a certain level of clearance. For example: "Mr. John Smith, cleared Secret".

This clearance means that an individual cleared to a certain level can only have access to objects classified at a level equal to or lower than his clearance.

The concept of "need-to-know" is familiar to most people. It establishes that although certain people are cleared for access to information at a certain level of security, this does not give them the right to know all that information: only the part they need for professional reasons.

The two previous concepts require security software not only to control the access of an individual, cleared to a certain level, to a classified object by comparing both levels, but also to enable the implementation and evaluation of his/her need-to-know.
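
The combined check these paragraphs describe, as an added example that is not part of the paper: a toy reference monitor in Python that grants access only when the subject's clearance is equal to or higher than the object's classification and the subject has need-to-know for the requested access mode, recording every decision for later audit. The level names, the subjects, the objects and their access lists are constructed for the example.

```python
# Added example (not from the paper): a toy reference monitor combining the
# clearance-vs-classification comparison with need-to-know, and keeping an
# audit trail of every decision it takes.
from dataclasses import dataclass, field

# Ordered security levels as used in the paper (lowest to highest).
LEVELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Obj:
    name: str
    classification: str
    # need-to-know: which subjects may use which access modes on this object
    acl: dict = field(default_factory=dict)   # {subject name: {"read", "change", "delete"}}


@dataclass
class ReferenceMonitor:
    audit: list = field(default_factory=list)   # (subject, object, mode, allowed, reason)

    def decide(self, subject, obj, mode):
        """Allow only if BOTH controls pass; log the decision either way."""
        if subject.clearance not in RANK or obj.classification not in RANK:
            raise ValueError("unknown security level")
        # Mandatory control: clearance must be equal to or higher than classification.
        mandatory_ok = RANK[subject.clearance] >= RANK[obj.classification]
        # Discretionary control: the subject needs this mode on this object.
        need_to_know_ok = mode in obj.acl.get(subject.name, set())
        allowed = mandatory_ok and need_to_know_ok
        reason = ("ok" if allowed
                  else "insufficient clearance" if not mandatory_ok
                  else "no need-to-know")
        self.audit.append((subject.name, obj.name, mode, allowed, reason))
        return allowed


def demo():
    """Constructed scenario; returns the decisions and the audit trail."""
    smith = Subject("John Smith", "SECRET")
    jones = Subject("Mary Jones", "CONFIDENTIAL")
    plan = Obj("ops_plan.txt", "SECRET", acl={"John Smith": {"read"}})
    roster = Obj("roster.db", "RESTRICTED", acl={"Mary Jones": {"read", "change"}})
    rm = ReferenceMonitor()
    results = {
        "smith_reads_plan": rm.decide(smith, plan, "read"),          # True
        "smith_changes_plan": rm.decide(smith, plan, "change"),      # False: need-to-know covers read only
        "jones_reads_plan": rm.decide(jones, plan, "read"),          # False: clearance too low
        "jones_changes_roster": rm.decide(jones, roster, "change"),  # True
    }
    return results, rm.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit entry records which of the two controls refused the access, so a reviewer can distinguish a clearance mismatch (a labelling or clearance problem) from a missing need-to-know entry (an access-list problem).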

One of the main characteristics of this model is the conviction that the level of security a system should have depends directly on the disparity between the lowest clearance of the individuals operating that system and the highest classification of the information stored. That disparity may exist, but the greater the difference, the greater the security requirements. The determination of that level relies on risk indexes with a series of details and basically produces tables. As an example, a simplified table is given for a system where the application developers and maintainers do not have sufficient clearance and the applications are not protected against the introduction of corrupted software.

Minimum Clearance      Maximum Data Sensitivity
of Users               UNCLAS   RESTR   CONF   SECRET   TOPSEC
--------------------------------------------------------------
UNCLAS                 C1       B1      B2     B3       *
RESTR                  C1       C2      B2     B2       A1
CONF                   C1       C2      C2     B1       B3
SECRET                 C1       C2      C2     C2       B2
TOPSEC                 C1       C2      C2     C2       C2

Crossing the maximum data sensitivity with the minimum clearance of system users produces a series of "classes", each characterized by predefined security requirements that computer systems must fulfil in order to be considered secure.

The asterisk indicates that computer protection for environments with this risk index is considered to be beyond the state of current technology.

These classes are grouped into 4 divisions represented by the letters A through D, and the associated number indicates the relative position of that class inside its division. The divisions are ordered from A to D, A being the most demanding. Within each division, the lowest number (1) stands for the class with the least requirements. In general terms, each class presents all the security requirements of the previous one plus some new ones.

Explicitly: A1 > B3 > B2 > B1 > C2 > C1 > D
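
The risk-index table and the class ordering above, as an added example that is not part of the paper: a Python lookup that returns the class an environment requires, checks whether an evaluated system satisfies it, and verifies the property the paper states, namely that the requirement never decreases as data sensitivity rises or as user clearance falls. The dictionary layout and the function names are the example's own.

```python
# Added example (not from the paper): the risk-index table encoded as a lookup,
# plus the class ordering A1 > B3 > B2 > B1 > C2 > C1 > D.
LEVELS = ["UNCLAS", "RESTR", "CONF", "SECRET", "TOPSEC"]   # lowest to highest

# Rows: minimum clearance of users. Columns follow LEVELS: maximum data sensitivity.
# None stands for the asterisk: beyond the state of current technology.
RISK_TABLE = {
    "UNCLAS": ["C1", "B1", "B2", "B3", None],
    "RESTR":  ["C1", "C2", "B2", "B2", "A1"],
    "CONF":   ["C1", "C2", "C2", "B1", "B3"],
    "SECRET": ["C1", "C2", "C2", "C2", "B2"],
    "TOPSEC": ["C1", "C2", "C2", "C2", "C2"],
}

CLASS_ORDER = ["D", "C1", "C2", "B1", "B2", "B3", "A1"]   # least to most demanding
CLASS_RANK = {c: i for i, c in enumerate(CLASS_ORDER)}


def _rank(cls):
    """Rank of a class; the asterisk (None) ranks above every real class."""
    return len(CLASS_ORDER) if cls is None else CLASS_RANK[cls]


def required_class(min_clearance, max_sensitivity):
    """Minimum evaluation class for the environment, or None if no class suffices."""
    if min_clearance not in RISK_TABLE or max_sensitivity not in LEVELS:
        raise ValueError("unknown security level")
    return RISK_TABLE[min_clearance][LEVELS.index(max_sensitivity)]


def satisfies(evaluated_class, min_clearance, max_sensitivity):
    """True if a system evaluated at evaluated_class may be used in that environment."""
    if evaluated_class not in CLASS_RANK:
        raise ValueError("unknown evaluation class")
    need = required_class(min_clearance, max_sensitivity)
    if need is None:
        return False
    return CLASS_RANK[evaluated_class] >= CLASS_RANK[need]


def table_is_consistent():
    """Check the paper's claim: for a fixed minimum clearance the requirement
    never drops as sensitivity rises, and for a fixed sensitivity it never
    grows as the minimum clearance rises."""
    rows = [RISK_TABLE[level] for level in LEVELS]
    for row in rows:                                   # left to right: non-decreasing
        ranks = [_rank(c) for c in row]
        if any(a > b for a, b in zip(ranks, ranks[1:])):
            return False
    for col in range(len(LEVELS)):                     # top to bottom: non-increasing
        ranks = [_rank(row[col]) for row in rows]
        if any(a < b for a, b in zip(ranks, ranks[1:])):
            return False
    return True


if __name__ == "__main__":
    print(required_class("UNCLAS", "SECRET"))   # B3
    print(satisfies("B2", "CONF", "SECRET"))    # True
    print(table_is_consistent())                # True
```

A system's evaluated class is compared against the required class using the ordering, not the letters alone: a B2 system satisfies a B1 requirement, but a C2 system does not satisfy B1, and no class satisfies an asterisk cell.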

Six security requirements have been defined, representing separate areas of analysis and allowing a precise definition of the characteristics of a specific class:

- Security Policy: A system should have an explicit and well-defined security policy, enforced by the system itself and defined in terms of the threats, risks and objectives of the organization as a consequence of laws, regulations and external rules independent of the use of computers. The security policy should reflect the general security policy from which it emanates.

- Marking: Objects must carry intrinsically associated labels containing their security classification as well as the modes of access (create, change, delete and others) allowed to potential users.

- Identification: Individual subjects have to be identified. All access to information should be mediated on the basis of who is accessing the information and his/her clearance.

- Accountability: An audit system should exist, recording and keeping all relevant events in a selective and secure way, allowing the reconstitution and analysis of security violations.

- Assurance: A computer system should contain hardware and software mechanisms, typically embedded in the operating system, that can be positively and independently evaluated, with clear documentation, in order to assure that the 4 previous requirements are met.

- Continuous Protection: The hardware and software mechanisms just defined should be continuously protected, throughout the computer system's life-cycle, against unauthorized changes. No computer system can be considered really secure if the mechanisms that enforce the security policy are themselves subject to subversion.

A simplified description of the four Divisions follows; a more extended version, namely of the classes, would follow a structure based on the requirements defined above.

Division D - Minimal Protection

This division contains only one class. It is reserved for those systems that have been evaluated but failed to meet the requirements of a higher class.

Division C - Discretionary Protection

The classes of this Division provide protection based on the concept of need-to-know, together with the auditing of subjects and their actions.

Division B - Mandatory Protection

One of the main characteristics of this Division is the need to preserve the integrity of the classification labels of the different objects, and the capability to use them to enforce protection based on the comparison between an individual's clearance and the classification of the object he/she intends to access. These labels are carried with the major data structures in the system. The security policy model on which the system is based should be provided by its developer, who must also demonstrate that a mechanism mediating all accesses from subjects to objects has been implemented.

Division A - Verified Protection

This Division is characterized by the use of formal verification methods to assure that the mechanisms responsible for implementing discretionary (need-to-know) and mandatory (clearance vs. classification) security can effectively protect the information stored and processed by the system. Extensive documentation is required to demonstrate that the system meets all the requirements throughout its design, development and implementation.

Based on this Defense Model, presented here in simplified terms, an enormous amount of work has to be done to link these high-level concepts to more pragmatic considerations. A significant part of that work is still to be done.

3. OBJECTIVES OF THE RESEARCH IN PROGRESS

- to publicize the Information Systems Security Defense Model,

- to establish a link between the abstract level at which this issue is dealt with and existing technologies,

- to unite items from different sources in a single paper and add some personal views,

- to develop an Information Systems Security Evaluation Methodology based on that model.