MODELS OF SECURITY

Multilevel Security: Different levels of security are defined to separate subjects rigorously from objects to which they should not have access. E.g. during election process the names of candidates may not be that sensitive as compared to the voting process hence different level of security would be applied to them. So the users may be ranked by the degree of sensitivity of information to which they can have access. For this reason, military has developed extensive procedures for securing information.
A generalization of the military model of information security has also been adopted as a model of data security within an operating system. Bell and La Padula [BEL73] were first to describe the properties of the military model in mathematical notation, and Denning first formalized the structure of this model. In 2005, Bell [BEL05] returned to the original model to highlight its contribution to computer security. He observed that the model demonstrated the need to understand security requirements before beginning system design, build security into not onto the system, develop a security toolbox, and design the system to protect itself. The generalized model is called the lattice model of security because its elements form a mathematical structure called a lattice.

1. Lattice Model of Access Security: The military security model is based on a general scheme, called lattice. The dominance relation defined in the military model is the relation for the lattice. The relation is transitive and antisymmetric means ‘A’ dominates ‘B’ and ‘B’ dominates ‘C’ then ‘A’ dominates ‘C’ also but not vice versa. The largest element of the lattice is the classification

<top secret; all compartments>
and the smallest element is
<unclassified; no compartments>
these two elements respectively dominate and are dominated by all elements. Therefore, the military model is a lattice.
Another example of lattice model may be a commercial security policy with data sensitivities like public, proprietary, and internal. Public data are less sensitive than proprietary, which are less sensitive than internal. These three levels also form a lattice.
Most security specialists choose base security systems on a lattice because it naturally represents increasing degrees. Such a model may be used in military environment, commercial environments with different labels for the degrees of sensitivity etc.

2. Bell–LaPadula odel Confidentiality Model: This describes formally the allowable paths of information flow in a secure system. It’s goal is to identify allowable communication when maintaining secrecy is important. This may be employed to define security requirements for systems concurrently handling data at different sensitivity levels. This model is a formalization of the military security policy and was central to the U.S. Department of Defense's evaluation criteria.

To understand how the Bell–LaPadula model works, consider a security system with properties.
The system covers a set of subjects S and a set of objects O. Each subject s in S and each object o in O has a fixed security class C(s) and C(o). The security classes are ordered by a relation. Two properties characterize the secure flow of information:
Simple Security Property. A subject ‘s’ may have read access to an object ‘o’ only
if C(o)=< C(s).
While in the military model, this property says that the security class (clearance) {hierarchy} of someone receiving a piece of information must be at least as high as the class (classification) {hierarchy} of the information.
*-Property: A subject ‘s’ who has read access to an object ‘o’ may have write access to an object p only if C(o) =<C(p). In the military model, this property says that the contents of a sensitive object can be written only to objects at least as high i.e. *-property  is  that  a  person  obtaining information at one level may pass it to people at levels no lower than the level of the information itself. So it prevents write-down, which occurs when a subject with access to high-level data transfers that data by writing it to a low-level object.
The Bell–LaPadula model is extremely conservative and ensures security even at the expense of usability or other properties.

3. Biba Integrity Model: The Bell–LaPadula model applies only to secrecy of information. To ensure the integrity of data Biba proposed a model for that prevents inappropriate modification of data. It is counter part of of the Bell–LaPadula model, sometimes also called as dual. It defines "integrity levels," as analogous to the sensitivity levels in Bell–LaPadula model. Here subjects and objects are ordered by an integrity classification scheme, denoted I(s) and I(o). The properties in this model are stated as

Simple Integrity Property: Subject ‘s’ can modify object ‘o’ iff I(s) >=I(o)
Integrity *-Property: If subject ‘s’ has read access to object ‘o’ with integrity level I(o), ‘s’ will have write access to object ‘p’ iff I(o) >=I(p).