Multilevel Security Model

Multilevel security concepts originate from military and other hierarchical organizations
where confidentiality or security levels are used for security decisions. ​All MLS systems
incorporate two essential features: first, the system must enforce these restrictions regardless of
the actions of system users or administrators, and second, MLS systems strive to enforce these
restrictions with incredibly high reliability.

We use the term ​multilevel​ because the defense community has classified both people and
information into different levels of trust and sensitivity. These levels represent the well-known
security classifications: Confidential, Secret, and Top Secret. Before people are allowed to look
at classified information, they must be granted individual clearances that are based on individual
investigations to establish their trustworthiness. People who have earned a Confidential clearance
are authorized to see Confidential documents, but they are not trusted to look at Secret or Top
Secret information any more than any member of the general public.

These levels form the simple hierarchy shown in Figure 1. The dashed arrows in the figure
illustrate the direction in which the rules allow data to flow: from “lower” levels to “higher”
levels, and not vice versa.

When speaking about these levels, we use three different terms:

● Clearance level​ indicates the level of trust given to a person with a security clearance,
or a computer that processes classified information, or an area that has been physically
secured for storing classified information. The level indicates the highest level of
classified information to be stored or handled by the person, device, or location.
 ● Classification level​ indicates the level of sensitivity associated with some information,
like that in a document or a computer file. The level is supposed to indicate the degree
of damage the country could suffer if the information is disclosed to an enemy.
● Security level​ is a generic term for either a clearance level or a classification level.

In the United States, the defense community usually describes a multiuser system as operating in
a particular mode. For the purposes of this discussion, there are three important operating modes:

● Dedicated mode​ – all users currently on the system have permission to access any of
the data on the system.
● System high mode​ – all users currently on the system have the right security clearance
to access any data on the system, but not all users have a need to know all data.
● Multilevel mode​ – Not all users currently on the system are cleared for all data stored
on the system. The system must have an access control mechanism that enforces MLS
restrictions.

The most widely recognized approach to MLS is the Bell-LaPadula security model. The model
effectively captures the essentials of the access restrictions implied by conventional military
security levels. Most MLS mechanisms implement Bell-LaPadula or a close variant of it. The
Bell-LaPadula model enforces MLS access restrictions by implementing two simple rules: the
simple security property and the *-property.

Simple Security Property: ​A subject can read from an object as long as the subject’s security
level is the same as, or higher than, the object’s security level. This is sometimes called the no
read up property.
*-Property: ​A subject can write to an object as long as the subject’s security level is the same as
or lower than the object’s security level. This is sometimes called the no write down property.

Despite strong support from the military community and a strong effort by computing vendors
and computer security researchers, MLS mechanisms failed to provide the security and
functionality required by the defense community. First, security researchers and MLS system
developers found it to be extremely difficult, and perhaps impossible, to completely prevent
information flow between different security levels in an MLS system. A second problem was the
virus threat: when we enforce MLS information flow we do nothing to prevent a virus introduced
at a lower clearance level from propagating into higher clearance levels. Finally, the end user
community found a number of cases where that the Bell-LaPadula model of information flow did
not entirely satisfy their operational and security needs.
Multilateral Security Model

Multilateral security concepts define security policies according to rule sets. They can
express security rules between individuals or roles along the same "level". Multilateral
security is concerned with the implementation of security between various actors (users,
computer systems, processes) that might very well be on the same MLS clearance
level.

Multilateral Security means taking into consideration the security requirements of all
parties involved. It also means considering all involved parties as potential attackers.
This is especially important for open communication systems, as one cannot expect the
various parties to trust each other. Consequently, the requirements that have to be
fulfilled in order to achieve Multilateral Security are particularly high for public
communications networks that are intended for universal use. One of the main aims of
security of any organisation is not only prevent information “down” a hierarchal order
(Multilevel) but also to stop the leak “across” the departments.

There are (at least) three different models of how to implement access controls and
information flow controls in a multilateral security model.
• Compartmentation, used by the intelligence community.
• Chinese Wall model, which describes the mechanisms used to prevent conflicts of
interest in professional practice.
• BMA model, developed by the British Medical Association to describe the information
flows permitted by medical ethics.
Each of these has potential applications outside its field of origin.

1. Compartmentation and Lattice model - Codewords are a way of expressing

access control groups, and can be dealt with using a variant of BellLaPadula,
called the lattice model. • As an illustration, suppose we have a codeword, say,
‘Crypto’. • Someone cleared to ‘Top Secret’ would be entitled to read files
 classified ‘Top Secret’ and ‘Secret’, but would have no access to files classified
‘Secret Crypto’ unless he or she also had a crypto clearance.
2. Chinese Wall method - The second model of multilateral security is the Chinese
Wall model, developed by Brewer and Nash. • Its name comes from the fact that
financial services firms such as investment banks have internal rules designed to
prevent conflicts of interest, which they call Chinese Walls. A typical rule is that
“a partner who has worked recently for one company in a business sector may
not have access to the papers of any other company in that sector. ” • So an
advertising copywriter who has worked on, say, the Shell account, will not be
allowed to work on any other oil company’s account for some fixed period of
time. It also introduces the concept of separation of duty into access control – A
given user may perform transaction A or transaction B, but not both
3. The BMA model - Perhaps the most important, interesting, and instructive
example of multilateral security is found in medical information systems. • People
are arguing about whether privacy norms will have to be radically revised as
genetic data become widely available. This raises the issue of how one can
construct a security policy in which the access control decisions are taken not by
a central authority (as in Bell-LaPadula) or by the system’s users (as in
discretionary access control) but by the data subjects. The BMA model includes
various access control aspects.