Multiple levels are key to security in open environments - Network Security

Communications News, May, 1992 by George E. Webber

Charged with increasing responsibility, the information technology community has made major progress in recent years as it strives for greater functionality. Today's groundswell movement to distributed processing arguably represents technology's most significant evolutionary step.

However, while network-based architectures offer significant performance improvements--minimizing the duplication of effort and permitting the sharing of common software, hardware and data resources--like many real-world solutions, they bring with them significant new challenges.

Inherent in any move from a closed, centralized configuration to a spatially dispersed and readily accessible architecture are fundamental questions regarding data security. "Information confidence" has grown into a significant obstacle to the implementation of distributed processes. Increasingly, organizations are being forced to look hard for ways to implement network solutions without compromising data security.

When attempting to prevent unauthorized network access, organizations dealing with low-risk sensitive data can elect to employ what are known as lower-level discretionary access controls. Typically implemented as a software add-on module to an existing operating system, these measures offer various degrees of simple access control based primarily on user IDs and passwords.

Easy as they are to implement, discretionary access controls are very vulnerable to attack through the underlying operating system. Relatively simplistic, these solutions do not really offer an effective guard against seriously motivated intruders.

However, the security requirements of many organizations may involve the protection of high-risk sensitive data and therefore extend far beyond simple protection against intruders. Many organizations must support a number of distinct user communities, each with a different level of security clearance, on parallel networks, granting each group measured access to sensitivity-graded data. Furthermore, in order to maintain the clearance structure, and hence internal security, it is necessary to ensure the enforcement of a comprehensive internal network data and user security policy, as well as an integrity policy. Such policies prevent unqualified users from accessing, contaminating or transferring inappropriate data and consequently undermining the autonomous security and integrity of the network structure.

For example, the so-called Bell and LaPadula model stipulates that low-clearance users be prevented from reading files at sensitivity levels above their own, and reciprocally, high-clearance users be prevented from writing files to low-level security clearances.

Addressing these conflicting requirements without significantly impacting system performance is one of the major information technology challenges of the '90s.

One solution would entail simply running a separate network for each and every distinct user community. However, setting aside the obvious financial drawbacks associated with configuring multiple networks, physically separating the networks in this fashion would prevent the controlled exchange of data across the security echelons.

There is a second solution that protects security and permits data exchange between user communities while offering enormous savings over the cost of installing parallel networks.

Known as a trusted server, systems such as HFSI's XTS-200 are capable of supporting multiple levels of security (MLS) simultaneously, while at the same time implementing internal security policies to mediate the transfer of sensitive information across security levels.

These systems also permit the implementation of a separate integrity policy which can be very effective in controlling data contamination and virus-type threats.

Perhaps the greatest potential for the implementation of trusted MLS systems lies beyond the single network multi-level application. MLS server systems, typically hosted on minicomputers, are capable of providing secure connections between multiple MLS networks.

Super servers not only allow single network security plurality, but further facilitate the exchange of data among an unlimited number of secure networks, permitting them to share data without compromising their respective security policies. The MLS system effectively reviews connection requests, checking user security profiles, reviews the profiles of the files being transferred, and makes a call as to what is and is not acceptable.

Naturally, if the request compromises either policy, it is denied and a flag is raised for the system administrator.

Unlike a simplistic access control configuration, the access and integrity controls in a trusted MLS system are an integral part of the operating system itself. It is therefore impossible to get between the operating system and the security functions to defeat the mechanism.
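The mediation described above can be sketched in a few lines. This is an added example, not part of the original article and not code from any vendor: a minimal check that applies the Bell and LaPadula rules together with a separate integrity policy, and that denies and flags any request violating either. The level names, the Biba-style integrity rule and all users and files are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    # Constructed lattice; the article names no specific levels.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2

@dataclass(frozen=True)
class Labeled:
    """A user or a file, carrying a secrecy and an integrity label."""
    name: str
    secrecy: Level   # Bell-LaPadula confidentiality level
    integrity: int   # higher = more trusted (Biba-style rule, assumed)

audit_flags = []     # stand-in for the administrator's alert queue

def mediate(user, file, op):
    """Allow op ('read' or 'write') only if both policies hold."""
    if op == "read":
        checks = {
            "secrecy: no read up": user.secrecy >= file.secrecy,
            "integrity: no read down": user.integrity <= file.integrity,
        }
    elif op == "write":
        checks = {
            "secrecy: no write down": user.secrecy <= file.secrecy,
            "integrity: no write up": user.integrity >= file.integrity,
        }
    else:
        raise ValueError(f"unknown operation: {op!r}")
    violated = [rule for rule, ok in checks.items() if not ok]
    if violated:
        # Deny and raise a flag for the system administrator.
        audit_flags.append((user.name, op, file.name, violated))
        return False
    return True

# Constructed users and files for illustration.
analyst = Labeled("analyst", Level.SECRET, 2)
clerk = Labeled("clerk", Level.UNCLASSIFIED, 1)
report = Labeled("report", Level.SECRET, 2)
bulletin = Labeled("bulletin", Level.UNCLASSIFIED, 1)

if __name__ == "__main__":
    for u, f, op in [(analyst, report, "read"), (clerk, report, "read"),
                     (analyst, bulletin, "write"), (analyst, bulletin, "read")]:
        print(u.name, op, f.name, "->", mediate(u, f, op))
    print(audit_flags)
```

The last request in the demo passes the secrecy check but fails the integrity check, which is the data-contamination case the separate integrity policy is meant to catch.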

COPYRIGHT 1992 Nelson Publishing
COPYRIGHT 2004 Gale Group

 


Content provided in partnership with Thompson Gale