Commercial Security

In a landmark paper, Clark and Wilson [1] put forward some basic ideas on commercial security that were intended to be the basis of a commercial security evaluation criteria, similar to the Orange Book used by the military to evaluate systems for military applications. The basis of the Clark-Wilson model is the idea that the information in a commercial system represents a model of some aspect of the enterprise that owns the information. If the data is a stock list for an inventory system, or a set of ledgers in an accounting system, then both have a physical representation against which they can be checked: the actual stock can be counted, and the money held by the company can be checked to see whether it matches the data in the computer system. A commercial enterprise is likely to be more concerned that the information represents a true picture of reality than that some of the information is disclosed in some way. Of course every enterprise needs to keep some information secret, but Clark and Wilson argue that the integrity of the information is more important than its confidentiality in most commercial systems. They note that an important mechanism used in commercial security is that of separation of function. This means no single person is allowed to carry out a function, or sequence of functions, that would result in an undetected fraud. For instance, no one person would be allowed both to enter new stock into the system and to check stock out, since that person might be tempted to adjust both entries. Similarly, accounts receivable clerk and accounts payable clerk are two separate functions. In this way, at least two people must collude to commit a fraud, and any one person committing a fraud would be found out as soon as the stock or account information is balanced. On a computer system, the information can be reconciled very quickly and frequently.
To provide the separation of function, Clark and Wilson propose two components in a commercial system. First there are a number of data sets which contain high integrity information. This information has been reconciled and is, as far as possible, a true representation of the actual physical system it is modeling. Processing of this information is carried out by high integrity processes which always leave the data in a similar state of high integrity. There will be a number of functions which can operate on a single data set, and various people will be allowed to invoke particular functions on particular data sets. Careful examination of which functions and which data sets a single person has access to will ensure that the separation of function principle is maintained. A special function is required to turn a non-integrity data set into a high integrity data set. Once a data set has integrity, the condition that executing a function on a high integrity data set results in a high integrity data set ensures that the information cannot be corrupted: once the system is started with high integrity data, it will continue to run with high integrity data. The careful reader will have realized that this argument depends on being able to build processing functions with integrity guarantees. Of course it is currently very difficult and very expensive to produce such software, and no existing commercial system carries such guarantees. A final component of the system is a function that does not modify the data but merely checks its integrity. This function is used by the security officer to ensure that the system is running correctly; of course the security officer will not have access to any of the usual functions that modify the data sets. It can be seen that the Clark-Wilson model requires a three-dimensional access control model: people, functions, and data.
This will require a two-stage access control function in which a person's right to invoke a function object is checked first. Then the right of that function object, when used by that person, to access a particular data object has to be checked. This can still be handled either by a capability system, in which a person is issued with [function - data set] capabilities, or by access control lists, with both functions and data having access lists.
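The following Python sketch is an added illustration of the components described above and of the two-stage check; it is not code from Clark and Wilson's paper or from this text. It models a high integrity data set (the certified stock list), the special function that certifies a raw data set, the integrity-checking function reserved for the security officer, and the (person, function, data set) triples consulted in two stages before a function may run. The class and function names, the inventory layout and the user names are all constructed for the example.

```python
import copy
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple


class AccessDenied(Exception):
    """One of the two access-control stages refused the request."""


class IntegrityError(Exception):
    """Raw data failed certification, or a function would leave the data set inconsistent."""


@dataclass
class CDI:
    """A data set the system treats as high integrity (certified = True once reconciled)."""
    name: str
    value: Any
    certified: bool = False


class ClarkWilsonEnforcer:
    """Constructed reference monitor for (person, function, data set) access triples."""

    def __init__(self) -> None:
        self.cdis: Dict[str, CDI] = {}
        self.tps: Dict[str, Callable[..., None]] = {}            # integrity-preserving functions
        self.triples: Set[Tuple[str, str, str]] = set()          # (user, function, data set)
        self.invariants: Dict[str, List[Callable[[Any], bool]]] = defaultdict(list)

    def certify(self, name: str, raw: Any, validator: Callable[[Any], bool]) -> None:
        """The special function: a raw data set becomes high integrity only if it validates
        (e.g. the counts agree with a physical stock take)."""
        if not validator(raw):
            raise IntegrityError(f"{name}: raw data failed certification")
        self.cdis[name] = CDI(name, raw, certified=True)

    def register_tp(self, name: str, fn: Callable[..., None]) -> None:
        self.tps[name] = fn

    def grant(self, user: str, tp: str, cdi: str) -> None:
        self.triples.add((user, tp, cdi))

    def add_invariant(self, cdi: str, check: Callable[[Any], bool]) -> None:
        self.invariants[cdi].append(check)

    def ivp(self) -> bool:
        """The security officer's check: reads every data set, modifies nothing."""
        return all(c.certified and all(chk(c.value) for chk in self.invariants[c.name])
                   for c in self.cdis.values())

    def execute(self, user: str, tp: str, cdi_name: str, *args: Any) -> Any:
        # Stage 1: may this person invoke this function object at all?
        if not any(u == user and t == tp for (u, t, _) in self.triples):
            raise AccessDenied(f"{user} may not invoke {tp}")
        # Stage 2: may that function, used by this person, touch this data object?
        if (user, tp, cdi_name) not in self.triples:
            raise AccessDenied(f"{user} may not apply {tp} to {cdi_name}")
        cdi = self.cdis[cdi_name]
        if not cdi.certified:
            raise IntegrityError(f"{cdi_name} has not been certified")
        # Run the function on a copy and commit only if the result is still high integrity.
        candidate = copy.deepcopy(cdi.value)
        self.tps[tp](candidate, *args)
        if not all(chk(candidate) for chk in self.invariants[cdi_name]):
            raise IntegrityError(f"{tp} would leave {cdi_name} inconsistent; change discarded")
        cdi.value = candidate
        return cdi.value

    def separation_violations(self, conflicting: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
        """People holding both halves of a conflicting pair of functions on the same data set."""
        return [(u, a, b, c) for (u, t, c) in sorted(self.triples)
                for (a, b) in conflicting if t == a and (u, b, c) in self.triples]


# --- constructed inventory example ---------------------------------------------

def receive_stock(stock: dict, item: str, qty: int) -> None:
    """Function: book incoming goods in both the bin count and the receiving ledger."""
    stock["items"][item] = stock["items"].get(item, 0) + qty
    stock["ledger"]["received"] += qty


def issue_stock(stock: dict, item: str, qty: int) -> None:
    """Function: book outgoing goods in both the bin count and the issuing ledger."""
    stock["items"][item] = stock["items"].get(item, 0) - qty
    stock["ledger"]["issued"] += qty


def reconciled(stock: dict) -> bool:
    """Integrity condition: no negative bins, and bins agree with the ledger totals."""
    items, ledger = stock["items"], stock["ledger"]
    return (all(isinstance(q, int) and q >= 0 for q in items.values())
            and sum(items.values()) == ledger["received"] - ledger["issued"])


def build_inventory_system() -> ClarkWilsonEnforcer:
    cw = ClarkWilsonEnforcer()
    opening = {"items": {"widget": 5}, "ledger": {"received": 5, "issued": 0}}  # constructed
    cw.certify("stock", opening, reconciled)
    cw.register_tp("receive_stock", receive_stock)
    cw.register_tp("issue_stock", issue_stock)
    cw.add_invariant("stock", reconciled)
    # Separation of function: receiving and issuing are given to different people.
    cw.grant("alice", "receive_stock", "stock")
    cw.grant("bob", "issue_stock", "stock")
    return cw
```

Because the enforcer re-runs the integrity condition after every function, a function that updates the bin count but not the ledger (or one that would drive a bin negative) is rejected and the data set is left as it was, which is the "high integrity in, high integrity out" property the model relies on. The separation check is the static counterpart: it inspects the triples alone, before anyone runs anything.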