Integrity Models

Within the scope of information systems there is a baseline need for data integrity. When thinking practically about how, for example, a commercial database ought to employ effective security measures, it is important to consider different integrity models based on what is needed and how the organization operates. Information systems have become critical in every facet of modern society, and so organizations must take database security seriously as a countermeasure against corruption, loss of data, or other serious. Database security is concerned with the three security principles: preserving the confidentiality, integrity, and availability of the data. When selecting a security model one needs to find a balance between those three principles.

There are plenty of different security models and policies to design a database around, and each differs according to the needs of the organization. For example, the military will have different database security requirements than a commercial organization selling goods and services. The former relies heavily on preserving confidentiality (see the Bell-LaPadula model), while the latter is concerned most with preserving integrity (e.g. against fraud and errors; see the Clark-Wilson model). Here, I would like to discuss two more integrity models that are employed for different reasons: the Brewer and Nash model, as a specific application for preventing conflicts of interest, and the Graham-Denning model, as a general outline to build on.

The Brewer and Nash security model, introduced in their paper The Chinese Wall Security Policy, provides access controls that can change dynamically as needed. Chinese Wall is a term used to describe an information barrier within an organization. These information barriers are used to prevent lateral movement where data exchanges or communications take place, some of which may lead to conflicts of interest. This explains why the Brewer and Nash model holds the nickname Chinese Wall: one of its primary design functions is to help prevent conflicts of interest. In this model, a ‘wall’ is used to segregate data types, and dynamic rules ensure that users are only allowed to access data that is not in conflict with data they have previously accessed.

As a broad example of how the Brewer and Nash model works, once a user accesses data from company A, they will no longer have access to data from company B, since a conflict of interest exists between the two companies. The Brewer and Nash model makes it possible to limit the data access of specific users to prevent what I think of as ‘cross contamination’ between clients. Perhaps a clearer example is this: imagine a security firm which performs security work for many different organizations all over the world. If one employee of the security firm has full access to all of the data worldwide, then they may be able to use these privileges in an unauthorized way. By constructing informational walls, this model prevents the security consultant working with one organization from accessing sensitive data belonging to a different one.
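The security-firm scenario above, as an added example that is not part of the original post: a small Python reference monitor enforcing the Brewer-Nash read rule, where company datasets, conflict-of-interest classes and user names are constructed for illustration.

```python
"""Brewer-Nash (Chinese Wall) read rule: a subject may access an object only if
it belongs to a company dataset the subject has already accessed, or to a
conflict-of-interest class in which the subject has accessed nothing yet.
A subject's own history, not a static ACL, decides each request."""
from collections import defaultdict

# Constructed sample: client datasets grouped into conflict-of-interest classes.
# Clients in the same class compete; consulting for both is the conflict.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCorp", "PetroInc"},
}


def coi_class_of(company):
    """Return the conflict-of-interest class a company dataset belongs to."""
    for name, companies in COI_CLASSES.items():
        if company in companies:
            return name
    raise KeyError(f"unknown company dataset: {company}")


class ChineseWall:
    def __init__(self):
        # subject -> set of company datasets the subject has already read
        self.history = defaultdict(set)

    def can_read(self, subject, company):
        """Deny only if the subject has read a *different* company in the same class."""
        cls = coi_class_of(company)
        return not any(
            seen != company and coi_class_of(seen) == cls
            for seen in self.history[subject]
        )

    def read(self, subject, company):
        """Mediate a read; a permitted read is recorded and narrows future access."""
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)
        return True


def demo():
    wall = ChineseWall()
    return [
        wall.read("alice", "BankA"),    # True: alice has accessed nothing yet
        wall.read("alice", "OilCorp"),  # True: different conflict class
        wall.read("alice", "BankB"),    # False: conflicts with BankA
        wall.read("alice", "BankA"),    # True: same dataset again is fine
        wall.read("bob", "BankB"),      # True: bob's wall is independent of alice's
    ]


if __name__ == "__main__":
    print(demo())  # [True, True, False, True, True]
```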

The Graham-Denning model, first outlined in Protection: Principles and Practice, is an example of an access matrix model. There are three principal components within this model: a set of passive objects, a set of active subjects (processes and domains), and a set of rules or rights which govern the manipulation of the objects and subjects. Objects are defined as files, devices, or other entities that are related to an operating system. The Graham-Denning model defines exactly how objects and subjects interact based on this set of rules. To summarize, the model proposes eight primitive protection rules: (1) create an object, (2) create a subject, (3) delete an object, (4) delete a subject, (5) read an access right, (6) grant an access right, (7) delete an access right, and (8) transfer an access right. Because of the general nature of access matrix models like Graham-Denning, there are many ways this model may take shape in implementation.

For more information:

Brewer, D. F., & Nash, M. J. (1989, May). The Chinese Wall Security Policy. In Proceedings. 1989 IEEE Symposium on Security and Privacy (pp. 206-214). IEEE.

Ge, X., Polack, F., & Laleau, R. (2004). Secure Databases: An Analysis of Clark-Wilson Model in a Database Environment. In Advanced Information Systems Engineering (CAiSE 2004), Lecture Notes in Computer Science, vol. 3084 (pp. 234-247). Springer.

Graham, G. S., & Denning, P. J. (1972, May). Protection: Principles and Practice. In Proceedings of the May 16-18, 1972, Spring Joint Computer Conference (pp. 417-429). ACM.

Landwehr, C. E. (1981). Formal Models for Computer Security. ACM Computing Surveys, 13(3), 247-278.

Security Architecture and Design/Security Models. (n.d.).