8. The Means of Cybersecurity: Access Control 207

gambling or drug use, etc. Some special TS clearances also require the subject to undergo a psychiatric evaluation and a polygraph examination (i.e., a lie detector test). Most cyber operators need a TS clearance in order to do their jobs. Once cleared, subjects have access to information on a need-to-know basis. This means they can only access information relevant to their job duties—they do not automatically have access to all the information at their level. This is a control that mitigates the risk of data leaks.

There are two competing and contradictory models for how access to information in an MLS ideally should be managed. Both have non-intuitive aspects.

The Bell-LaPadula model (named after the two researchers who defined it) is concerned with the confidentiality of information. It states that subjects should only be able to read information at their clearance level and below. This makes sense. A subject with an S clearance should be able to read information classified U, C, and S, but not TS. However, it also stipulates that a subject should not be able to write information below his level of clearance. The reason is that if a TS subject composes an S document, some TS information might “leak” because the subject’s mind contains a jumble of sensitive information that cannot be neatly parsed into TS and S. Therefore, in the Bell-LaPadula model, a subject can only write documents at or above his clearance level. This is known as the high-water mark principle. The highest level of information that a subject is exposed to sets the bar, and no writing is permitted beneath that level to prevent information leakage—a confidentiality concern. The Bell-LaPadula model is sometimes summarized as, “No read up, no write down.”

A researcher named Biba devised an alternative MLS model that comes to opposite conclusions. The Biba model is concerned with the integrity of information. This model states that a subject should not be able to write information above his classification level. This makes sense because he is not authorized to know information at that level, so his ability to compose it is suspect. The Biba model also stipulates that a subject should not be able to read any information below his classification level. The reason for this is that the lowest level of information that a subject is exposed to “pollutes” him with potentially misleading or incomplete information. This is known as the low-water mark principle. Therefore, to prevent polluting information at higher levels—an integrity concern—he is not permitted to write above the lowest level he has been exposed to. The Biba model is sometimes summarized as, “No write up, no read down.”

Table 8.3 summarizes both MLS models. While it makes for an interesting academic debate, it is impossible to satisfy both concerns simultaneously, so in the real world compromises are made to appropriately handle sensitive data.
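
The two rule sets described above, as an added example that is not from the book: a small Python reference monitor that evaluates read and write requests under each model for the levels U, C, S and TS. The function names and the sample requests are constructed for illustration; the last check shows that requiring both models at once on the same labels leaves only same-level access.

```python
from enum import IntEnum

class Level(IntEnum):
    U = 0   # Unclassified
    C = 1   # Confidential
    S = 2   # Secret
    TS = 3  # Top Secret

def blp(subject, obj, op):
    """Bell-LaPadula (confidentiality): returns the rule violated, or None."""
    if op == "read" and obj > subject:
        return "no read up"
    if op == "write" and obj < subject:
        return "no write down"
    return None

def biba(subject, obj, op):
    """Biba (integrity): returns the rule violated, or None."""
    if op == "read" and obj < subject:
        return "no read down"
    if op == "write" and obj > subject:
        return "no write up"
    return None

def permitted(subject, *models):
    """Levels a subject may read and write when every given model must agree."""
    return {op: [lvl.name for lvl in Level
                 if all(m(subject, lvl, op) is None for m in models)]
            for op in ("read", "write")}

def decide(requests):
    """Evaluate each (subject, op, object) request under both models."""
    return [(s.name, op, o.name, blp(s, o, op) or "allow", biba(s, o, op) or "allow")
            for s, op, o in requests]

# Constructed sample requests: (subject level, operation, object level)
REQUESTS = [
    (Level.S, "read", Level.TS),
    (Level.S, "read", Level.C),
    (Level.TS, "write", Level.S),
    (Level.C, "write", Level.S),
    (Level.S, "write", Level.S),
]

if __name__ == "__main__":
    for row in decide(REQUESTS):
        print("%-2s %-5s %-2s  BLP: %-13s Biba: %s" % row)
    for name, models in (("BLP", (blp,)), ("Biba", (biba,)), ("both", (blp, biba))):
        print(name, permitted(Level.S, *models))
```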