Mandatory Access Controls in the commercial world

Randall Atkinson randall at uvaarpa.Virginia.EDU
Sat Jun 30 08:09:32 AEST 1990


From:  randall at uvaarpa.Virginia.EDU (Randall Atkinson)

% The TCSEC security criteria's popularity and widespread acceptance
% have given MAC another connotation -- that of a codification of the
% familiar, U.S.-government, hierarchical security classifications: Top
% Secret, Classified, and Unclassified.  Government policy prohibits
% users of a lower classification from viewing work of a higher
% classification.  Conversely, users at a high classification may not
% make their work available to users at a lower classification: one can
% neither ``read up'' nor ``write down.'' There are also compartments
% within each classification level, such as NATO, nuclear, DOE, or
% project X.  Access requires the proper level and authorization for all
% compartments associated with the resource.  The MAC group is defining
% interfaces for such a mandatory mechanism.  It's not as confusing as
% it sounds, but outside of the DoD it is as useless as it sounds.

I disagree.  The mechanisms described here are indeed useful
in the commercial world.  For example, an insurance company happens to
own and operate both a bank and a savings & loan and a lot of customers
of the banks are owner-members of the insurance firm.  The firm is legally
obligated not to permit the bank/s&l to have access to information on
a customer's insurance information or the fact that he/she is a member-owner
of the insurance firm without explicit written permission from the individual
whose records we are concerned with here.  But the insurance agency may
legally access the information in the bank/s&l on its customers.  This
is analogous to the workers at the insurance firm being in a different 
compartment than the workers at the bank or s&l.  Similarly, a bank teller 
would normally be able to access one level of information and a loan officer 
or branch manager a different level of information.  Please note 
that my example is real-world rather than one I'm making up.

Similarly, firms engaged in product development of one sort or another,
for example making computer systems, frequently have projects with different
sensitivities and areas of access.  Often the goal is deliberately to
restrict and compartmentalise information about actual costs or profit
margin or future plans or two groups with competing approaches to solving
customer needs.  The management will find it useful to control information
access both horizontally and vertically.

Certainly the restrictions on write-down and read-up are essential
to having a viable security system.  It is possible and desirable to
talk in terms of having both vertical levels of access and horizontal
compartmentalisation without actually using DoD's official classifications
whatever they might be.  I trust the POSIX draft doesn't talk in terms
of Unclassified, Secret, and Top Secret as that would be inappropriate.


Randall Atkinson
randall at virginia.edu
Opinions are those of the author.

Volume-Number: Volume 20, Number 68
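The level-plus-compartment rule the post applies to the insurance/bank case, written out as an added example (not part of the original post, and not code from any POSIX draft). It is a Bell-LaPadula style lattice check: a subject may read an object only if the subject's label dominates the object's (no read up), and may write only if the object's label dominates the subject's (no write down). The level ordering (teller below loan officer below branch manager), the compartment names BANK and INSURANCE, and the sample records are assumptions chosen to mirror the scenario in the post; an insurance clerk is given both compartments because the post says the insurer may see bank data but not the reverse.

```python
"""Lattice-based mandatory access control check (Bell-LaPadula style).

Added example; labels, level ordering and compartment names are assumed
for illustration and are not DoD classifications.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Vertical sensitivity levels (assumed ordering)."""
    TELLER = 1
    LOAN_OFFICER = 2
    BRANCH_MANAGER = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset  # horizontal compartments, e.g. {"BANK", "INSURANCE"}

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high, and every
        compartment of `other` is also present in `self`."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down.  The object must dominate the subject so
    information never flows to a lower level or out of a compartment."""
    return obj.dominates(subject)


def check(subject: Label, obj: Label, op: str) -> bool:
    """Mediate one access request; unknown operations are refused loudly."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


# Constructed subject labels for the scenario in the post.
BANK_TELLER = Label(Level.TELLER, frozenset({"BANK"}))
BANK_MANAGER = Label(Level.BRANCH_MANAGER, frozenset({"BANK"}))
INSURANCE_CLERK = Label(Level.TELLER, frozenset({"BANK", "INSURANCE"}))

# Constructed object labels.
ACCOUNT_RECORD = Label(Level.TELLER, frozenset({"BANK"}))
LOAN_FILE = Label(Level.LOAN_OFFICER, frozenset({"BANK"}))
POLICY_RECORD = Label(Level.TELLER, frozenset({"INSURANCE"}))


def demo() -> dict:
    """Run the access requests that matter for the post's argument."""
    cases = [
        ("teller reads account record", BANK_TELLER, ACCOUNT_RECORD, "read"),
        ("teller reads loan file (read up)", BANK_TELLER, LOAN_FILE, "read"),
        ("bank manager reads insurance policy (other compartment)",
         BANK_MANAGER, POLICY_RECORD, "read"),
        ("insurance clerk reads account record", INSURANCE_CLERK, ACCOUNT_RECORD, "read"),
        ("insurance clerk writes account record (write down)",
         INSURANCE_CLERK, ACCOUNT_RECORD, "write"),
        ("teller writes loan file (write up)", BANK_TELLER, LOAN_FILE, "write"),
    ]
    return {name: check(subj, obj, op) for name, subj, obj, op in cases}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {name}")
```

Note that the branch manager, despite holding the highest level, is still refused the insurance record: the compartment test is independent of the level test, which is exactly the horizontal control the post argues for. The write-down refusal for the insurance clerk is what stops insurer data from being copied into a bank-visible object.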



More information about the Comp.std.unix mailing list