MODELS OF SECURITY

Multilevel Security: Different levels of security are defined to separate subjects rigorously from objects to which they should not have access. E.g. during election process the names of candidates may not be that sensitive as compared to the voting process hence different level of security would be applied to them. So the users may be ranked by the degree of sensitivity of information to which they can have access. For this reason, military has developed extensive procedures for securing information.
A generalization of the military model of information security has also been adopted as a model of data security within an operating system. Bell and La Padula [BEL73] were first to describe the properties of the military model in mathematical notation, and Denning first formalized the structure of this model. In 2005, Bell [BEL05] returned to the original model to highlight its contribution to computer security. He observed that the model demonstrated the need to understand security requirements before beginning system design, build security into not onto the system, develop a security toolbox, and design the system to protect itself. The generalized model is called the lattice model of security because its elements form a mathematical structure called a lattice.

1. Lattice Model of Access Security: The military security model is based on a general scheme, called lattice. The dominance relation defined in the military model is the relation for the lattice. The relation is transitive and antisymmetric means ‘A’ dominates ‘B’ and ‘B’ dominates ‘C’ then ‘A’ dominates ‘C’ also but not vice versa. The largest element of the lattice is the classification

<top secret; all compartments>
and the smallest element is
<unclassified; no compartments>
these two elements respectively dominate and are dominated by all elements. Therefore, the military model is a lattice.
Another example of lattice model may be a commercial security policy with data sensitivities like public, proprietary, and internal. Public data are less sensitive than proprietary, which are less sensitive than internal. These three levels also form a lattice.
Most security specialists choose base security systems on a lattice because it naturally represents increasing degrees. Such a model may be used in military environment, commercial environments with different labels for the degrees of sensitivity etc.

2. Bell–LaPadula odel Confidentiality Model: This describes formally the allowable paths of information flow in a secure system. It’s goal is to identify allowable communication when maintaining secrecy is important. This may be employed to define security requirements for systems concurrently handling data at different sensitivity levels. This model is a formalization of the military security policy and was central to the U.S. Department of Defense's evaluation criteria.

To understand how the Bell–LaPadula model works, consider a security system with properties.
The system covers a set of subjects S and a set of objects O. Each subject s in S and each object o in O has a fixed security class C(s) and C(o). The security classes are ordered by a relation. Two properties characterize the secure flow of information: