The traditional multi-level secure (MLS) mandatory access control is based on the Bell-LaPadula model, which is described in David E. Bell and Leonard J. LaPadula, Computer Security Model: Unified Exposition and Multics Interpretation, Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, Mass., HQ Electronic Systems Division, Hanscom AFB, Mass., June (1975). In the Bell-LaPadula model, each subject or object is tagged with a <sensitivity_level(SL), categories_set(CS)>tuple. All such tuples in a system form a partial-order relation set where <SL1, CS1>≧<SL2, CS2>IFF SL1≧SL2 and CS1⊃CS2. Information can flow from a source to a destination only if tagdestination≧tagsource. The source or destination can be either a subject or object. Therefore, a subject can read an object only if tagsubject≧tagobject. A subject is usually a person or an application running on behalf of a person. The sensitivity level associated with a subject reflects the degree of trust placed in the subject. The categories set associated with the subject specifies the categories of objects the subject has a need to know or to access. A subject's sensitivity level is also called the subject's clearance.
An object can be a data storage element such as a file or a data transportation apparatus such as a network connection. The sensitivity level associated with an object indicates how sensitive the data contained in that object are or the magnitude of the damage incurred by an unauthorized disclosure of the data. The categories set associated with the object specifies the categories to which the data belong.
The traditional MLS model has been in practice since before computers came into wide existence. The MLS model is easy to understand and facilitates easy access control decisions based on the model by simply comparing two tags. Thus, the MLS model provides a basis for quantification of the risk associated with allowing subjects access to objects. If the tags associated with a subject and an object correctly reflect the subject's trustworthiness and need-to-know and the object's sensitivity and categories, then the access control decision is likely to avoid leakage of the information in the object and therefore the risk associated with such leakage. In short, the model is geared toward risk avoidance.
In many organizations, especially organizations in the national security and intelligence arena, the ability to rapidly process, share and disseminate large amounts of sensitive information in order to support informed decision making to rapidly respond to external events is important to the central mission of those agencies. Current access control models, includes MLS models, do not provide a sufficient level of flexibility to deal with the dynamic environments and needs of these organizations. For example, a complex organization with multiple, hierarchically organized departments, each holding information and data needs to be able to organize and share this information among the various departments. Understanding the significance of isolated events and formulating an effective response may require users and management in the organization to pool together information available within multiple departments, i.e., to “connect the dots”. The information that needs to be pooled together would depend on the external event and the analysis approach adopted, which cannot be predicted in advance.
Traditional access control policies based on roles aligned with the organizational chart can degrade the effectiveness of the response. Studies of such organizations have concluded that existing security policy models are too rigid and do not allow necessary information to be shared. An example of a study is found in HORIZONTAL INTEGRATION: Broader Access Models for Realizing Information Dominance, JASON Program Office, JSR-04-132, MITRE Corporation (2004). As a reaction, some organizations have set up a complex mix of loose and ad-hoc policies that may result in an unaccountable risk of information leakage. The problem is due to the fact that existing access control policies specify access decisions statically, and the environments in which the policies are applied are dynamic. Thus the ideal case where an organization continually optimizes access control based on risk vs. benefit trade-offs while capping overall risk cannot be realized.