Advances in computing and communications technologies continue to reduce privacy by making it possible for people and organizations to store and process vast amounts of personal information. To achieve privacy of data, it is necessary to protect stored data, data in transit, and to have some control over the release of data. Whereas protection of stored data is somewhat covered by emerging privacy policy languages and their enforcement, there are no mechanisms currently proposed to ensure the correct use of and therefore to control the release of personally identifying information from within an enterprise computing facility.
Traditionally, managing the security of a computer system has required mapping an organization's security policy to a relatively low-level set of controls, typically access control lists. That is, assuming individual users (persons or logical processes) are first identified and authenticated to a computing system in a satisfactory manner, their access to documents, programs, facilities, and other “objects” within the protected computer system is then controlled by a security system, for example a system security manager, simply by comparing the user's name against a list of names of persons entitled to access the given object. Generally speaking, this technique is known as discretionary access control or DAC.
According to a more sophisticated and well developed model for security of computer systems that is used extensively within the U.S. government, and elsewhere, access to objects in a computing system can be controlled by a logical system of compartmentalization implemented by way of logical security levels (which are hierarchical) and/or categories (which are not hierarchical) that are associated with users and protected computer resource objects. Such systems are referred to as “multilevel secure” (“MLS”) systems and are implementations of the Bell-LaPadula security model as defined by D. Bell and L. LaPadula in ‘Secure computer systems: Mathematical foundations and model’ MITRE Report, MTR 2547 November 1973. Significant investment has been made in the development, verification, and implementation of such systems.
In MLS systems, users who are associated with (by assignment) the highest security levels and the largest numbers of categories are said to have the highest security levels in the system. Authority to read a protected object is granted to a user when the requesting user (after proper identification and authentication to the computing system) has an associated security level that is at least as high as that of the requested object and the user has a set of categories (one or more) that include those associated with the requested object. In this case, the user is said to “dominate” the object. Conversely, authority to write to an MLS protected object is granted to a user when the requested object has an associated security level that is at least as high as that of the requesting user and the object has a set of categories that include at least the categories that are associated with the requesting user. In this case the object is said to dominate the user. From these principals, as defined by the Bell-LaPadula model, it can be seen that MLS protected information can only become more secure as it is read from one object and written to another, as the information moves from lower to higher levels of security and/or from fewer to more categories. Conversely, a model for authorization checking that is effectively the inverse of the Bell-LaPadula model is described by K. Biba in ‘Integrity considerations for secure computer systems’ Technical Report 76-372, U.S. Air Force Electronic Systems Division, 1977. Biba showed both that the integrity of a data and programming system is dependent upon: the integrity of the data and programming systems that were used in its creation, and a processing model for assuring such integrity. Both the Bell-LaPadula (MLS) model and the “MLS-inverse” aspect of the Biba model are currently in use within the computing industry, for example within the program product Resource Access Control Facility (RACF) which is an optional component of the z/OS operating system offered by the International Business Machine Corporation (IBM). The z/architecture is described in an IBM publication entitled “z/Architecture Principles of Operation”, publication no. SA22-7832-01, October 2001 which is hereby incorporated herein by reference in its entirety. Further, RACF is described in a publication entitled “z/OS V1R4.0 Security Server RACF Security Administrator's Guide”, SA22-7683-03, IBM Corp., September 2002, the entirety of which is hereby incorporated herein by reference.