Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!longway!std-unix
From: randall@uvaarpa.Virginia.EDU (Randall Atkinson)
Newsgroups: comp.std.unix
Subject: Mandatory Access Controls in the commercial world
Message-ID: <753@longway.TIC.COM>
Date: 29 Jun 90 22:09:32 GMT
Sender: std-unix@longway.TIC.COM
Reply-To: std-unix@uunet.uu.net
Lines: 52
Approved: jsq@longway.tic.com (Moderator, John S. Quarterman)

From: randall@uvaarpa.Virginia.EDU (Randall Atkinson)

% The TCSEC security criteria's popularity and widespread acceptance
% have given MAC another connotation -- that of a codification of the
% familiar, U.S.-government, hierarchical security classifications: Top
% Secret, Classified, and Unclassified. Government policy prohibits
% users of a lower classification from viewing work of a higher
% classification. Conversely, users at a high classification may not
% make their work available to users at a lower classification: one can
% neither ``read up'' nor ``write down.'' There are also compartments
% within each classification level, such as NATO, nuclear, DOE, or
% project X. Access requires the proper level and authorization for all
% compartments associated with the resource. The MAC group is defining
% interfaces for such a mandatory mechanism. It's not as confusing as
% it sounds, but outside of the DoD it is as useless as it sounds.

I disagree. The mechanisms described here are indeed useful in the
commercial world.

For example, an insurance company happens to own and operate both a bank
and a savings & loan and a lot of customers of the banks are
owner-members of the insurance firm. The firm is legally obligated not to
permit the bank/s&l to have access to information on a customer's
insurance information or the fact that he/she is a member-owner of the
insurance firm without explicit written permission from the individual
whose records we are concerned with here. But the insurance agency may
legally access the information in the bank/s&l on its customers. This is
analogous to the workers at the insurance firm being in a different
compartment than the workers at the bank or s&l. Similarly, a bank teller
would normally be able to access one level of information and a loan
officer or branch manager a different level of information.

Please note that my example is real-world rather than one I'm making up.

Similarly, firms engaged in product development of one sort or another,
for example making computer systems, frequently have projects with
different sensitivities and areas of access. Often the goal is to
deliberately restrict and compartmentalise information about actual costs
or profit margin or future plans or two groups with competing approaches
to solving customer needs. The management will find it useful to control
information access both horizontally and vertically.

Certainly the restrictions on write-down and read-up are essential to
having a viable security system.

It is possible and desirable to talk in terms of having both vertical
levels of access and horizontal compartmentalisation without actually
using DoD's official classifications whatever they might be. I trust the
POSIX draft doesn't talk in terms of Unclassified, Secret, and Top Secret
as that would be inappropriate.

Randall Atkinson
randall@virginia.edu
Opinions are those of the author.

Volume-Number: Volume 20, Number 68
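
The level-plus-compartment check discussed in this post, applied to its bank and insurance scenario, as an added example that is not part of the original post or of any POSIX draft. The label layout, level names, compartment names and sample subjects and objects are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed label layout (not from any POSIX draft): a hierarchical
 * level plus a bitmask of compartments. */
enum { LVL_TELLER = 0, LVL_OFFICER = 1 };             /* vertical levels */
enum { COMP_BANK = 1 << 0, COMP_INSURANCE = 1 << 1 }; /* horizontal compartments */

struct label {
    int level;
    unsigned compartments;
};

/* a dominates b: level at least as high AND every compartment of b held. */
bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (b.compartments & ~a.compartments) == 0;
}

/* No read up: the subject's label must dominate the object's. */
bool may_read(struct label subject, struct label object)
{
    return dominates(subject, object);
}

/* No write down: the object's label must dominate the subject's. */
bool may_write(struct label subject, struct label object)
{
    return dominates(object, subject);
}

/* Constructed subjects and objects modelled on the post's example. */
static const struct label bank_teller     = { LVL_TELLER,  COMP_BANK };
static const struct label loan_officer    = { LVL_OFFICER, COMP_BANK };
static const struct label insurance_clerk = { LVL_TELLER,  COMP_BANK | COMP_INSURANCE };
static const struct label account_record  = { LVL_TELLER,  COMP_BANK };
static const struct label loan_file       = { LVL_OFFICER, COMP_BANK };
static const struct label policy_record   = { LVL_TELLER,  COMP_INSURANCE };

int main(void)
{
    printf("teller reads loan file:      %d\n", may_read(bank_teller, loan_file));
    printf("officer reads policy:        %d\n", may_read(loan_officer, policy_record));
    printf("clerk reads bank account:    %d\n", may_read(insurance_clerk, account_record));
    printf("clerk writes bank account:   %d\n", may_write(insurance_clerk, account_record));
    printf("officer writes bank account: %d\n", may_write(loan_officer, account_record));
    return 0;
}
```

The insurance clerk can read bank records but cannot write to them, because the write-down rule stops anything labelled with the insurance compartment from flowing into an object the bank staff can read.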