School

University of Maryland Global Campus (UMGC)

Course

610

Subject

Information Systems

Date

Apr 29, 2024

Project 1: Security Models
Felicia J Clark
University of Maryland Global Campus
CMP610: Foundations in Cybersecurity Management
Claire Cuccio
October 12, 2023

Project 1: Security Models

This appendix provides additional context on the security models used to inform the security plan developed for MGM Resorts. Below are high-level overviews of the security models. Each overview covers the model's origin and outlines its key features and potential weaknesses. For the context of the security models identified in this appendix, a subject can be considered a user, program, process, or device that requests a service, whereas an object is a user, program, process, or device which provides the requested service (University of Maryland Global Campus, n.d.).

Bell-LaPadula Security Model

Developed in 1973 by David Elliot Bell and Len LaPadula, the Bell-LaPadula Model was designed to address concerns around access control when dealing with government and military data. The Department of Defense (DoD) used the model to adhere to the requirements within the multilevel security policy, and the model utilizes classifications such as Secret and Top Secret. Bell-LaPadula is considered a state-machine model, meaning it requires that all states be secure, which inherently means all further states are considered secure.

Bell-LaPadula has three modes of access that integrate with the confidentiality policy. The simple security property states that a subject cannot read an object with a higher classification level. The star property (* property) states that a subject cannot write to an object with a lower classification level. Finally, the strong star property (strong * property) states that a subject cannot read or write to an object that is of either a higher or a lower classification level.

The primary flaws with this model are that it does not consider whether all data will be classified or whether the classification levels will ever change, and that it addresses only confidentiality, not integrity.

Figure 1
Bell-LaPadula security model
Note. A visual representation of the integration between the access modes and the confidentiality policy (University of Maryland Global Campus, n.d.).

Biba Security Model

Similar to Bell-LaPadula, the Biba Model is also a state-machine model; however, its purpose is to address integrity instead of confidentiality. In 1975 Kenneth J. Biba was tasked to offset the weaknesses identified in the Bell-LaPadula model, specifically so a subject could not access and corrupt an object that was a higher or lower classification level. This model also targets the DoD sector. The Biba Model utilizes a hierarchical structure of data classifications with strict ordering of levels from highest to lowest, meaning changes are only authorized at a subject's level. To emphasize data integrity, its security posture is no write up, no write down.

The Biba security policy is divided into three categories. The simple integrity condition states that a subject cannot read an object that is classified at a lower integrity level. The integrity star (*) property states that a subject cannot write to an object that is classified at a higher integrity level. Finally, the invocation property declares that a subject cannot request an object of higher integrity.

Similar to Bell-LaPadula, the Biba model's primary flaw is the assumption that all data is classified.

Figure 2
Biba security model
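
The access rules of both models can be written as label comparisons. The sketch below is an added example, not part of the original paper; the four-step label ordering, the function names, and the reuse of one label set as both classification and integrity level are assumptions made for illustration. It shows the confidentiality-only gap noted above for Bell-LaPadula and what remains when both models are enforced together.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed four-step ordering; the paper names only Secret and Top Secret.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_allows(subject, obj, op, strong=False):
    """Bell-LaPadula: labels are confidentiality classifications."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if strong:
        return subject == obj    # strong * property: same level only
    if op == "read":
        return subject >= obj    # simple security property: no read up
    return subject <= obj        # * property: no write down

def biba_allows(subject, obj, op):
    """Biba: the same labels reinterpreted as integrity levels (assumption)."""
    if op == "read":
        return subject <= obj    # simple integrity condition: no read down
    if op in ("write", "invoke"):
        return subject >= obj    # integrity * and invocation: no write/invoke up
    raise ValueError(f"unknown operation: {op}")

def allowed_pairs(check, op):
    """Every (subject, object) label pair for which `check` permits `op`."""
    return {(s, o) for s in Level for o in Level if check(s, o, op)}

def both_allow(subject, obj, op):
    """Enforce both models at once on a single label per entity."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)

if __name__ == "__main__":
    low, high = Level.CONFIDENTIAL, Level.TOP_SECRET
    # Bell-LaPadula alone lets a low subject overwrite a high object,
    # which is the integrity gap; Biba refuses the same request.
    print("BLP  low->high write:", blp_allows(low, high, "write"))
    print("Biba low->high write:", biba_allows(low, high, "write"))
    # Combined, only same-level access survives, as with the strong * property.
    print(sorted(allowed_pairs(both_allow, "read")))
```
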