Computers & Security, 15 (1996) 212-220
Enforcing Legal Ownership Rights by an Access Control System
Eike Born, Siemens Nixdorf Informationssysteme AG, D-81730 München, Germany.
Data processing is liable to civil and criminal law just as many other human activities of a civilized world. Thus in particular for data objects in a data processing environment, ownership and author or originator rights apply as they do to other objects in the real world. Accordingly, basic requirements for an access control system in a data processing environment must be based on these rights. This article derives and discusses the most general originator rights based requirements for access control systems. Furthermore, we particularize and refine these requirements for data processing systems of large commercial organizations, which are distinguished by very many users and data objects to be managed, by an interference between individual and organizational rights, and by clearly identifiable tasks to be processed successfully. We argue that the legal requirements on these access control systems are in particular met by usage conditions, describe this concept and give some examples for the concrete implementation of corresponding access control systems.
Keywords: Civil rights, criminal rights, ownership, possession, ownership rights, copyrights, originator rights, access control system, mandatory access control, discretionary access control.
Introduction
Data processing systems support many and very different classes of data objects for their users. The necessity of protection for these objects attracts the interest of system developers, salesmen and users, particularly recently with the spread of Internet usage. Besides technical protection against incorrect system behaviour and physical or information intrusion, user defined discretionary protection and system based mandatory protection against misuse of the objects, as specific kinds of access control, are discussed thoroughly (cf. e.g. [4], [7] or [10]). Nevertheless, most of these concepts are rather obviously based on a technical point of view, as are those concentrating on access control lists, capabilities or dataflow models, or are predestined to the military hierarchy and information flow principles, as e.g. the tight and particular access rules of Bell-La Padula [1].
In this paper, we start the discussion of object protection in a data processing environment from a judicial point of view, founded on the concept of authorship and ownership in civil and criminal rights. It is introduced in section 1. This concept yields fundamental requirements for a data object access control system, as shown in section 2, and section 3 considers large commercially used data processing environments and particular requirements for their access control systems. Usage conditions, recently proposed by the author [3] for discretionary access control, are shown in section 4 to meet these requirements to a large degree. In section 5, a legal rights enforcing access control system based on enhanced usage conditions is proposed and discussed. A small example for such an access control system is introduced in section 6, and section 7 finally shows how the specific but widely accepted Bell-La Padula model can be embedded into a usage conditions based legal ownership rights enforcing access control system.
0167-4048/96/$15.00 © 1996 Elsevier Science Ltd
Computers & Security, Vol. 15, No. 3
1. Ownership and Enforcement of Ownership Rights
Data processing systems are built for handling data objects. This is done on different layers and by different subsystems. Operating systems offer address spaces, files, message boxes or communication channels. Database management systems manage databases, relations and fields. Network systems handle communication partners, routing directories and message files. Web servers provide us with information pages or Java applets. At first sight, all these objects appear to be available for every user of the data processing environment. Without additional efforts, they cannot be locked in a desk like a paper document, or restricted to particular individuals like a car. In addition they allow for fast and cheap reproduction. Overall, rules and systems of access control for these objects seem at least to be completely left to the developer of corresponding mechanisms in operating systems and applications, if not unnecessary or impractical altogether. With Internet usage and the World Wide Web, controlled access is often regarded as being contrary to the intention of these media. But such considerations overestimate technical feasibility and the immateriality of the concerned objects, and neglect the social and legal frame of activities of civil life. Indeed every data processing environment and all its objects are liable to civil and criminal rights, and are protected by the corresponding laws. Thus basic requirements for object protection in a data processing environment must at least be in accordance with, and preferably should be derived from, the legal requirements for object protection. Legal protection of both physical and intellectual objects in general intends to protect the abstract value of these objects.
This abstract value of an object, realized in general as its common price, arises from its restricted availability, due to the efforts necessary for its production, and from the requests for it due to its usefulness for particular individuals. Since usefulness can hardly be controlled by a law, civil and criminal rights primarily aim at preserving the restricted availability of protected objects. This is primarily materialized by the concepts of property (ownership) and possession, both nowadays an essential part of almost all legal systems of civil and criminal laws. These concepts undergo a particular realization in a number of laws, among which, for objects of intellectual work, primarily authorship or originator rights (copyright) and the corresponding criminal laws apply.
Property is defined as the right of completely deciding about an object. Accordingly originator rights include in particular the ability to decide completely about how an intellectual work may be spread to other individuals or the public. In the corresponding directive of the European Union (cf. [5]), subsequently realized in the civil rights of all European Communities (cf. [6], pp. 545 for German laws), originator rights concern primarily works of literature, science and arts with original and not publicly known contents ([15], UhG 2). To be covered by these laws, the particular realization of the work, say as a paper product or stored on a disk, is irrelevant. Thus data files in a data processing environment are also liable to these rights, as long as their contents are. In particular, originator rights restrict publishing in any form of a protected work to the originator only, or a person authorized by the originator ([15], UhG 15). This concerns explicitly replication, publishing and making the work available to others than authorized persons. European and accordingly German rights admit the social obligation of information by generally allowing for private copying of protected works. But this is limited to non-profitable exploitation and concerns works which basically are already published ([15], UhG 53). All this applies directly and obviously to data objects in a data processing environment.
The concept of possession (occupancy) is subordinate to ownership and originator rights. Possession is the right to use an object in accordance with an authorization given by the owner or originator. Within originator rights, this is covered by exploitation rights (cf. [15], UhG 31). Perhaps by taking examples from computer science, one can think of a more recursively defined structure of authorized usage. It may start with the originator as the root owner, and allow every authorized owner to delegate some or all of its rights for an object to sub-owners.
But no system of civil law is known which establishes such a recursive ownership structure. In European originator rights, re-transmission of exploitation rights is excluded explicitly ([15], UhG 34 (1)). Thus we will deal with this concept only occasionally. Nevertheless, possession may include additional rights for an object, intuitively far beyond pure usage of this object. For instance, one may think of rights for modification or withholding. In civil law, a particular problem arises whenever an object has several owners. Then internal agreements for exercising ownership rights are required. We assume in what follows that this is always assured such that to the outside only one owner is visible. In order to avoid discussions of minor problems, we assume on the other hand that for every object in a data processing environment, at least one user of this environment may act as the originator, either by authorship or by being fully authorized.
2. Basic Requirements for Access Control Systems
A data processing system or environment is a facility for the electronic management of storing and manipulating data objects. Any means of such an environment to restrict the access of a user to a data object is said to be an access control system. According to the above discussion, the concept of ownership and originatorship of civil law applies to the objects in a data processing environment. The owner of an object prescribes its availability to the public. These ownership rights must be represented by controlled access to the information content of the object. A data processing system must thus basically provide a mechanism which enforces the keeping of the originator-given availability rules within access to all objects realized and managed in it. By this very concept of property, the explicit formulation of these access conditions must be left to the owner of an object. Hence a data object control system must not prescribe any rules for the usage of data objects itself. Instead, it must offer:
R1: A mechanism allowing for object and subject specific formulation, by the owner of a data object only, of whatever rules for control of access the owner wants, and
R2: Enforcement of keeping these rules by checking the object specific rules within every access of a subject to a data object.
Guidance from the system for the specification of access control conditions may be appropriate to support a logically unambiguous formulation and a proper evaluation of access conditions. But the benefits from such a convenient user interface must be carefully balanced against the induced restriction in the specification of access control conditions and the corresponding restriction of ownership rights. Thus most mandatory access control systems, prescribing particular information flow rules (e.g. [2]), do not cope with the ownership rights of civil law. Indeed, as long as civil and criminal laws supply the owner with complete disposal of an object, a generally accepted and applied access control system may not prescribe any semantic content for the ownership rights. Only for reflecting the social obligation of ownership, for instance, may an access control system restrict ownership accordingly by imposing a specific semantic for access to data objects. For instance, limitations of access fees for basic social information in public information systems such as the Internet according to usury laws may require corresponding ownership rights restrictions, supported accordingly by an access control system.
3. Access Control Systems in Large Commercial Organizations
Legal requirements for a data objects access control system discussed so far are fundamental. They do not depend on the structure or size of the organization running the data processing system. There are additional requirements for an access control system whenever it must apply to particular organizational and legal structures of its owner. In what follows we derive some additional requirements for an access control system in a data processing environment in large commercial organizations.
Common to all kinds of commercial organizations is an internal structure, both within the organization and within the applied rights and authorizing system. In general there is an internal regulation of originator rights, which is covered and protected by freedom of contract within civil laws (cf. e.g. [15]). These internal regulations most often assign ownership of all data objects created by employees in working hours to the organization. This ownership may be executed by particular representatives of the company, e.g. the chief executive officer. By law, the employees are then only possessors of these data objects. Nevertheless, they may be vested with perhaps very extended rights of possession. Such possession rights may even contain the formulation of additional access rules for an object, the application of which must be enforced as well, limited only by the basic ownership rights of the organization. Refined signature structures within such organizations may reflect these structures of possession rights.
Also common are well identifiable tasks to be processed successfully within the organization for realizing its (business or welfare) goal. For a manufacturer, e.g., these tasks comprise basically buying, production, quality control and selling. Most often, a much finer granulation and partly hierarchical structure of tasks is established. In general these tasks are specified explicitly, for instance as workplace descriptions, and the specification is done independent of the persons entrusted with these tasks, according to the needs of the organization and personal requirements.
Common to large organizations finally is a rather large number of data objects and users to be managed. Several thousands of users are not unusual, and millions of data objects. The number of tasks in contrast is comparably small, often not more than a few hundred. And these tasks exhibit considerably less dynamics than users or data objects. In a company with say 1000 employees, each one working say for 10 years for the company, every year at least 100 employees are leaving, with new staff entering. This is almost one per working day, each requiring an update of the user information in the access control system. Creation and deletion of data objects will show even more dynamics. But the tasks of such a small company, in contrast, may be stable for months or years. Thus among data objects, users and tasks, the last one exhibits much less dynamics than the other two.
Hence the entity task is predestined for separate management, supporting dynamic entrustment of users with tasks by referencing only. We arrive at three additional requirements for an access control system within an organizationally used data processing environment:
R3: It must support a convenient specification and management of ownership rights, well adapted and restricted to representatives of the organization which act as the owner of the system.
R4: It must allow formulation and enforce application of possessor defined access rights, overruled only by the originator defined access rights.
R5: It should allow for a reflection of the task structure of the organization, and the entrustment of individuals with such tasks independent of their specification.
4. Usage Conditions
In [3], a concept for user defined access control is proposed which we will extend for the application to general legal ownership based access control. The authors introduce objects of a new class, called usage conditions. These objects can be defined by any user, and contain logical expressions specifying conditions of an access such as: (user a or b or c) and (between 7:30 and 12:30 am) and (from terminal 1 or 3 or 7). References can be set from every access mode of an object to one or more usage conditions, by the creator of the object only, according to his needs. For every data access, the referenced usage conditions are checked. Access to an object in a requested mode is granted if it is granted by at least one referenced usage condition (or-combination of usage conditions). Aside from the usual manipulation methods for usage conditions (for an appropriate user interface see [3]), there is the access mode specific method set up reference in every object class, corresponding to the method use (evaluate) of usage conditions, invoked implicitly at an access request. Access control for usage conditions themselves can be realized by an ownership concept or again by usage conditions by specifying circular references. For their appropriate application, usage conditions should contain the access conditions necessary to execute a certain task in the real world successfully and thus should specify general conditions of usage. In this sense, a usage condition should correspond to an elementary task of the real world. A restricted set of usage conditions may then be sufficient to define even complex access control conditions for a large number of data objects, by making use of references from one data object to several usage conditions as well as references from several data objects to the same usage condition. The or-combination of concurrently evaluated usage conditions requires and reflects the independence of the corresponding real world tasks.
Data objects from different classes can have the same protection because the usage conditions are not attached to the complete data object but to each available access method separately. This is illustrated in Fig. 1.
Figure 1: Access control with usage conditions. Arrows indicate references to usage conditions. Access control to usage conditions is set up again by references to usage conditions. (The figure shows data objects, usage conditions, users and organizational units.)
In [3], experiences from an implementation of a corresponding discretionary access control system in an existing operating system are reported. Usage conditions thus allow for the specification and management of access rules and their checking within every access situation. In this way they establish a realization of the Formulary Model of [8]. According to the above discussion, they fulfil the requirements of an ownership rights enforcing access control system to a large degree, in particular for large data environments, and thus may be taken as a base for such an access control system.
5. Enforcing Ownership Rights with Usage Conditions
For a legal rights enforcing specification and management of access control in a large organizational structure, we propose an enhancement of usage conditions with respect to three aspects. The modifications are derived from the above requirements for the formulation of ownership rights for organization owned data objects and for enforcing compliance with them within every access.
Contents of usage conditions
The access control conditions laid down in a usage condition do not contain names of subjects explicitly. Instead, according to requirement R5, references are set up from each subject to appropriate usage conditions, in addition to references from objects to usage conditions. Thus the lower dynamics of tasks and task specification is decoupled from the higher dynamics of users and data objects. And possession rights can be formulated without referring to particular individuals but to tasks individuals may be entrusted with, which is usual in the juridical world. Overall, usage conditions represent tasks in an unambiguous way and stand right between (names of) subjects and names and access modes of objects, being referenced by both. This is illustrated in Fig. 2.
Figure 2. Referencing of enhanced usage conditions from users and from objects. (The figure shows representatives, users, usage conditions and data objects.)
The main advantage of this referencing from both data objects and users to usage conditions is the simplification of data object and user management. Introduction and removal of data objects and users require only local modifications of their meta-data, and no modification of the generic access control information. In particular the removal of a data object or a user does not require complete scanning of the meta-data of all users, all data objects or all usage conditions, which is necessary for an access control system based on capabilities, access control lists or original usage conditions. Formulation of usage conditions thus is to be done in a one-to-one relation to tasks of the real world in a way as strict as possible, without relying on individuals eventually entrusted with these tasks. This supports a flexible, organization-wide and user-independent management of originator rights based access control. In all remaining aspects, the kinds of contents of usage conditions remain the same as in [3]. Of course, attributes to be evaluated in case of an access request must now be distributed carefully between users, data objects and usage conditions. Attributes either are attributes of the subject and must be recorded in the subject description file, or are attributes of the data object to be accessed and thus are stored within its attribute list, or are indeed attributes of the task to be executed and thus must be stored in the usage condition, as e.g. times or places that processing of the task is restricted to.
The exact correspondence of usage conditions and real world tasks is already required for the original usage conditions in [3]. Its additional stressing arises from the fact that the definition of legal ownership rights in large commercial organizations is rather centralized because of its business importance, while nevertheless the corresponding legal ownership rights enforcing access control in the processing environment must be easily manageable by the representatives responsible for the information flow in the organization. Assuming manageability of tasks in a sensibly run organization, the strict correspondence yields manageability of access control as well. By the export of subject names as well as object names and their access modes, usage conditions now constitute an organization of the access control matrix of [7] with respect to tasks of the real world, orthogonal to the row-wise and column-wise compression to access control lists and capabilities.
It may be appropriate to allow the formulation and realization of additional access control also for particular users. These are then allowed by a usage condition to define usage conditions on their own and set up references from objects and perhaps even users to these conditions. To avoid ambiguous access rights, these possessor defined usage conditions must be clearly identifiable.
Specification of and referencing to usage conditions
Both methods must be completely under the control of representatives of the organization, acting as the originator of the data objects. They should be supported appropriately by the data processing system. Hence the representatives define usage conditions for the domain of their responsibility and specify access granting rules corresponding to tasks within this domain. They are also responsible for defining references from every subject and every object in their domain of responsibility to appropriate usage conditions. Introduction of new users in a data processing system is usually organizationally centralized and thus allows for the setup of references to usage conditions without additional efforts, according to the tasks a person is entrusted with. Additional system support is thus primarily required for the setup of references from data objects and their access modes to usage conditions. In the most simple way this can be done automatically at creation time of a data object, according to properties of the creator or the creating task, e.g. by referring to the usage condition the creator already refers to within the task leading to the creation of the object. In this way, usage conditions are manageable with restricted efforts, while still adaptable to the structure of the organization running the data processing system.
Access control with usage conditions
Access from a subject to an object (in a requested mode) is granted if and only if it is granted by at least one commonly referenced owner defined usage condition. Thus evaluation of concurrent owner defined usage conditions is done in an or-combination. This reflects and preserves the independence of the tasks represented by the usage conditions (cf. [3]). In order to avoid an overruling of originator defined access rules by access rules defined subsequently by authorized possessors, it must depend on the contents of the referenced owner defined usage conditions whether existing possessor defined access control information is evaluated or not, and perhaps even whether the possessor defined access rules are in accordance with the possessor rights. This corresponds to the overruling of individual possessor rights by company ownership rights in most labour legislations. Fig. 3 shows a detail from an access control system with concurrent owner and possessor defined usage conditions.
Figure 3. Complete legal rights enforcing access control with enhanced usage conditions. Possessor-defined access rights are evaluated if required from the owner defined usage conditions. Arrows indicate a reference to owner defined resp. possessor defined access control information. (The figure shows data objects with access modes r, w and x, usage conditions, and the executing office board, development/production, quality assurance, sales department and IT support.)
At first sight, the or-combination of usage conditions seems to run the risk of violating access restrictions from one owner defined usage condition by another one. But due to the above discussion, usage conditions correspond to independent real world tasks. If a subject is entrusted with a task and an object is necessary for this task (by references to the corresponding usage condition), an access must be granted irrespective of concurrent usage conditions. Subjects within an organization in general are entrusted with several tasks, each of which must be processed successfully. In this sense the tasks are indeed independent. Dependent tasks, as for instance those to be executed consecutively, should be formulated within the single usage conditions explicitly, e.g. by 'access only if the predecessor task completed successfully'. An alternative negative formulation of access restrictions within usage conditions, and a corresponding and-combination of usage conditions, may lead already in simple access control environments to inferences finally excluding any access.
6. A Simple Example
We consider a company of moderate size, producing and selling a certain product. Next to the executing office board, departments for development and production, quality assurance, sales, and information technology support are established. The heads of the departments are responsible for keeping the information rules of the company in their department, and the chief executive officer (CEO) is responsible for the information rules. There exist four basic tasks in the company, namely: manufacturing, selling, support and management. Fig. 4 specifies which department's individuals are entrusted with a certain task, and which kind of access to which data is necessary for the tasks.
Figure 4. Tasks, departments, entrustment with tasks, and information necessary to execute these tasks (the letters r, w, a and x indicate that information must be readable, writable, appendable or applicable in the sense of executing a program).
For implementing these information rules within a data processing system, usage conditions can be applied as follows. Four usage conditions are established according to the four tasks of the company. They contain general restricting conditions only, such as 'within working hours' or 'user defined access control information is evaluated only for read access'. Modification of these usage conditions is left to the CEO bureau, and references to them are set up by the heads of the concerned departments according to Fig. 4. References from members of a department to the corresponding usage conditions can be set up by hand on introducing a new user. It is not sensible to charge the heads of departments to also make the references from data objects to usage conditions by hand. Within, say, a Unix-like hierarchical file system this can be supported by a system of inheritance, for instance: for every access mode of directories and every object class subordinated to a directory, usage conditions are attached to each directory, which are inherited by the corresponding access modes of all objects and subdirectories created in such a directory. Then a refined but well manageable access control structure can be set up with
usage conditions, precisely adapted to the needs of the tasks within the company, and easily modified when requirements of the working processes are changing. In particular, specification of tasks to be processed successfully and introduction or removal of users and objects can be done completely separately and without access or even modification of data other than those of the modified entity.
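The enhanced usage conditions of section 5 and the company of section 6, as an added example in Python that is not part of the paper. It assumes constructed names (the usage conditions manufacturing, selling, management and the possessor-defined qa_only, the directory /production, the object test-plan, the users alice, bob, carol and ceo, a working-hours rule of 8 to 18 h) and one reading of the possessor semantics: when an owner-defined condition grants an access and says that possessor-defined information is evaluated for that mode, a possessor-defined condition referenced by the object for that mode may withhold the access, but can never grant what the owner conditions deny. Directory references are inherited per access mode at creation time, as the section proposes for a Unix-like file system.

```python
"""Enhanced usage conditions (sections 5 and 6) as a small runnable model.

Constructed example: a usage condition is a predicate over (subject, object,
context) plus the set of access modes for which possessor-defined conditions
referenced by the object are evaluated at all.  Subjects reference usage
conditions (the tasks they are entrusted with); every access mode of an
object references usage conditions too.  Directories carry per-mode
references that new objects inherit at creation time.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Predicate = Callable[["Subject", "DataObject", dict], bool]


@dataclass
class UsageCondition:
    name: str
    predicate: Predicate
    owner_defined: bool = True
    # access modes for which possessor-defined conditions are consulted
    evaluate_possessor_for: Set[str] = field(default_factory=set)


@dataclass
class Subject:
    name: str
    department: str
    tasks: Set[str] = field(default_factory=set)  # referenced usage conditions


@dataclass
class DataObject:
    name: str
    owner_refs: Dict[str, Set[str]] = field(default_factory=dict)      # mode -> owner-defined
    possessor_refs: Dict[str, Set[str]] = field(default_factory=dict)  # mode -> possessor-defined


@dataclass
class Directory:
    """Unix-like directory whose per-mode references are inherited."""
    name: str
    owner_refs: Dict[str, Set[str]]

    def create(self, name: str) -> DataObject:
        # only the new object's own meta-data is written; nothing else is scanned
        return DataObject(name, {m: set(r) for m, r in self.owner_refs.items()})


class AccessControl:
    def __init__(self) -> None:
        self.conditions: Dict[str, UsageCondition] = {}

    def define(self, uc: UsageCondition) -> None:
        self.conditions[uc.name] = uc

    def _granting(self, names: Set[str], s: Subject, o: DataObject, ctx: dict) -> List[UsageCondition]:
        return [self.conditions[n] for n in names if self.conditions[n].predicate(s, o, ctx)]

    def grant(self, s: Subject, o: DataObject, mode: str, ctx: dict) -> bool:
        # only usage conditions referenced by both the subject and the object's mode count
        common = s.tasks & o.owner_refs.get(mode, set())
        for uc in self._granting(common, s, o, ctx):
            if not uc.owner_defined:
                continue
            if mode in uc.evaluate_possessor_for:
                prefs = o.possessor_refs.get(mode, set())
                if prefs and not self._granting(prefs, s, o, ctx):
                    continue  # the possessor withholds this access
            return True  # or-combination: one granting owner condition suffices
        return False


def within_working_hours(_s: Subject, _o: DataObject, ctx: dict) -> bool:
    return 8 <= ctx["hour"] < 18


def build_company():
    """Constructed company of section 6: four tasks, one directory, one file."""
    ac = AccessControl()
    ac.define(UsageCondition("manufacturing", within_working_hours,
                             evaluate_possessor_for={"read"}))
    ac.define(UsageCondition("selling", within_working_hours))
    ac.define(UsageCondition("management", lambda s, o, c: True))
    # possessor-defined condition set up by the head of quality assurance
    ac.define(UsageCondition("qa_only", lambda s, o, c: s.department == "quality assurance",
                             owner_defined=False))
    production = Directory("/production", {"read": {"manufacturing", "management"},
                                           "write": {"manufacturing"}})
    test_plan = production.create("test-plan")  # inherits both mode references
    test_plan.possessor_refs["read"] = {"qa_only"}
    users = {
        "alice": Subject("alice", "development/production", {"manufacturing"}),
        "bob": Subject("bob", "quality assurance", {"manufacturing"}),
        "carol": Subject("carol", "sales", {"selling"}),
        "ceo": Subject("ceo", "executing office board", {"management"}),
    }
    return ac, users, test_plan


def decide(user: str, mode: str, hour: int) -> bool:
    """Access decision for one user, mode and hour of the day."""
    ac, users, obj = build_company()
    return ac.grant(users[user], obj, mode, {"hour": hour})


if __name__ == "__main__":
    for user, mode, hour in [("bob", "read", 10), ("alice", "read", 10), ("alice", "write", 10),
                             ("carol", "read", 10), ("ceo", "read", 10), ("alice", "write", 20)]:
        print(f"{user:6} {mode:5} at {hour:2}h -> {decide(user, mode, hour)}")
```

Running the block shows the points the section makes: carol is refused because no usage condition is referenced by both her and the object, alice's read is withheld by the possessor-defined condition while her write is not (the owner condition only consults possessor information for read), the CEO's management condition ignores the possessor condition entirely, and adding or removing a user or an object touches only that entity's own references.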
7. Discretionary and Mandatory Access Control Policies
The discussion of access control to data objects in data processing environments is centred almost exclusively around discretionary (user defined) and mandatory (rule based) access control. Within this discussion, the notion of discretionary access control refers mostly to all aspects we encountered with the application of possession rights to an object. (In [3] it is shown that usage conditions to a large extent meet the requirements posed on a discretionary access control system.) Mandatory access control primarily concerns explicit rules for information flow to be enforced by a corresponding access control system. All principles discussed so far for mandatory access control proved to be not general enough to be appropriate for every organization running a data processing system and hence are not recommended for implementation in generally used data processing environments. This observation was one main motivation for our approach. Nevertheless mandatory access control principles are compatible with our approach: if an owner of a data processing system decides upon requiring the application of a particular data flow principle within this environment, it can be formulated within a usage condition based access control system like every other owner defined access condition. As an example we show how to integrate the security label based mandatory access control model of Bell-La Padula [2]. It has become basic for the security requirements formulated by the United States Department of Defense for operating systems [13], and is applied nowadays also for commercially used systems. In short, the rules require that every user and every data object is equipped with a security label, which is a number. Access to a data object by a subject may be granted only if there is an access mode specific relation between the security label of the subject and that of the object. For reading an object, the security label of the user must be higher than or equal to that of the object, for writing (without reading) it must be lower than or equal, hence for writing and reading both security labels must be equal. The concept of Bell-La Padula is based on two features: definition of and equipment with security labels as additional specific attributes of subjects and data objects, and a label-value based granting decision for every access request. Mechanisms to support the labeling of subjects and objects are well understood and described (cf. [4], [10]). Indeed they are the kernel of an implementation of Bell-La Padula mandatory access control. They are completely independent of our approach, which concerns only actual access request situations. We suppose that there are sufficient mechanisms for this labeling. Evaluation of labels can now obviously be implemented by means of usage conditions. The system security authority, required by the Bell-La Padula model, has to define three usage conditions only, say with the names 'read-access', 'write-access' and 'update-access'. The usage condition 'read-access' contains the condition 'if subject label ≥ object label' only, the usage condition 'write-access' contains the condition 'if subject label ≤ object label' only, and the usage condition 'update-access' contains the condition 'if subject label = object label'. Every subject then gets references to all these usage conditions; the access modes 'read', 'write' and 'read+write' of every data object get references to the usage conditions 'read-access', 'write-access' and 'update-access', resp., at creation time. This obviously ensures application of the Bell-La Padula access rules in every access to a data object. There may be a fourth usage condition named 'control_of_labeling' with only the security officer but all objects referring to it.
It allows for instance a down-labelling of objects, which is necessary within real life implementations of Bell-La Padula based mandatory access control environments. As a particular advantage, this integration of Bell-La Padula based mandatory access control into an ownership rights enforcing access control system can be combined with every other owner required access control and, additionally, with possessor defined access control. This may allow for a flexible adaptation to the information rules within an organization. Thus this approach can be applied for label based mandatory access control even in more specific data object environments, as e.g. those discussed in [9]. Of course, the system security authority then has to ensure carefully that organization specific access rules enrich Bell-La Padula access control according to the intention of the owner of the system. In every case, concurrent evaluation of additional access control information leads to a corruption of the Bell-La Padula model.
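As an added illustration (not code from the paper or from the usage condition system of [3]), the following Python expresses the three label conditions described above, together with the ‘control_of_labeling’ condition and an owner-defined condition evaluated alongside them. It assumes that a usage condition is a named predicate over the requesting subject and the object, that each access mode of an object refers to a list of usage condition names, that a request is granted only when the subject holds a reference to every condition the mode refers to and each of them evaluates to true, and that labels are plain integers. The names `define_condition`, `new_subject`, `new_object`, `check_access`, `relabel` and the group-membership condition ‘project-a-member’ are this example's own; the subjects and objects in `demo()` are constructed sample data.

```python
"""Bell-La Padula label rules expressed as usage conditions (added example).

Assumptions, not taken from the paper: a usage condition is a named predicate
over (subject, object); a request is granted only if the subject refers to
every condition the object's access mode refers to and each one holds.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Subject:
    name: str
    label: int                                          # security label
    conditions: Set[str] = field(default_factory=set)   # usage conditions referred to
    groups: Set[str] = field(default_factory=set)       # used by owner-defined conditions


@dataclass
class DataObject:
    name: str
    label: int                                          # security label
    mode_conditions: Dict[str, List[str]] = field(default_factory=dict)


Condition = Callable[[Subject, DataObject], bool]

# The three conditions of the text, plus the one only the security officer refers to.
USAGE_CONDITIONS: Dict[str, Condition] = {
    "read-access": lambda s, o: s.label >= o.label,     # no read up
    "write-access": lambda s, o: s.label <= o.label,    # no write down
    "update-access": lambda s, o: s.label == o.label,   # read+write: labels equal
    "control_of_labeling": lambda s, o: True,           # gated by the reference alone
}
BLP_CONDITION_NAMES = ("read-access", "write-access", "update-access")


def define_condition(name: str, predicate: Condition) -> None:
    """Register a further, owner-defined usage condition (hypothetical API)."""
    USAGE_CONDITIONS[name] = predicate


def new_subject(name, label, security_officer=False, groups=(), extra=()):
    """Every subject refers to the label conditions; only the officer also refers
    to 'control_of_labeling'."""
    conds = set(BLP_CONDITION_NAMES) | set(extra)
    if security_officer:
        conds.add("control_of_labeling")
    return Subject(name, label, conds, set(groups))


def new_object(name, label, extra_conditions=None):
    """Modes refer to the label conditions at creation time; an owner may attach
    further conditions to a mode, which are evaluated alongside them."""
    modes = {"read": ["read-access"], "write": ["write-access"],
             "read+write": ["update-access"], "relabel": ["control_of_labeling"]}
    for mode, names in (extra_conditions or {}).items():
        modes.setdefault(mode, []).extend(names)
    return DataObject(name, label, modes)


def check_access(subject: Subject, obj: DataObject, mode: str) -> bool:
    """Grant only if every condition the mode refers to is also referred to by
    the subject and is satisfied for this request."""
    required = obj.mode_conditions.get(mode)
    if required is None:
        return False
    return all(name in subject.conditions and USAGE_CONDITIONS[name](subject, obj)
               for name in required)


def relabel(subject: Subject, obj: DataObject, new_label: int) -> int:
    """Down-labelling goes through the 'relabel' mode, i.e. 'control_of_labeling'."""
    if not check_access(subject, obj, "relabel"):
        raise PermissionError(f"{subject.name} may not relabel {obj.name}")
    obj.label = new_label
    return obj.label


def demo() -> Dict[str, bool]:
    """Constructed sample subjects and objects exercising the rules."""
    define_condition("project-a-member", lambda s, o: "project-a" in s.groups)
    officer = new_subject("officer", 3, security_officer=True)
    alice = new_subject("alice", 2, groups={"project-a"}, extra=("project-a-member",))
    bob = new_subject("bob", 2, extra=("project-a-member",))          # not a member
    report = new_object("report", 1, extra_conditions={"read": ["project-a-member"]})
    plan = new_object("plan", 3)
    results = {
        "alice_reads_report": check_access(alice, report, "read"),      # 2 >= 1, member
        "bob_reads_report": check_access(bob, report, "read"),          # label ok, not member
        "alice_writes_report": check_access(alice, report, "write"),    # 2 <= 1 fails
        "alice_reads_plan": check_access(alice, plan, "read"),          # 2 >= 3 fails
        "alice_writes_plan": check_access(alice, plan, "write"),        # 2 <= 3
        "alice_updates_plan": check_access(alice, plan, "read+write"),  # 2 == 3 fails
        "alice_relabels_plan": check_access(alice, plan, "relabel"),    # no reference
        "officer_relabels_plan": check_access(officer, plan, "relabel"),
    }
    relabel(officer, plan, 2)                                           # down-labelling
    results["alice_updates_plan_after"] = check_access(alice, plan, "read+write")
    return results


if __name__ == "__main__":
    for request, granted in demo().items():
        print(f"{request:28} {'granted' if granted else 'denied'}")
```

Because every condition a mode refers to must hold, the owner-defined ‘project-a-member’ condition in the example can only deny a read that the label rules would grant, never grant one they deny; the one operation that changes which accesses the label rules permit is relabelling, which is why the text ties ‘control_of_labeling’ to the security officer alone.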
8. Conclusion

We have discussed the implications and the validity of the civil and criminal law concepts of originatorship and possession for data objects in a data processing system, and what this entails for the corresponding access control systems. Basically, such a system must allow for the specification of whatever conditions the owner of an object requires for an access, and must enforce their application in every access request situation. In large organizations and their data processing environments, this principle leads to more specific requirements on an access control system, namely allowing for the specification of more complicated ownership rights and extended possessor rights while nevertheless keeping management easy, which is naturally achieved by a strict reference of access control information to the tasks or processes performed in the organization. The concept allows for the translation of every logically and semantically unambiguously formulated access rule into the data access control of an information processing system. Also the formulation and application of possessor defined access rights, subordinated to those of the owner, can be integrated smoothly. The concept is basic and fundamental, and thereby gives a more applicable and legally well grounded base of owner and possessor rights to the discussion on discretionary (user defined) and mandatory (rule based) access control. Furthermore, this approach asks only for little effort to integrate mandatory access control policies such as the specific Bell-La Padula data access model. In this case it can be comfortably enhanced by additional access rules formulated by the owner of the system. Thus overall this approach may lead to a modified view and proper concepts of data access control rules, paying more regard to the legal point of view for the protection of objects in a commercial data processing environment and being far more general than particular mandatory access control policies such as those of Bell-La Padula.

References

[1] Abrams, M.D., LaPadula, L.J., Olson, I.M.: Building generalized access control on Unix. Proceedings of USENIX Security Workshop II, Portland, OR, Aug. 27-28, 1990, pp. 65-70.

[2] Bell, D.E., LaPadula, L.J.: Secure Computer Systems. Air Force Elec. Syst. Div. Report ESD-TR-73-278, Vols. I, II, III, 1973. Bell, D.E., LaPadula, L.J.: Secure Computer Systems: Mathematical Foundations and Model. MITRE Corp., Bedford, MA, 1974. Bell, D.E., LaPadula, L.J.: Secure Computer Systems: Unified Exposition and Multics Interpretation. MITRE Corp., Ref. MTR-2997, 1976.

[3] Born, E., Stiegler, H.: Discretionary access control by means of usage conditions. Computers & Security 13 [5], 1994, 437-450.

[4] Denning, D.: Cryptography and Data Security. Addison-Wesley, 1982.

[5] Directive 91/250/EEC of the European Council from May 14, 1991, Abl. EG Nr. L 122, pp. 42. In: Gewerblicher Rechtsschutz und Urheberrecht (GRUR), Int. 91.

[6] Gewerblicher Rechtsschutz und Urheberrecht (GRUR), Int. 91.

[7] Graham, G.S., Denning, P.J.: Protection: principles and practice. Proc. Spring Jt. Computer Conf., Vol. 40, AFIPS Press, Montvale, NJ, 1972, pp. 417-429.

[8] Hoffman, L.J.: The Formulary Model for Flexible Privacy and Access Controls. In: Hoffman, L.J., Security and Privacy in Computer Systems. Melville Pub. Comp., Wiley, 1973.

[9] Jajodia, S., Kogan, B.: Integrating an object-oriented model with multilevel security. Proc. 1990 IEEE Comp. Symp. on Research in Security and Privacy, Oakland, 1990, pp. 76-85.

[10] Landwehr, C.E.: Formal models for computer security. ACM Computing Surveys, Vol. 13, pp. 247-278, 1981.

[11] Lee, T.M.P.: Using Mandatory Integrity to Enforce “Commercial” Security. Proc. IEEE Symp. on Security and Privacy, 1988, pp. 140-146.

[12] Lunt, T.: Access Control: Some Unanswered Questions. Computers & Security, Feb. 1989.

[13] Department of Defense: Trusted Computer System Evaluation Criteria. Department of Defense 5200.28-STD, Washington, 1985.

[14] Nordemann, W., Vinck, K., Hertin, P.W.: Urheberrecht. Kommentar zum Urheberrechtsgesetz und zum Urheberrechtswahrnehmungsgesetz. Stuttgart: Kohlhammer, 1994.

[15] Schönfelder, H.: Deutsche Gesetze. Sammlung des Zivil-, Straf- und Verfahrensrecht. München: Beck’sche Verlagsbuchhandlung, 85. Auflage, März 1995.