Security Models: Part 5 - Clark-Wilson and Brewer-Nash

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
>> Now the last of the security models
00:00
>> that I consider to be the ones
00:00
>> they're going to test you on.
00:00
>> We have Clark-Wilson, and Brewer-Nash.
00:00
These are two models that accomplish
00:00
different features or accomplish different goals.
00:00
The Clark-Wilson security model is all about
00:00
>> making sure we have isolation between resources.
00:00
>> The Brewer-Nash model is a model
00:00
>> that's often implemented in databases
00:00
>> to prevent conflict of interest.
00:00
>> Let's start out by looking at Clark-Wilson first.
00:00
Now I'm going to give you a Kelly definition of what
00:00
the Clark-Wilson model says then
00:00
>> I'll say it a little bit more formally
00:00
>> because the Clark-Wilson model to me
00:00
>> is something everyone should know and understand.
00:00
>> You don't have to call it Clark-Wilson,
00:00
but you've got to get it.
00:00
Because ultimately what the Clark-Wilson model says is,
00:00
"Keep users out of your stuff or they'll break it."
00:00
That makes sense to me.
00:00
Keep users out of your stuff or they'll break it.
00:00
If you think about it,
00:00
let's say I'm going to go to Amazon.
00:00
I'm going to purchase some books.
00:00
Where do I click on the page in Amazon's website
00:00
>> that will take me directly to the Amazon database
00:00
>> and I can remove one book from their quantity?
00:00
>> Amazon doesn't let me in their database.
00:00
Amazon gives me a front end application
00:00
that limits what I can do.
00:00
Because what's going to happen
00:00
>> if Amazon lets me have direct access to their database?
00:00
>> I'm going to break it.
00:00
>> I don't even mean to break it,
00:00
>> but I'm going to break it.
00:00
>> Amazon says, Clark-Wilson tells us
00:00
to keep users out of our stuff so they don't break it.
00:00
But as a user who wants to purchase a book,
00:00
ultimately it does make a change to their database
00:00
for number of books that they have in stock.
00:00
What they do instead,
00:00
is they give me a front end application.
00:00
I go in and they don't even let me type out
00:00
>> the number of books I want.
00:00
>> I don't get to type out any,
00:00
they give me a drop box,
00:00
choose one out of the list.
00:00
They don't let me have 50 characters for state.
00:00
They give me two characters.
00:00
Not a lot of damage I can do with two characters.
00:00
As a matter of fact, if they're smart,
00:00
they give me a drop-down arrow for that as well.
00:00
That front-end application is limiting
00:00
>> what I can do to their back-end database.
00:00
>> Because if they give me too much freedom
00:00
>> and too much space and too many characters,
00:00
>> we can have a problem called code injection,
00:00
where an attacker out on the Internet can introduce
00:00
malicious code to the back-end database
00:00
through inputs in forms.
00:00
You don't have to be a SQL expert
00:00
>> to know that drop table is probably
00:00
>> not a good command for a database.
00:00
>> We're going to eliminate data control language.
00:00
I don't need brackets,
00:00
I don't need semicolons,
00:00
I don't need the phrase drop tables.
00:00
Nobody's last name is drop tables.
00:00
Input validation through an application
00:00
or intermediary of some sort
00:00
is what Clark-Wilson's all about.
00:00
You have your user interface stuff,
00:00
and it's that interface that protects your stuff.
00:00
You don't give access to your user,
00:00
you give access to the interface.
00:00
Let's say this a little bit more formally.
00:00
I have this right on the screen,
00:00
because this is about the best way
00:00
>> I can figure to say it more formally,
00:00
>> is that Clark-Wilson forces well-formed transactions
00:00
>> through the use of the access triple.
00:00
>> The access triple is your user.
00:00
They have access to a transformation procedure.
00:00
That's your interface or your front-end app.
00:00
You have to go through that front-end app
00:00
>> or interface to access constrained data items.
00:00
>> Those constrained data items
00:00
are the resources you want to protect.
00:00
User goes through a transformation procedure
00:00
>> to access your CDI, constrained data items.
00:00
>> This can show up all over the place,
00:00
it doesn't even have to be in systems.
00:00
This is the foundation for separation of duties
00:00
>> or one of the ways
00:00
>> we implement separation of duties.
00:00
>> Let's say I'm a bank teller
00:00
and I've been with the bank
00:00
>> for about three weeks and John comes by
00:00
>> and makes a deposit for $10,000.
00:00
>> I know that money needs to go in the vault
00:00
>> but I don't have keys to the vault,
00:00
>> I'm not trusted.
00:00
>> So what do I do?
00:00
>> I give the money to the bank manager
00:00
>> who has access to the vault.
00:00
>> I'm the user, bank manager is the interface.
00:00
It's the interface that has access
00:00
to the back-end resource, not the user.
00:00
Just keep that in mind for Clark-Wilson.
00:00
It makes a lot of sense
00:00
>> and you'll see Clark-Wilson all over the place.
00:00
>> If you've ever had an Excel spreadsheet
00:00
>> and you've hidden a column or a row
00:00
>> in Excel because it contains sensitive information
00:00
>> you didn't want to make available to everybody,
00:00
>> you've Clark-Wilsoned.
00:00
>> You have chosen to use
00:00
an interface to limit what users can see or access.
00:00
Clark-Wilson's everywhere.
00:00
Start looking for ways interfaces restrict
00:00
>> the damage users can do.
00:00
>> You can say, I know what you're doing there,
00:00
>> you're Clark-Wilsoning,
00:00
>> don't let anybody hear you say that
00:00
>> because they'll think you've lost your mind,
00:00
>> but you'll know to yourself.
00:00
Now, Clark-Wilson,
00:00
this is a commercial model and notice it doesn't say,
00:00
I can read up or down.
00:00
It's just a rule set,
00:00
user through transformation procedure,
00:00
>> constrained data items.
00:00
>> Biba and Bell–LaPadula talk about
00:00
>> what you can do up and what you can do down,
00:00
>> Clark-Wilson changes that
00:00
>> and so does the Brewer-Nash model.
00:00
>> Sometimes the Brewer-Nash model
00:00
>> is a little bit difficult for people
00:00
>> to comprehend because again,
00:00
>> this isn't something that everybody sees.
00:00
This is designed for databases
00:00
>> where the end-users might have
00:00
>> access to data from a lot of different companies.
00:00
The goal here is to prevent conflict of interest.
00:00
Let's say I work for the FDA.
00:00
Man, I'm tired of working for a living.
00:00
I've decided I'm going to do
00:00
a little insider trading on my way out,
00:00
get my money to the Cayman Islands, and retire.
00:00
Here at the FDA,
00:00
I have access to information on
00:00
a lot of different pharmaceutical companies.
00:00
I'm going to compare records to figure
00:00
out where I would best invest my money.
00:00
I look at Pfizer and find out
00:00
>> that they're getting ready
00:00
>> to have their vaccine approved for kids 5-12.
00:00
Well that's going to make their stocks go up
00:00
even higher than they are now.
00:00
Or I look at Moderna
00:00
>> and I see that the same idea is that
00:00
>> they're going to be authorized to
00:00
send their vaccine overseas,
00:00
which will open up a lot of new business,
00:00
stock's going to rise.
00:00
Then maybe Johnson & Johnson.
00:00
At one point in time,
00:00
we were looking at some issues
00:00
>> with possible side effects for Johnson & Johnson
00:00
>> so their stock went down a little bit.
00:00
>> As a customer service rep or as a representative
00:00
>> that has access to all the pharmaceutical companies,
00:00
>> you don't want me going in and comparing one
00:00
versus the other versus the other versus the other,
00:00
that gives me an unfair advantage.
00:00
What the Brewer-Nash model sets,
00:00
for instance, in this example,
00:00
is each pharmaceutical company,
00:00
it's almost like they have a flag that identifies
00:00
these companies as pharmaceutical manufacturers.
00:00
Maybe let's say all pharmaceutical companies
00:00
have a purple flag.
00:00
I can access any company with a purple flag.
00:00
I can access records for Pfizer,
00:00
Johnson & Johnson, Moderna, Bristol Myers,
00:00
and all these others.
00:00
But once I access one record,
00:00
then I cannot access
00:00
any other of its competitors' information.
00:00
I could access Moderna,
00:00
or I could access Pfizer,
00:00
or I could access Johnson & Johnson,
00:00
but whichever one I choose from that point forward,
00:00
I'm locked in just to that company.
00:00
It used to be called the Chinese Wall model
00:00
because the idea is I could access
00:00
>> any one of these companies,
00:00
>> but once I choose one over the others,
00:00
it's almost like a wall comes down behind me
00:00
>> and locks me into that set of records.
00:00
>> You're only going to see this
00:00
>> in certain types of databases,
00:00
>> it's usually very large databases
00:00
that have competitor data.
00:00
We wrap up these last two models,
00:00
which are the Clark-Wilson model
00:00
and the Brewer-Nash model.
00:00
We said Clark-Wilson is all about
00:00
preventing misuse or improper access.
00:00
It creates an access triple that says
00:00
>> we do not allow users direct access
00:00
>> to our protected resources.
00:00
>> Users have access to an application.
00:00
The application has access to our resources.
00:00
Because if we allow an untrusted entity
00:00
>> to access our trusted resources,
00:00
>> those untrusted entities will break our assets
00:00
>> either intentionally or not.
00:00
>> Then the Brewer-Nash model says,
00:00
we've got to find a way to prevent
00:00
someone with access to a database from
00:00
aggregating information across competitors
00:00
and having a competitive edge.
00:00
The Brewer-Nash model says,
00:00
you can access any of these records but
00:00
once you choose one company over another,
00:00
you're locked in and you can't access other records.
00:00
Now a lot of times people say, "Well, how long?"
00:00
It depends on how the administrator configures it.
00:00
It could be for 30 seconds,
00:00
it could be for 30 years.
00:00
It just is a configuration
00:00
>> by the database administrator.
00:00
>> These security models are very much ones
00:00
>> that you'll see on the exam.
00:00
>> You're not going to get 15 questions on them,
00:00
but they're worth at least one question.