
Protecting the integrity of information during processing

Updated 03.02.2024 07:49


When considering the issue of data integrity in processing, an integrated approach is used, based on a number of works by D. Clark and D. Wilson, as well as their followers and opponents, and including nine theoretical principles:

1. transaction correctness;
2. user authentication;
3. minimizing privileges;
4. differentiation of functional responsibilities;
5. audit of events that have occurred;
6. objective control;
7. managing privilege transfer;
8. ensuring continuous performance;
9. ease of use of protective mechanisms.

The concept of transaction correctness is defined as follows. The user should not modify the data arbitrarily, but only in certain ways, i.e. so that the integrity of the data is preserved. In other words, data can only be changed by correct transactions and cannot be changed by arbitrary means. In addition, it is assumed that the "correctness" of each of these transactions can be proven in some way.

The second principle states that data modification can only be carried out by users who have been specifically authenticated for this purpose. This principle works in conjunction with the four that follow; its role in the overall integrity scheme is closely tied to them.

The idea of minimizing privileges appeared at the early stages of the development of information security, in the form of restrictions imposed on the capabilities of processes running in the system: a process should be granted those privileges, and only those, that are naturally and minimally necessary for it to run. The principle of minimizing privileges applies to both programs and users. Users usually hold somewhat more privileges than they need to perform a specific action at a given time, and this opens up opportunities for abuse.

The differentiation of functional responsibilities implies the organization of work with data in such a way that in each of the key stages that make up a single process that is critically important from the point of view of integrity, the participation of different users is necessary. This ensures that it is impossible for one user to complete the entire process (or even two of its stages) in order to violate data integrity. In ordinary life, an example of the embodiment of this principle is the transfer of one half of the password for access to the nuclear reactor control program to the first system administrator, and the other half to the second.

An audit of the events that occurred, including the possibility of restoring the full picture of what happened, is a preventive measure against potential violators.
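The first five principles (correct transactions, authentication, minimal privileges, separation of functional responsibilities and audit) can be seen working together in a small reference monitor. The following Python code is an added illustration, not part of the article and not Clark and Wilson's own formalism; the ledger, the user names "operator" and "approver", the two-stage "transfer" process and the invariant that the total balance stays at 150 are all constructed for the example.

```python
class IntegrityMonitor:
    def __init__(self, cdis, tps, invariant, allowed, process_of):
        self.cdis, self.tps, self.invariant = cdis, tps, invariant  # CDIs, certified TPs, consistency predicate
        self.allowed, self.process_of = allowed, process_of         # minimal privileges; tp -> multi-stage process
        self.performed, self.audit = {}, []                         # process -> {tp: user}; append-only log

    def run(self, user, tp_name, *args):
        """Apply one request; every decision, accepted or denied, goes to the audit log."""
        verdict = self._decide(user, tp_name, *args)
        self.audit.append((user, tp_name, verdict))
        return verdict

    def _decide(self, user, tp_name, *args):
        if not user:                                   # authentication: anonymous callers denied
            return "denied: unauthenticated caller"
        tp = self.tps.get(tp_name)
        if tp is None:                                 # transaction correctness: certified TPs only
            return f"denied: {tp_name} is not a certified transaction"
        if (user, tp_name) not in self.allowed:        # minimal privileges
            return f"denied: {user} may not run {tp_name}"
        proc = self.process_of.get(tp_name)
        done = self.performed.setdefault(proc, {}) if proc else {}
        if user in done.values():                      # separation of duty: one user, one stage
            return f"denied: {user} already performed a stage of {proc}"
        candidate = tp({k: dict(v) for k, v in self.cdis.items()}, *args)
        if not self.invariant(candidate):              # commit only if the data stays consistent
            return f"denied: {tp_name} would break the integrity invariant"
        self.cdis, done[tp_name] = candidate, user
        if proc and all(t in done for t, p in self.process_of.items() if p == proc):
            del self.performed[proc]                   # process complete: reset for the next one
        return "accepted"

# Constructed sample: a two-stage money transfer whose stages are certified transactions.
def prepare_transfer(c, src, dst, amount):
    c["pending"] = {"src": src, "dst": dst, "amount": amount}
    return c

def approve_transfer(c):
    p = c["pending"]
    c["ledger"][p["src"]] -= p["amount"]
    c["ledger"][p["dst"]] += p["amount"]
    return {**c, "pending": {}}

def build_monitor():
    return IntegrityMonitor(
        cdis={"ledger": {"alice": 100, "bob": 50}, "pending": {}},
        tps={"prepare_transfer": prepare_transfer, "approve_transfer": approve_transfer},
        invariant=lambda c: min(c["ledger"].values()) >= 0 and sum(c["ledger"].values()) == 150,
        allowed={("operator", "prepare_transfer"), ("approver", "prepare_transfer"), ("approver", "approve_transfer")},
        process_of={"prepare_transfer": "transfer", "approve_transfer": "transfer"})
```

Running the same identity through both stages, an uncertified transaction, or a transfer that would overdraw an account is refused, and each refusal is recorded alongside the accepted requests, which is what makes the audit log a full picture of what happened.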

The principle of objective control is also one of the cornerstones of the integrity control policy. The essence of this principle is that data integrity control makes sense only when this data reflects the real state of things. In this regard, Clark and Wilson point out the need for regular checks aimed at identifying possible inconsistencies between the protected data and the objective reality that they reflect.

Privilege transfer management is necessary for the effective operation of the entire security policy. If the privilege assignment scheme does not adequately reflect the organizational structure of the enterprise or does not allow security administrators to flexibly manipulate it to ensure the effectiveness of production activities, protection becomes burdensome and provokes attempts to circumvent it.

The principle of ensuring continuous operation includes protection against failures, natural disasters and other force majeure circumstances.

The ease of use of protective mechanisms is necessary, among other things, so that users do not seek to circumvent them as interfering with "normal" operation. In addition, as a rule, simple schemes are more reliable. The ease of use of protective mechanisms implies that the safest way to operate the system will also be the simplest, and vice versa, the simplest is the most secure.