Brewer-Nash model

from Wikipedia, the free encyclopedia

The Brewer-Nash model (also called the Chinese Wall model) is an IT security model for protecting data. It protects the confidentiality of information through a system of enforced rules and thus implements the concept of mandatory access control for IT systems. It is intended to prevent an “inadmissible use of insider knowledge when processing bank or stock exchange transactions” or the disclosure of company-specific insider information to competing companies by a consultant.

The model has its origins in the financial sector and describes rules intended to prevent conflicts of interest from arising (see also Chinese Wall (financial world)).

The Brewer-Nash model was described in 1989 by David FC Brewer and Michael J. Nash.

Formal definition

The set of subjects models the actors, e.g. the active consultants in a management consultancy, while the set of objects represents the assets to be protected, for example sensitive documents of a bank or a company.

Access history

The Brewer-Nash model considers an access history, given by a matrix over subjects and objects. An entry of this matrix records, for a subject and an object, the authorizations with which that subject has accessed that object at some earlier point in time.

Object tree

The objects are structured in an object tree of depth 3: the protected objects are the leaves of the tree. The parent nodes of the protected objects represent the companies or areas to which the objects belong, so every object is assigned to exactly one company. The companies in turn have the conflict of interest classes as parent nodes, so the conflict of interest class is likewise determined for every object. Intuitively, this means that if two companies A and B are in the same conflict of interest class, a subject may not gain knowledge of sensitive information (objects) about both A and B at the same time.

In addition, objects that are to be publicly accessible to all subjects are given a special marking, and the conflict of interest class of these objects is defined accordingly.

Reading rule

Now the system-related access restrictions must be defined. The first rule, the reading rule, says that a subject is granted read access to an object if and only if all objects to which it has already had access (with any right) are public, belong to the same company as the requested object, or belong to a different conflict of interest class than the requested object. Formally that means

Writing rule

The reading rule alone cannot rule out an undesired flow of information. It is possible that a subject has read access to an object and then writes its content to a second object that lies in a different conflict of interest class than the first. Another subject could now first access an object that is in the same conflict of interest class as the first object but belongs to a different company. That subject could then acquire inadmissible inside knowledge by reading the second object, which the reading rule permits, since the contents of the first and second objects match.

In order to prevent this flow of information, we define the following writing rule, which says that a subject is granted write access to an object if and only if all objects to which the subject has already had read access are public or belong to the same company as the object being written. Formally that means

This rule prevents precisely the case described above in which a subject passes on inside information about another conflict of interest class to a competitor.
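The reading and writing rules above, and the leak attempt they are meant to stop, as an added Python example (not code from the article or from Brewer and Nash). The object tree is flattened to a company and a conflict of interest class per object, the subjects and objects are constructed sample data, and a write here must also satisfy the reading rule, as in Brewer and Nash's original formulation.

```python
from collections import defaultdict

PUBLIC = "public"  # sentinel company / conflict class marking public objects


class ChineseWall:
    """Brewer-Nash reference monitor. objects: name -> (company, conflict_class)."""

    def __init__(self, objects):
        self.company = {o: c for o, (c, _) in objects.items()}
        self.coi = {o: x for o, (_, x) in objects.items()}
        # access history: (subject, object) -> set of rights ever exercised
        self.history = defaultdict(set)

    def _accessed(self, s, right=None):
        return [o for (subj, o), rights in self.history.items()
                if subj == s and (right is None or right in rights)]

    def can_read(self, s, o):
        # reading rule: every object s ever touched (any right) is public,
        # belongs to o's company, or lies in a different conflict class than o
        return all(self.company[p] == PUBLIC or self.company[p] == self.company[o]
                   or self.coi[p] != self.coi[o] for p in self._accessed(s))

    def can_write(self, s, o):
        # writing rule: every object s has *read* is public or in o's company;
        # the write must also pass the reading rule (original paper's formulation)
        return self.can_read(s, o) and all(
            self.company[p] in (PUBLIC, self.company[o]) for p in self._accessed(s, "read"))

    def read(self, s, o):
        ok = self.can_read(s, o)
        if ok:
            self.history[(s, o)].add("read")
        return ok

    def write(self, s, o):
        ok = self.can_write(s, o)
        if ok:
            self.history[(s, o)].add("write")
        return ok


def scenario():
    """Replays the information-flow attempt from the text on constructed sample data."""
    wall = ChineseWall({"bank_a_report": ("Bank A", "banks"), "bank_b_report": ("Bank B", "banks"),
                        "oil_co_memo": ("Oil Co", "oil"), "press_release": (PUBLIC, PUBLIC)})
    return {
        "s1 reads Bank A": wall.read("s1", "bank_a_report"),     # granted: empty history
        "s1 reads Bank B": wall.read("s1", "bank_b_report"),     # denied: same class, other company
        "s1 may read Oil Co": wall.can_read("s1", "oil_co_memo"),  # granted: different class
        "s1 writes Oil Co": wall.write("s1", "oil_co_memo"),     # denied: would carry Bank A data
        "s1 writes public": wall.write("s1", "press_release"),   # denied: same reason
        "s2 reads Bank B": wall.read("s2", "bank_b_report"),     # granted
        "s2 reads Oil Co": wall.read("s2", "oil_co_memo"),       # granted: this is where s2 would have seen the leak
    }
```

The writing rule is what denies the write to `oil_co_memo`; the reading rule alone would have allowed it, and `s2` could then legitimately read both `bank_b_report` and `oil_co_memo`.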

References

  1. Claudia Eckert: IT-Sicherheit. Konzepte - Verfahren - Protokolle. 6th, revised and expanded edition. Oldenbourg, 2009, ISBN 978-3-486-58999-3.
  2. Dr. David FC Brewer, Dr. Michael J. Nash: The Chinese Wall Security Policy. (PDF; 791 kB) Gamma Secure Systems Limited, 1989, accessed November 3, 2017 (English).

Web links

  • Dr. David FC Brewer and Dr. Michael J. Nash: The Chinese Wall Security Policy. In: Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 1989, pp. 206–214 (purdue.edu [PDF; 772 kB]).