A security model is a mathematical,
or logical, expression of a set of security policies.
It is a diagrammatic, schematic, or tabular construct
of the rules derived from security policies that
deals with security levels (of information, of
people, and of processes), and the interplay between
the various types of security levels. The interplay
takes place in accordance with well-defined rules,
which determine whether information should be
allowed to flow, or be restricted, whenever a
person or a process tries to access the information.
A security model takes security policies as input,
and develops mathematical formulae and relationships
between the objects. These formulae and relationships
are built into data structures and mapped according
to the policy requirements. After the security
policies have been written, and the security models
are ready as part of the Enterprise Security Architecture
(ESA), the process of writing program code or
procuring vendor solutions can begin.
A system can be secure only if its security model
is based on logically sound premises, since the
security features of operating systems, database
systems, applications, etc., are built on the basis
of their security models. Further, the user has
to ensure that the system is appropriately configured
to get the full benefit of its security model, since
default settings usually constitute a 'low security'
version of the model.
There are several well-known security models,
such as the Bell-LaPadula model and the Biba model.
These models represent certain standard concepts
for controlling accessibility, integrity, etc.,
of information systems.
The Bell-LaPadula model is meant for information
systems where secrecy is of prime importance.
On the other hand, the Biba model is suitable
where integrity is more important. For example,
if a timetable for passenger trains is to be made
available online, then thousands of people should
be able to access the database, often simultaneously.
There would be no need for confidentiality, but
there would be the highest possible need for integrity
in the system.
In the above example, the data should never get
corrupted (intentionally or accidentally), either
at its primary storage location, or at the terminals
where it is displayed, or even during intermediate
stages of processing or transit through networks.
Stringent requirements of integrity have to be
met, despite the huge volumes of public network
access at high speeds and in various processed
formats. Evidently, an integrity model, rather
than an access control model, will be used for
building and operating this railway timetable.
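As an added illustration (not code from the original article), the two models' rules written out over a small lattice of labels, with the railway-timetable scenario above as constructed sample data; the entity names and their levels are assumptions made for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    """A security label: a linear level plus a set of categories (compartments)."""
    level: int                      # e.g. 0 = public, 1 = internal, 2 = secret
    cats: frozenset = frozenset()   # e.g. {"timetable"}

def dominates(a: Label, b: Label) -> bool:
    """Lattice order: a >= b when a's level is at least b's and a's categories include b's."""
    return a.level >= b.level and a.cats >= b.cats

def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (secrecy): no read up, no write down."""
    if mode == "read":
        return dominates(subject, obj)   # simple security property
    if mode == "write":
        return dominates(obj, subject)   # *-property: may only write at or above own level
    raise ValueError(f"unknown mode {mode!r}")

def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity): the dual of BLP, no read down, no write up."""
    if mode == "read":
        return dominates(obj, subject)   # only trust data at least as reliable as yourself
    if mode == "write":
        return dominates(subject, obj)   # never contaminate data more reliable than yourself
    raise ValueError(f"unknown mode {mode!r}")

# Constructed railway-timetable scenario: the levels here are integrity levels.
TT = frozenset({"timetable"})
PUBLIC_VIEWER = Label(0, TT)    # any passenger browsing online
DISPLAY_BOARD = Label(1, TT)    # rendered copy at a station terminal
MASTER_TABLE = Label(2, TT)     # the authoritative schedule
PLANNING_CLERK = Label(2, TT)   # vetted operator who maintains the master

def timetable_checks() -> dict:
    """Biba decisions for the scenario: every passenger may read, only the clerk may write."""
    return {
        "viewer_reads_master": biba_allows(PUBLIC_VIEWER, MASTER_TABLE, "read"),     # True
        "viewer_writes_master": biba_allows(PUBLIC_VIEWER, MASTER_TABLE, "write"),   # False
        "clerk_writes_master": biba_allows(PLANNING_CLERK, MASTER_TABLE, "write"),   # True
        "clerk_reads_board": biba_allows(PLANNING_CLERK, DISPLAY_BOARD, "read"),     # False
        # The same read under Bell-LaPadula goes the other way: a level-0 subject
        # may not read a level-2 object.
        "blp_viewer_reads_master": blp_allows(PUBLIC_VIEWER, MASTER_TABLE, "read"),  # False
    }
```

The two models share one lattice and one ordering test; only the direction of each rule differs, which is why a single deployment can enforce both on labels that carry a secrecy and an integrity component.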
An ESA usually has different security models co-operating
within the system. For example, an enterprise
may have several databases, built on different
security models.
Security models have many benefits. Principally,
they establish benchmarks, and ensure optimum
utilisation of resources, by incorporating the
right kinds of security for different bodies of
information. This happens at the machine level,
network level, and enterprise level.
Since there is never a single model that can meet
all kinds of security requirements, 'best fit'
solutions have to be designed, based on organisational
requirements.
The Concept
All information security models use the terms
'subject' and 'object.'
A 'subject' is an entity, such as a person, process,
or device, which accesses or uses information
from the system. An 'object' is the information,
or a piece of a larger body of information, which
is accessed by a 'subject.' An 'object' may be
a 'subject' in another situation or context, and
vice versa.
Types of Security Models
The important types of information security models
are access control models, integrity models, state
machine models, information flow models and non-interference
models.
Different types of information security models
use different philosophies for looking at subjects
and objects, and also for grouping and classifying
them, and for controlling their interactions.
A specific model, which may be a well-known model
or a model designed for a particular organisational
environment, usually has features from different
types of information security models. For example, the
Bell-LaPadula model is largely an access control
model, but it is also based on the state machine
model.
Access control models
Access control models use sets of rules, which
permit or deny access for a subject to an object.
This ensures that information does not fall into
wrong hands. The process involves a subject requesting
access to an object. The permission or denial of access
to the object depends upon the 'right' that the
subject possesses.
Access control models can be broadly classified
into Mandatory access control (MAC) and Discretionary
access control (DAC).
Mandatory access control models use the concept
of 'labels,' which describe the confidentiality
level (or security clearance) of a subject or
an object. Access is then controlled as per the
labels (or confidentiality levels/security clearances).
Discretionary access control models enable the
owners of system resources to specify the subjects,
and the rights of the subjects to objects. 'Discretionary
access control' enables rights to be assigned
as per the discretion (or choice) of the owner
of the resource. It provides the owner with a
degree of flexibility in exercising access control.
For example, Windows 2000 provides discretionary
access control through Active Directory (AD) and
Access Control Lists (ACLs). Similarly, Linux
also provides discretionary access control.
The important access control models are Access
matrix model, Take-Grant model and Bell-LaPadula
model.
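An added example (not from the original article) of the Take-Grant model named above: a protection graph with the model's two rights-moving rules, showing how a discretionary right can reach a subject its owner never named. The subjects and the 'payroll' object are constructed; the model's create and remove rules are left out.

```python
from collections import defaultdict

class TakeGrant:
    """Protection graph: rights[x][y] is the set of rights vertex x holds on vertex y."""
    TAKE, GRANT = "t", "g"   # the two special rights that let rights move around

    def __init__(self, subjects):
        self.subjects = set(subjects)   # only subjects (active entities) may apply rules
        self.rights = defaultdict(lambda: defaultdict(set))

    def add(self, x, y, rs):
        """Initial assignment of rights, as an administrator would configure them."""
        self.rights[x][y] |= set(rs)

    def take(self, x, y, z, rs):
        """Take rule: x may copy rights rs that y holds on z if x holds 't' on y."""
        rs = set(rs)
        if x in self.subjects and self.TAKE in self.rights[x][y] and rs <= self.rights[y][z]:
            self.rights[x][z] |= rs
            return True
        return False

    def grant(self, x, y, z, rs):
        """Grant rule: x may give y rights rs on z if x holds 'g' on y and rs on z."""
        rs = set(rs)
        if x in self.subjects and self.GRANT in self.rights[x][y] and rs <= self.rights[x][z]:
            self.rights[y][z] |= rs
            return True
        return False

def demo():
    """Constructed scenario: Carol ends up reading 'payroll' although its owner never gave it to her."""
    g = TakeGrant(subjects={"alice", "bob", "carol"})
    g.add("alice", "payroll", {"r", "w"})   # alice owns the file
    g.add("bob", "alice", {"t"})            # bob may take rights from alice
    g.add("bob", "carol", {"g"})            # bob may grant rights to carol
    step1 = g.take("bob", "alice", "payroll", {"r"})    # bob acquires read
    step2 = g.grant("bob", "carol", "payroll", {"r"})   # ... and passes it on
    denied = g.take("carol", "bob", "payroll", {"w"})   # carol holds no 't' on bob
    return step1, step2, denied, sorted(g.rights["carol"]["payroll"])
```

The question a reviewer of a DAC configuration asks ("can this right ever reach that subject?") is exactly what these rules make answerable for the model.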
Integrity models
Integrity models focus on reliability, consistency,
and correctness of data. This is achieved by protecting
data from modification by unauthorised users,
protecting data from unauthorised modification
by authorised users, and maintaining consistency
of data.
Integrity models ensure that data remains in its
desired state. In other words, the desired state
of data should not be altered, whether with malicious
intent, by mistake, or due to events beyond the
control of a user.
Integrity models classify data into integrity
levels, and provide appropriate integrity protection
between and within the different levels.
The important integrity models are the Biba integrity
model and the Clark-Wilson integrity model.
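An added example (not from the original article) of the Clark-Wilson enforcement rules named above: constrained data items may only be changed through certified transformation procedures, only by users holding an access triple, and only if the integrity verification procedures still pass afterwards. The timetable data, the reschedule procedure and the user names are constructed.

```python
class ClarkWilson:
    """Core of the Clark-Wilson enforcement rules (an added illustration, not a product's code)."""

    def __init__(self):
        self.cdis = {}         # constrained data items: name -> value
        self.tps = {}          # certified transformation procedures: name -> function
        self.triples = set()   # permitted (user, tp, cdi) relations
        self.ivps = []         # integrity verification procedures over all CDIs

    def certify_tp(self, name, fn):
        """Only code vetted by the certifier may ever touch a CDI."""
        self.tps[name] = fn

    def allow(self, user, tp, cdi):
        """Access triple set by the security officer, not by the user."""
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, *args):
        """E1: the TP must be certified; E2: the triple must exist; afterwards every IVP
        must still hold, otherwise the change is rolled back (well-formed transaction)."""
        if tp not in self.tps or (user, tp, cdi) not in self.triples:
            return False
        old = self.cdis[cdi]
        self.cdis[cdi] = self.tps[tp](old, *args)
        if not all(ivp(self.cdis) for ivp in self.ivps):
            self.cdis[cdi] = old
            return False
        return True

def reschedule(timetable, old_slot, new_slot):
    """Certified TP: move one departure to a new slot."""
    moved = {k: v for k, v in timetable.items() if k != old_slot}
    moved[new_slot] = timetable[old_slot]
    return moved

def demo():
    """Constructed timetable scenario: even an authorised clerk cannot leave the data inconsistent."""
    cw = ClarkWilson()
    cw.cdis["timetable"] = {"0800": "London", "0930": "York"}
    cw.certify_tp("reschedule", reschedule)
    cw.ivps.append(lambda c: all(k.isdigit() and len(k) == 4 for k in c["timetable"]))
    cw.allow("clerk", "reschedule", "timetable")
    ok = cw.run("clerk", "reschedule", "timetable", "0930", "1015")          # True
    no_triple = cw.run("intern", "reschedule", "timetable", "0800", "0815")  # False
    bad_slot = cw.run("clerk", "reschedule", "timetable", "0800", "8am")     # False, rolled back
    return ok, no_triple, bad_slot, cw.cdis["timetable"]
```

The third call is the case Biba cannot express: the clerk is fully authorised, yet the model still prevents the modification because the resulting state would violate the consistency check.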
State machine model
The state machine model captures the current state
of a system, and compares it with the state at
a later time, to determine if there has been a
security violation in the interval. It looks
at users, states, state commands, and outputs.
It depicts a transition from one state to another
as a change in the state variables.
A state machine model considers a system to be
in a secure state when no security breach occurs
at any state transition. In other words, a state
transition should occur only by intent; otherwise
it is a security breach.
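An added example (not from the original article) of the state machine view: the system is a set of currently held accesses plus labels, every event computes a successor state, and the successor is committed only if the secure-state predicate still holds, which also covers relabelling an object while accesses to it are open. The policy used (no read up on integer levels) and the entity names are assumptions made for the example.

```python
from collections import namedtuple

Access = namedtuple("Access", "subject obj mode")   # mode is "read" or "write"
State = namedtuple("State", "labels accesses")      # labels: ((entity, level), ...); accesses: frozenset

def secure(state: State) -> bool:
    """Secure-state predicate under the policy used here (no read up): every read
    currently held is on an object at or below the reader's own level."""
    levels = dict(state.labels)
    return all(a.mode != "read" or levels[a.obj] <= levels[a.subject] for a in state.accesses)

def transition(state: State, event):
    """Compute the successor state for one event and commit it only if it is still
    secure. Returns (state, accepted)."""
    kind, arg = event[0], event[1]
    if kind == "request":
        new = State(state.labels, state.accesses | {arg})
    elif kind == "release":
        new = State(state.labels, state.accesses - {arg})
    elif kind == "relabel":   # (entity, new level): accesses already held are re-checked
        levels = dict(state.labels)
        levels[arg] = event[2]
        new = State(tuple(levels.items()), state.accesses)
    else:
        raise ValueError(f"unknown event {kind!r}")
    return (new, True) if secure(new) else (state, False)

def demo():
    """Constructed run: if the initial state is secure, so is every state reached."""
    state = State((("analyst", 2), ("clerk", 0), ("report", 1)), frozenset())
    events = [
        ("request", Access("clerk", "report", "read")),     # rejected: level 1 > 0
        ("request", Access("analyst", "report", "read")),   # accepted
        ("relabel", "report", 3),   # rejected: the analyst's held read would become a read-up
        ("release", Access("analyst", "report", "read")),   # accepted
        ("relabel", "report", 3),   # accepted now that no held access depends on the old level
    ]
    log = []
    for ev in events:
        state, ok = transition(state, ev)
        log.append(ok)
    return log, dict(state.labels), state.accesses
```

Checking the whole successor state rather than only the request being made is what catches the third event: the request itself touches no access, yet committing it would leave the system insecure.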
Information flow models
Information flow models deal with controlling
the flow of information, so as to ensure that
there are no leakages during the movement of data.
Leakages need to be prevented, whether information
is flowing within a security level, or between
different levels. Usually this is done by permitting
flows only in specified directions, since a leakage
is nothing but a flow in an unwanted direction.
The components of information flow models are
objects (class, value), state transitions (modifications
from the current state), and a lattice (flow policy).
An example of an information flow model is the
Sutherland model.
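An added example (not from the original article) of a lattice flow policy: classes are sets of categories ordered by inclusion, the join of the inputs gives the class of a derived value, and an explicit assignment is a leak when that join is not included in the target's class. The data names and categories are constructed; implicit flows through control structures are not checked.

```python
def can_flow(src: frozenset, dst: frozenset) -> bool:
    """Flow policy of a subset lattice: information may move only to a class that carries
    every category of its source (upwards or sideways, never down)."""
    return src <= dst

def join(*classes):
    """Least upper bound: the class of a value computed from several inputs."""
    return frozenset().union(*classes)

def check_program(labels, statements):
    """statements are (target, sources) meaning target := f(*sources), i.e. an explicit flow.
    Returns the statements that would leak, with the categories that would flow downwards."""
    leaks = []
    for i, (target, sources) in enumerate(statements):
        derived = join(*(labels[s] for s in sources))
        if not can_flow(derived, labels[target]):
            leaks.append((i, target, sorted(derived - labels[target])))
    return leaks

def demo():
    """Constructed labels and program for a railway operator's data."""
    labels = {
        "timetable": frozenset(),                              # public: bottom of the lattice
        "fare_model": frozenset({"commercial"}),
        "crew_roster": frozenset({"staff"}),
        "ops_dashboard": frozenset({"commercial", "staff"}),   # top: may receive everything
        "public_notice": frozenset(),
    }
    program = [
        ("ops_dashboard", ["fare_model", "crew_roster"]),   # ok: join flows up to the top
        ("public_notice", ["timetable"]),                   # ok: public to public
        ("public_notice", ["timetable", "crew_roster"]),    # leak: staff data reaches public output
        ("fare_model", ["ops_dashboard"]),                  # leak: dashboard also carries staff data
    ]
    return check_program(labels, program)
```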
Non-interference model
Developed by Goguen and Meseguer in 1982, the
non-interference model keeps activities at different
security levels separated from each other, instead
of permitting restricted flows between them. This
model minimises leakages that may occur through
covert channels, by maintaining complete separation
(non-interference) between security levels.
A user at a higher security level cannot interfere,
in any way, with the activities at a lower level.
As a result, the lower level cannot possibly get
any information from the higher level.
One of the major limitations of the non-interference
model is the premise that a lower-level input
cannot, by itself, generate a higher-level output.
This assumption is often incorrect. For example,
a cryptographic process can transform low-security
data into high-security data.
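An added example (not from the original article) of the Goguen-Meseguer condition: a low user's view of the system must be unchanged when every high-level input is purged from the trace. Both systems, their counter commands and the traces are constructed.

```python
LOW, HIGH = 0, 1   # two security levels; inputs are (level, command) pairs

def purge(trace, level):
    """Drop every input from users above `level`: the trace that `level` alone could have caused."""
    return [(lvl, cmd) for lvl, cmd in trace if lvl <= level]

def run(step, trace):
    """Drive a system (given as a step function) from its initial state through a trace."""
    state = step(None, None)
    for inp in trace:
        state = step(state, inp)
    return state

def noninterfering(step, observe, traces):
    """Goguen-Meseguer condition, tested on the given traces: LOW's view of the result must be
    identical whether or not HIGH's inputs ever happened. A False is a proof of a leak;
    a True only says these traces showed none."""
    return all(observe(run(step, t)) == observe(run(step, purge(t, LOW))) for t in traces)

def step_isolated(state, inp):
    """Constructed system A: each level has its own counter; a command touches only its own."""
    if state is None:
        return {LOW: 0, HIGH: 0}
    lvl, cmd = inp
    new = dict(state)
    if cmd == "inc":
        new[lvl] += 1
    return new

def step_shared(state, inp):
    """Constructed system B: every 'inc' also bumps a shared counter, a covert channel."""
    if state is None:
        return {LOW: 0, HIGH: 0, "shared": 0}
    lvl, cmd = inp
    new = dict(state)
    if cmd == "inc":
        new[lvl] += 1
        new["shared"] += 1
    return new

def observe_low(state):
    """Everything a LOW user can read: its own counter plus any shared field."""
    return {k: v for k, v in state.items() if k in (LOW, "shared")}

# Constructed traces, including one with no LOW activity at all.
TRACES = [[(LOW, "inc"), (HIGH, "inc"), (LOW, "inc")], [(HIGH, "inc"), (HIGH, "inc")], []]
```

The condition is one-directional: in system A a low input still changes what a high user sees, which the model permits, and that is the asymmetry behind the limitation described above.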