The Chinese Wall Security Policy


Brewer and Nash's 1989 paper, “The Chinese Wall Security Policy”, is an authoritative voice in the information security realm. It describes an access control policy that addresses a very specific security issue: conflict of interest.

The policy aims to protect the confidentiality and, by extension, the integrity of a set of data by mandating rules around its access and availability.

Data sets in the Brewer-Nash abstraction model can be any one of the following three types:

  • Objects – These are the same as the objects of the Bell-LaPadula model and are essentially the ungrouped basic units of information
  • Company Dataset – This is the collection of all objects belonging to a single organization or company
  • Conflict of Interest Class – This is a collection of companies that are in competition with each other

Through a few axioms it can be inferred that if “Object 1” belongs to “Company 1” and “Object 2” belongs to “Company 2”, and if “Company 1” and “Company 2” belong to the same conflict of interest class, then all objects of “Company 1” are in conflict of interest with all objects of “Company 2”. So “Object 1” would be in conflict with “Object 2”.

The following could be considered as examples of conflict classes:

{Experian, Equifax, TransUnion}

{JP Morgan Chase, Bank of America, Citigroup}

{Google, Microsoft, Apple}

Now if “Person A” has access to some of Experian’s files, he cannot be granted access to any files of Equifax or TransUnion. However, he can be allowed access to Citigroup’s files. And if he is allowed this access, he cannot then further access any files belonging to JP Morgan Chase or Citigroup.

Thus it is seen that the access permissions in the Chinese Wall model are completely dependent on the history of access rights.

Brewer and Nash express their model in terms of two rules:

  • The Simple Security rule – access can be permitted to an object if at least one of the following two conditions is met:
    • The object is within the “Wall”, i.e. the object belongs to the same company dataset.
      If “Person A” has access to “Object 1” from Google, he can also be allowed access to “Object 2” from Google, or
    • The object belongs to an entirely separate conflict of interest class.
      If “Person A” can access objects from Google, he can be granted access to objects from Bank of America
  • *-Property rule or the Write Access rule – access for writing can be granted only if both of the following conditions are met:
    • access is permitted by the Simple Security rule defined above, and
    • no object can be read if it is:
      • in a different company dataset than the one being written into, or
      • if the data is unsanitized

For example, if “Person A” wants to write an object in Google, and has access to Google and Bank of America, he is in accordance with the Simple Security rule, but he fails the *-Property rule and will not be allowed to write into Google.
Further, “Person B”, who has access only to Google and nothing else, satisfies both the Simple Security rule and the Write Access rule and can be granted permission to write a Google object.

On closer examination of the Simple Security rule, and with an understanding of how heavily access history weighs in the Chinese Wall policy, it is seen that while “Person A” can never compare Google’s datasets with Apple’s datasets, he can also never be allowed to compare Google’s datasets with Bank of America’s datasets if he has ever had access to Apple’s datasets.

With the introduction of the concept of “sanitized” data, Brewer and Nash allow the relaxation of this stringent restriction. They define sanitized data as masked or disguised data that provides the facts but hides the identity of the company/organization.

For instance, if “Person A” had access to read only sanitized objects in “Apple” (implying that he did not know they belonged to Apple), then he can be allowed to compare datasets from Google with datasets from Bank of America.
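The two rules and the sanitization relaxation can be exercised with a small history-tracking model. This Python sketch is an added example, not code from Brewer and Nash's paper or from this article; `Subject`, `can_read`, `can_write` and the `sanitized` flag are hypothetical names, and it assumes that sanitized objects are readable by anyone and that only unsanitized reads count toward the wall.

```python
# Added example: history-based Chinese Wall checks (not code from the paper).
# Conflict-of-interest classes are the article's own examples.
CONFLICT_CLASSES = [
    {"Experian", "Equifax", "TransUnion"},
    {"JP Morgan Chase", "Bank of America", "Citigroup"},
    {"Google", "Microsoft", "Apple"},
]


def conflict_class(company):
    """Return the conflict-of-interest class that contains the company."""
    for cls in CONFLICT_CLASSES:
        if company in cls:
            return cls
    raise KeyError(f"unknown company: {company}")


class Subject:
    """Tracks one person's read history as (company, sanitized) pairs."""

    def __init__(self, name):
        self.name = name
        self.history = []

    def _walled(self):
        # Companies whose unsanitized data this subject has already read.
        return {c for c, sanitized in self.history if not sanitized}

    def can_read(self, company, sanitized=False):
        """Simple Security rule: same company dataset, or no conflict."""
        if sanitized:
            return True  # assumption: sanitized objects are readable by all
        held = self._walled()
        if company in held:
            return True  # the object is inside the wall
        return not (conflict_class(company) & held)

    def read(self, company, sanitized=False):
        """Record the access if permitted; return whether it was granted."""
        allowed = self.can_read(company, sanitized)
        if allowed:
            self.history.append((company, sanitized))
        return allowed

    def can_write(self, company):
        """*-Property: readable, and no unsanitized reads from elsewhere."""
        return self.can_read(company) and self._walled() <= {company}
```

Because every decision is derived from `history`, the same request can be granted to one subject and denied to another with identical static permissions, which is the property that separates this model from a fixed access control list.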

In conclusion, it is obvious that the Chinese Wall model is starkly different from other security models. While the Biba Security Model, Lipner’s Security Model, and the Clark-Wilson Security Model are generic in nature, the Chinese Wall policy focuses on solving the very specific security concern of conflict of interest. It is further seen that neither the Bell-LaPadula model nor role-based access controls can solve the conflict of interest security issues.
The legal mandate of the Chinese Wall security model in the realm of the United Kingdom Stock Exchange is testimony to its effectiveness in preventing conflict of interest. The Brewer-Nash model can thus be adopted in commonplace business operations such as dealings with consultants and contractors, and can safeguard corporations from conflicts of interest.

References

Brewer, D., & Nash, M. (1989). The Chinese Wall Security Policy. Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, 215-228.

Young, B. (n.d.). Foundations of Computer Security. Retrieved from https://www.cs.utexas.edu/~byoung/cs361/lecture25.pdf