Secure Information Flow Connections

TL;DR

This paper introduces a mathematically rigorous framework based on Lagois connections for secure information flow between autonomous organizations with different security policies, ensuring security and flexibility.

Contribution

It extends Denning's lattice model to support inter-organizational information exchange using Lagois connections, maintaining security and autonomy.

Findings

Framework preserves non-interference security property

Supports modular and adaptable security policies

Extends to Decentralised Labels Model for bidirectional flows

Abstract

Denning's lattice model provided secure information flow analyses with an intuitive mathematical foundation: the lattice ordering determines permitted flows. We examine how this framework may be extended to support the flow of information between autonomous organisations, each employing possibly quite different security lattices and information flow policies. We propose a connection framework that permits different organisations to exchange information while maintaining both security of information flow as well as their autonomy in formulating and maintaining security policies. Our prescriptive framework is based on the rigorous mathematical framework of Lagois connections proposed by Melton, together with a simple operational model for transferring object data between domains. The merit of this formulation is that it is simple, minimal, adaptable and intuitive. We show that our framework is semantically sound, by proving that the connections proposed preserve standard correctness notions such as non-interference. We then illustrate how Lagois theory also provides a robust framework and methodology for negotiating and maintaining secure agreements on information flow between autonomous organisations, even when either or both organisations change their security lattices. Composition and decomposition properties indicate support for a modular approach to secure flow frameworks in complex organisations. We next show that this framework extends naturally and conservatively to the Decentralised Labels Model of Myers et al. - a Lagois connection between the hierarchies of principals in two organisations naturally induces a Lagois connection between the corresponding security label lattices, thus extending the security guarantees ensured by the decentralised model to encompass bidirectional inter-organisational flows.