Introducing location-determination in information flow control

5.3 Towards a complete model of information flow control

5.3.2 Introducing location-determination in information flow control

When modelling allowed information flows of virtual resources in the context of the challenge of location inhomogeneity (cf. Def. 4.6), it is necessary to describe the ensured level of security at the location of the hardware resources (i.e., subjects) and how it complies with the necessary level of security of virtual resources (i.e., objects). In general, the ensured level of security depends on the applicable legislation of the country a hardware resource is based in (cf. Section 3.6.1). Therefore, location has to be modelled using two dimensions: (1) the geographical location of subjects and objects and (2) the geographical application of legislation. For example, for a virtual resource that contains tax data of a German corporate customer and is allowed to be hosted only on hardware resources located in Europe, it is necessary to model the location of the hardware resources and virtual resources depending on the country they are based in.

The geographical application of legislation can be classified by territories with their own legislation. Territories can be part of other territories (e.g., Germany is part of the EU/EEA). Further, territories usually do not overlap, i.e., they are either fully part of another territory or completely disjoint. However, it is possible for territories to overlap due to contractual agreements; for example, the United Kingdom is a member of the EU/EEA and of the Commonwealth of Nations. Therefore, territories can be modelled as geographical areas with their own legislation, and territories are (partially) ordered by the subset relation of their geographical areas. Additionally, an upper and a lower bound for territories can be defined. The upper bound is the global territory that contains all other territories. Without loss of generality, the lower bound is defined as the empty territory that has an empty intersection with all other territories and, by definition, is contained in every territory. The existence of this territory has no impact on other territories but makes it possible to model the special case where information is not allowed to be part of the system. In the context of IT outsourcing to the cloud, the empty territory is used when information is not allowed to flow to the cloud and has to remain at the corporate customer.

The geographical location of subjects and objects is specified by a geographical and organisational closed space which is associated with a legal or real person. For example, hardware resources are geographically located at a hosting site operated by a hardware provider. Further, each location is based in one or more hierarchically contained territories. For example, a German hosting site that is located in Passau is based in the following four territories: (1) in the administrative district of Passau, (2) in the federal state of Bavaria, (3) in the German state, and (4) in the EU/EEA.

Consequently, location, territory, and their interdependency are defined in the model as follows.

Definition 5.40 (Location) A location $loc$ is defined as a geographical and organisational closed space where specified subjects and objects are located, and $LOC := \{loc_1, \ldots, loc_n\}$ is the set of locations $loc_i$.

Definition 5.41 (Territory) A territory $T$ is defined as a geographical area having its own legislation, and $\mathbb{T} := \{T_1, \ldots, T_n\}$ is the set of territories $T_i$. Further, $loc : \mathbb{T} \to \mathcal{P}(LOC)$ is the function returning the set $LOC_T \subseteq LOC$ of all locations $loc \in LOC_T$ that are geographically located in territory $T$. In addition, $T_{global} \in \mathbb{T}$ with $loc(T_{global}) = LOC$ is defined as the global territory containing all locations, and $T_{local} \in \mathbb{T}$ with $loc(T_{local}) = \emptyset$ is defined as the empty territory containing no location. Then, $\mathbb{T}$ is partially ordered by the $\subseteq$-relation on $loc$ with upper bound $T_{global}$ and lower bound $T_{local}$. Further, $\mathbb{T}$ is finite when modelling real-world systems.

Based on the definition of location and territory, it is possible to define location classes and the information flow allowed between them. For each territory, a location class is defined. Then, a location class corresponds to the ensured level of security within a specific territory. Further, the information flow allowed between location classes depends on the compatibility of their ensured levels of security. In general, the ensured level of security of a territory is compatible with that of another territory only if the legislation of the second territory applies in the first. This is the case only if the first territory is contained in the second territory. For example, the ensured level of security in Germany is compatible with that in the EU/EEA since Germany is a member state of the EU/EEA, and the legislation of the EU/EEA essentially also applies to Germany. On the other hand, the ensured level of security in the EU/EEA does not necessarily have to be compatible with that in Germany, since Germany is not the only member state and German legislation generally does not apply in other member states. This implies that information flow between location classes is allowed only if the territory of the target location class lies in the territory of the source location class. For example, information is allowed to flow from Germany to France if the information is classified to flow within the EU/EEA. Consequently, location classes and the information flow allowed between them are defined as follows.

Definition 5.42 (Location class) A location class ${}^{loc}SC_T$ is defined as the security class corresponding to territory $T \in \mathbb{T}$, and ${}^{loc}SC \subseteq SC$ is defined as the set of location classes ${}^{loc}SC_T$. Also, let ${}^{loc}SC_{global} \in {}^{loc}SC$ be the security class corresponding to the global territory $T_{global}$, and ${}^{loc}SC_{local} \in {}^{loc}SC$ the security class corresponding to the empty territory $T_{local}$. In addition, let $({}^{loc}SC_{T_1} \mapsto {}^{loc}SC_{T_2})$ if and only if $(loc(T_1) \supseteq loc(T_2))$, where $T_1, T_2 \in \mathbb{T}$ and ${}^{loc}SC_{T_1}, {}^{loc}SC_{T_2} \in {}^{loc}SC$ (i.e., information in ${}^{loc}SC_{T_1}$ is allowed to flow to ${}^{loc}SC_{T_2}$ if and only if all locations in territory $T_2$ also lie in territory $T_1$).

For an object or subject, the location class can be interpreted as a boundary of their possible locations. Thereby, it is possible to model the geographical location of subjects and objects.

Further, because territories are finite and partially ordered, it follows that $({}^{loc}SC, \mapsto)$ is also finite and partially ordered, where ${}^{loc}SC_{global}$ is the corresponding lower bound and ${}^{loc}SC_{local}$ is the upper bound. This implies that Denning's Axioms apply to location classes and $({}^{loc}SC, \mapsto, \oplus, \otimes)$ is a lattice.

In addition, $({}^{loc}SC, \mapsto)$ being partially ordered implies that ${}^{\gamma}\Sigma({}^{\gamma}R, D, {}^{\gamma}W, {}^{\gamma}z_0)$ with $SC = {}^{loc}SC$ is a secure system satisfying the general ∗-property (cf. Theorem 5.5). This is made plausible by looking at the general simple-security property (cf. Def. 5.36) and the general ∗-property (cf. Def. 5.37). The general simple-security property defines the allowed information flow from objects to subjects. Information can flow from object $O \in \mathbb{O}$ to subject $S \in \mathbb{S}$ only for the access modes read and write (since viewing the object causes information flow to the subject). Let ${}^{loc}SC_{T_O} \in {}^{loc}SC$ be the security class of $O$ and ${}^{loc}SC_{T_S} \in {}^{loc}SC$ the security class of $S$, with $T_O, T_S \in \mathbb{T}$ being the corresponding territories. Then, according to the definition of location classes, the information flow $({}^{loc}SC_{T_O} \mapsto {}^{loc}SC_{T_S})$ is allowed if and only if $(loc(T_O) \supseteq loc(T_S))$.

This means that information flow is allowed if and only if the possible locations of the object cover the possible locations of the subject. This implies that objects are accessible only by subjects that are based at locations that are also allowed for the object. The object's necessary level of security is therefore satisfied by the subject's ensured level of security. The general ∗-property defines the information flow allowed between objects via subjects and, therefore, the information flow from subjects to objects. Here, the access of a subject to objects is allowed if and only if information is allowed to flow from the objects that are accessed in read and write mode to the objects that are accessed in write and append mode. With respect to location classes, information flow is allowed if and only if the possible locations of the viewed objects cover the possible locations of the modified objects. This implies that the necessary level of security of viewed objects is satisfied by the necessary level of security of modified objects. Consequently, the location classes ${}^{loc}SC$ satisfy the General Security Theorem (cf. Theorem 5.5).

Remark 5.9 (Modelling confidentiality, integrity, and location) Analogously to Remark 5.8, confidentiality, integrity, and location can be modelled at the same time by using combined security classes that are defined as triples of confidentiality, integrity, and location classes:

${}^{c,i,loc}SC \subseteq {}^{c}SC \times {}^{i}SC \times {}^{loc}SC$ with ${}^{c,i,loc}SC_i = ({}^{c}SC_i, {}^{i}SC_i, {}^{loc}SC_i) \in {}^{c,i,loc}SC$, where ${}^{c}SC_i \in {}^{c}SC$, ${}^{i}SC_i \in {}^{i}SC$, and ${}^{loc}SC_i \in {}^{loc}SC$.

Allowed information flow is defined as: ${}^{c,i,loc}SC_1 \mapsto {}^{c,i,loc}SC_2$ if and only if ${}^{c}SC_1 \mapsto {}^{c}SC_2$ and ${}^{i}SC_1 \mapsto {}^{i}SC_2$ and ${}^{loc}SC_1 \mapsto {}^{loc}SC_2$, where ${}^{c,i,loc}SC_1, {}^{c,i,loc}SC_2 \in {}^{c,i,loc}SC$, ${}^{c}SC_1, {}^{c}SC_2 \in {}^{c}SC$, ${}^{i}SC_1, {}^{i}SC_2 \in {}^{i}SC$, and ${}^{loc}SC_1, {}^{loc}SC_2 \in {}^{loc}SC$.

Then, $({}^{c,i,loc}SC, \mapsto)$ is partially ordered and finite (because ${}^{c}SC$, ${}^{i}SC$, and ${}^{loc}SC$ are partially ordered and finite). Therefore, Denning's Axioms apply (cf. Theorem 5.2) and $({}^{c,i,loc}SC, \mapsto, \oplus, \otimes)$ is a lattice with lower bound ${}^{c,i,loc}SC_L = ({}^{c}SC_L, {}^{i}SC_L, {}^{loc}SC_L)$ and upper bound ${}^{c,i,loc}SC_H = ({}^{c}SC_H, {}^{i}SC_H, {}^{loc}SC_H)$.
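The following is an added Python model of Definitions 5.40 to 5.42, the location-class checks behind the simple-security and ∗-properties, and the combined triples of Remark 5.9; it is example code, not the dissertation's own. The territory hierarchy follows the Passau/Bavaria/Germany/EU example in the text, the hosting-site names are constructed, and the confidentiality and integrity orderings it assumes are the usual upward (confidentiality) and downward (integrity) flows, which this page does not define.

```python
from itertools import product
from typing import Dict, FrozenSet, Tuple

# Constructed sample of loc: T -> P(LOC), keyed by territory name. Hosting
# sites are invented; the containment chain mirrors the text's Passau example.
LOC: FrozenSet[str] = frozenset({"passau", "munich", "berlin", "paris", "boston"})
TERR: Dict[str, FrozenSet[str]] = {
    "T_global": LOC,                                        # loc(T_global) = LOC
    "EU/EEA":   frozenset({"passau", "munich", "berlin", "paris"}),
    "Germany":  frozenset({"passau", "munich", "berlin"}),
    "Bavaria":  frozenset({"passau", "munich"}),
    "Passau":   frozenset({"passau"}),
    "France":   frozenset({"paris"}),
    "T_local":  frozenset(),                                # loc(T_local) = {}
}

def loc_flow(t1: str, t2: str) -> bool:
    """locSC_T1 |-> locSC_T2 iff loc(T1) is a superset of loc(T2) (Def. 5.42)."""
    return TERR[t1] >= TERR[t2]

def is_partial_order() -> bool:
    """Reflexive, antisymmetric and transitive on the finite territory set."""
    ts = list(TERR)
    refl = all(loc_flow(a, a) for a in ts)
    anti = all(a == b or not (loc_flow(a, b) and loc_flow(b, a))
               for a, b in product(ts, ts))
    trans = all(not (loc_flow(a, b) and loc_flow(b, c)) or loc_flow(a, c)
                for a, b, c in product(ts, ts, ts))
    return refl and anti and trans

def simple_security(obj_terr: str, subj_terr: str) -> bool:
    """A subject may view (read/write) an object only if the object's
    possible locations cover the subject's possible locations."""
    return loc_flow(obj_terr, subj_terr)

def star_property(viewed: Tuple[str, ...], modified: Tuple[str, ...]) -> bool:
    """Every viewed object's territory must cover every modified object's."""
    return all(loc_flow(v, m) for v in viewed for m in modified)

# Remark 5.9: combined class = (confidentiality level, integrity level, territory).
# Assumed orderings (not defined on this page): confidentiality may only flow to
# an equal or higher level; integrity may only flow to an equal or lower level.
CILocClass = Tuple[int, int, str]

def combined_flow(a: CILocClass, b: CILocClass) -> bool:
    """(c,i,loc)SC_1 |-> (c,i,loc)SC_2 iff all three component flows are allowed."""
    c1, i1, l1 = a
    c2, i2, l2 = b
    return c1 <= c2 and i1 >= i2 and loc_flow(l1, l2)
```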