This paper extends mandatory access controls to meet multi-organizational commercial security requirements. It defines a universal access class that can represent the security needs of two or more independent organizations that may be cooperating on a joint proprietary project. It can distinguish information that is proprietary to each of the organizations and information that is shared between these organizations, but must remain secret from all others. The paper shows how the current way the US Department of Defense (DoD) and Department of Energy (DoE) share classified information does not sufficiently generalize for the commercial world. By contrast, the new universal access class scheme can adequately model both the commercial world and the requirements of the DoD and DoE.
By: Paul A. Karger
Published in: RC21673 in 2000
LIMITED DISTRIBUTION NOTICE:
This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.
Questions about this service can be mailed to reports@us.ibm.com .