Multilevel Security - "There Is No Such Thing As MLS"

"There Is No Such Thing As MLS"

With the decline in COMPUSEC experts, more laypersons who are not COMPUSEC-astute are designing secure computing systems and are mistakenly drawing this conclusion because the term MLS is being overloaded. These two uses are: MLS as a processing environment vs MLS as a capability. The false conclusion is based on a belief that since no products are certified to operate in an MLS environment or mode, that the MLS as a capability does not exist. One does not imply the other. Many systems operate in an environment containing data that has unequal security levels and therefore is MLS by the Computer Security Intermediate Value Theorem (CS-IVT). The consequence of this confusion runs deeper.

Laypersons often conclude that to admit that a system operates in an MLS environment (environment-centric meaning of MLS) is to be backed into the perceived corner of having a problem with no MLS solution (capability-centric meaning of MLS). MLS is deceptively complex and just because simple solutions are not obvious does not justify a conclusion that they do not exist. This can lead to a crippling ignorance about COMPUSEC that manifests itself as whispers that "one can not talk about MLS," and "There's no such thing as MLS." These MLS-denial schemes change so rapidly that they cannot be addressed. Instead, it is important to clarify the distinction between MLS-environment and MLS-capable.

• MLS as a security environment or security mode: A community whose users have differing security clearances may perceive MLS as a data-sharing capability: users can share information with recipients whose clearance allows receipt of that information. A system is operating in MLS Mode when it has (or could have) connectivity to a destination that is cleared to a lower security level than any of the data the MLS system contains. This is formalized in the CS-IVT. Determination of security mode of a system depends entirely on the system's security environment; the classification of data it contains, the clearance of those who can get direct or indirect access to the system or its outputs or signals, and the system's connectivity and ports to other systems. Security mode is independent of capabilities, although a system should not be operated in a mode for which it is not worthy of trust.

• MLS as a capability: Developers of products or systems intended to allow MLS data sharing tend to loosely perceive it in terms of a capability to enforce data-sharing restrictions or a security policy, like mechanisms that enforce the Bell–LaPadula model. A system is MLS-capable if it can be shown to robustly implement a security policy.

The original use of the term MLS applied to the security environment, or mode. One solution to this confusion is to retain the original definition of MLS and be specific about MLS-capable when that context is used.