SECURITY FOR NEXT GENERATION HYPERTEXT SYSTEMS


Hypermedia, Vol. 6, No. 1, Taylor Graham Publ., London, 1994, pp

DIETER MERKL, GÜNTHER PERNUL
Universität Wien, Institut für Angewandte Informatik und Informationssysteme
Liebiggasse 4/3-4, A-1010 Wien, Austria
{merkl

ABSTRACT. This paper concerns the need for enhancing hypertext systems with security protection. We identify the elements of hypertext models which must be subject to security control. Main attention is directed toward hypertext and access control, preventing the stored information from unauthorized disclosure or modification. From the class of known security models we consider the Discretionary Models, the Mandatory Models, the Personal Knowledge Approach, and the Clark and Wilson Model as candidates for the underlying security paradigm of hypertext systems. The security techniques considered originate from emphasizing different goals: Discretionary Models try to assign access privileges to users, Mandatory Models try to keep secrets, the Personal Knowledge Approach focuses on enforcing the constitutional right of informational self-determination of humans, and the Clark and Wilson Model tries to adapt common commercial security practice to computerized systems. The applicability of these security models to hypertext is discussed and their pros and cons are outlined.

1. INTRODUCTION

As long as hypertext systems keep being small applications with a very small group of users, we are not forced to investigate the security problems that arise in editing and using hypertext systems. Yet, since these systems are expected to grow both in terms of stored information items and users, we face at least two types of problems worth mentioning. First, there is the need for user assistance to keep track while navigating through hyperspace, and second, we have to protect the information units from loss, unauthorized access, destruction, use, modification or disclosure.

Whereas the first problem has gained wide attention in the community (consult for example (1), (2), (3), (4), (5), to name but a few), the second problem has not found an appropriate forum so far. Nevertheless, it is the authors' opinion that real world hypertext applications do not have a chance for broad acceptance unless they employ some sort of security enforcement, or in other words provide a certain degree of information security. Obviously, this is true not only for hypertext systems, but for information systems in general. With the trend toward multi-user and multi-application hypertext systems and the increasing amount and sensitive nature of the information stored in the system, it is crucial that appropriate security measures be applied to hypertext systems as well. This paper can be seen as a first step toward a secure hypertext system.

To achieve a certain degree of system security, different security models for information systems have been proposed so far. For a brief survey consult (6) and for a detailed annotated bibliography (7). It is the purpose of this paper to review and briefly describe their structure and to apply the most prominent among them as the underlying security paradigm to a hypertext reference model.

To give an idea of security and related needs that may occur in hypertext systems, we discuss in the following some application domains well suited for hypertext systems.

Technical Manual. From a security point of view, technical manuals often have high requirements on the protection of the stored information. The situation can be described as having one manual for a heterogeneous group of users. The information one single user shall get from the manual heavily depends on the role the user has to perform in the organization. Information that is not necessary to fulfill her/his role should be hidden. Generally, the more sensitive the information is, the more restrictive must be the access. As an example consider the manual of an aircraft: information about the navigation unit must not be accessible to the personnel whose duty is, for example, to check the seat belts, although the information about the navigation unit and the proper functioning of seat belts may be contents of the same hypertext information system.

Encyclopedia Books. It is common practice with printed encyclopedia books that the more the client pays, the more information is offered. A similar practice can be employed with electronic books via a security or authorization policy. The more the user pays for the system, the more information trails are made available by the information provider.

Business Information Systems. Consider a common business information system for a heterogeneous group of potential users. The system may cover information for clients, visitors, the security staff of the building, and the management as well. Evidently, instead of revealing all the information available to each user, the aim of such a system is to supply a particular group of users with only a fraction of the stored information. The amount of information offered may depend on the role the user is currently acting in.

Legal Requirements. An additional impetus for security in hypertext systems emerges from the legal requirements of many countries stating how stored information about humans has to be handled in order to protect the privacy of individuals. A number of countries have privacy legislation, although the various laws may differ. In order to build a framework, common principles were adopted by the member nations of the Organization for Economic Cooperation and Development (OECD).

Summarizing the need for security in hypertext systems, it is obvious that with larger hypertext systems (both in terms of the heterogeneity of the users and the number of stored information items) these systems have to give the authors the opportunity to express their security requirements on the data they store in the system. Yet, of course, since the potential application areas for hypertext systems are not homogeneous in the sense of the sensitivity of the stored information items, there may be different security models applicable to hypertext systems. In general, the goal of a hypertext security model must be to offer an opportunity for information providers to specify and to restrict access to the stored information to those users and processes which have appropriate permission. The information in the system may therefore appear different to users performing different roles in the organization. This is due to the fact that a single user may only be aware of a subset of the stored information, namely the information which she/he is permitted to access. In contrast, if all users had the same privileges and rights, there would be no need for security control in hypertext systems.

The outline of this paper is as follows: In Section 2 we introduce the building blocks of hypertext systems and define a hypertext reference model. In Section 3 we investigate the applicability of security models to hypertext systems. The pros and cons of these models are discussed. Finally, Section 4 contains the conclusion and incites further research and development.

2. A FRAMEWORK FOR HYPERTEXT SECURITY

In general, information security is a very broad topic and entails such things as moral issues imposed by public and society, legal issues where control is legislated over the collection and disclosure of information, or more technical issues such as how to protect the stored information from loss, unauthorized access, destruction, use, modification, or disclosure. The security features of the system are based on a certain security model and have to enforce the security requirements of the application. This paper is not intended to take such a broad perspective of information system security. Instead of covering the whole area, the main focus is directed toward authorization policies. Pragmatically speaking, authorization specifies a set of rules of who has which type of access rights to what part of the information stored in the system, thus covering disclosure and modification of information by users. Before we can move to a more detailed discussion of access control in hypertext systems we will define the basic vocabulary used in the subsequent sections of this paper.

2.1. BUILDING BLOCKS OF HYPERTEXT SYSTEMS

Node. A node is the basic structure for storing information in a hypertext system. Typically a hypertext system consists of a number of interconnected nodes. If the contents of the nodes consist exclusively of text one speaks of hypertext systems. If a node contains any sort of manageable media (e.g. text, sound, graphics, animation, music) one speaks of hypermedia systems. Depending on the implementation of the system a node may or may not be titled.

Link. A link enables the connection between the nodes of the hypertext system. Each node may be connected to one or more other nodes by links. They open the possibility to move from one node to others. Usually a link starts at a distinct point within a node (this point is called the source of the link) and targets another node as a whole. The sources of links are often referred to as buttons. A usual way of moving from one node to another is by mouse-clicking on link buttons. The information stored in the referred node is then presented in a new window on the screen. In analogy to nodes, depending on the implementation of the system the links may or may not be titled.

Graph. A hypertext graph is the sum of all hypertext nodes connected with hypertext links.

Web. Usually one user is not interested in (or not authorized for) all the information stored in the hypertext system. Therefore the information has to be structured into nodes and regions covering similar information. Such regions are referred to as webs. Obviously, webs form subsets of the entire hypertext graph. Any one node may belong to several webs.

Path. During the work with a hypertext system the nodes are accessed in a linear sequence. This sequence represents the path a user has taken through the hypertext graph.

Fig. 1 contains examples for the building blocks of hypertext systems as described above. The hypertext graph consists of eight interconnected nodes, labeled node 1 through node 8, respectively. Nodes node 2 through node 5 as well as node 8 belong to the same web. A user is supposed to have taken the following path while browsing through the hypertext graph: at the beginning the user has seen node 1, then has continued the search at node 7, and so on until finally reaching node 4. In the figure the path is visualized using bold arrows for the links and bold boxes for the nodes the user has accessed during browsing.

[Fig. 1: Basic elements of hypertext systems. The figure shows the hypertext graph (node 1 through node 8), the web formed by node 2 through node 5 and node 8, the links, and the user's path.]

2.2. A HYPERTEXT REFERENCE MODEL

In order to keep the following survey of potential security models for hypertext systems as general as possible we have to relate our investigation to a hypertext reference model. The reference model consists of a set of nodes N, a set of links L, and a set of webs W representing semantically related nodes. Each of the nodes contains a certain amount of stored information. The nodes are atoms in the sense that a user cannot access only a fraction of a node. Apart from the stored information a node may contain a set of keywords describing its contents (i.e. some sort of meta-information). For a more detailed description of hypertext models and systems consult (8), (9), or (10).

With the help of the links it is possible to build a directed connection between pairs of nodes. Each link starts at a distinct point within a node (i.e. the source) and targets another node as a whole. Thus, the set of nodes together with the set of links forms a directed graph.

The user is offered two distinct facilities to retrieve information from the hypertext system. First, it is possible to follow chains of links from one node to others. Second, the user has the opportunity to move directly to a node by querying the system with a set of keywords connected by Boolean operators describing the information needs of the user. As a result of the search the set of matching nodes is displayed to the user. Obviously, this resembles the way information can be obtained from conventional information retrieval systems.

Only a particular set of users (i.e. system administrators) is allowed to delete nodes, certain users may add new information or may modify existing information, while each user is permitted to establish new links. Emphasizing the users of a hypertext system, we are faced with the fact that users can be classified within different categories depending on their information needs. Information security requirements are supposed to differ between the different categories of users. In this sense, in a hypertext system security control addresses at least the following issues:

- different types of access (e.g. read, delete, modify, add)
- sets of heterogeneous users
- different hypertext concepts (e.g. nodes, links, webs)

In the following, the article surveys some intuitive approaches to security control in hypertext systems. The approaches are influenced by security techniques that are already implemented or at least discussed in the context of conventional information systems.

3. EXTENDING HYPERTEXT WITH SECURITY CONTROL

Information security requires a mechanism to restrict the access of certain users to a particular subset of the information available in a computerized system. As we consider in our study a multi-user environment, access to information must be based on the identity of the accessing users. In the subsequent sections we assume the following system architecture: The hypertext system runs on top of a general purpose multi-user operating system. The operating system is responsible for the identification, authentication and auditing of actions operating on behalf of the users. If these security checks are passed properly, we consider the corresponding user as being authorized to access at least a subset of the information available in the hypertext system. However, it is the task of the security module of a hypertext system to protect the information that is not contained in this subset.

3.1. DISCRETIONARY HYPERTEXT SECURITY

Discretionary security models are stated in terms of a set of security objects O, a set of security subjects S, a set of access privileges T defining the kind of access a subject has to a certain object, and a set of predicates P in order to represent content-based access rules. For a detailed study of discretionary controls consult (11) and for recent developments and open issues see (12).

Discretionary hypertext security may be described by relations <O, S, T, P>. In this notation, O is the hypertext graph, S is the set of possible security subjects, T represents the different access types, and P is a set of predicates. An object o ∈ O is either a node, a link, or a web. A subject s ∈ S may either be a user, a group of users, or a transaction (e.g. query) operating on behalf of a user. The set of access privileges T is identical with the set of potential operations such as access (accessing the contents of an object o ∈ O in read-only mode), insert (augmenting the hypertext graph with new objects), delete (dropping objects), update (changing the contents of existing objects), grant (granting own privileges to others), and revoke (taking away previously granted access privileges). A predicate p ∈ P defines the view of a subject s ∈ S on the content of the hypertext graph. The tuple <o, s, t, p> is called an access rule, and a function f is defined to determine whether an authorization f(o, s, t, p) is valid or not:

f: O × S × T × P → {True, False}

For any tuple <o, s, t, p>, if f(o, s, t, p) evaluates to True, then subject s has privilege t (t ∈ T) to access an object o of the hypertext graph O within the range defined by predicate p.

An important property of discretionary security models is the support of the delegation of rights, where a right is defined as the (o, t, p)-portion of the access rule. A subject s_i ∈ S who holds the right (o, t, p) may be allowed to delegate that right to another subject s_j ∈ S (i ≠ j).

As a consequence of discretionary access control, different webs as subsets of the global hypertext network are imposed. Please note that the notion of webs in this case denotes the fact that different users see different parts of the hypertext graph. This does not imply that the different parts (i.e. subsets of the hypertext graph) consist of semantically related nodes only. Within a web, different privileges may exist. Regarding only the access and update privileges, discretionary access control and the concept of webs in this model are comparable to the notion of webs in the Intermedia hypertext system (for a description of Intermedia see (13)). By evaluating the set of predicates assigned to each security subject, the users can be forced to act exclusively within the subset of information described by the predicates. By stating 'read-only' privileges, users can be prevented from updating or deleting information they are authorized to access.

Discretionary access control has its main advantage in being very flexible in supporting the users with different views (i.e. access windows) on the information contained in the hypertext system. The information (nodes, links, as well as webs) a particular user is not authorized to access can be filtered out from the hypertext graph easily by means of predicates.
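The following is an added Python illustration of the discretionary model <O, S, T, P> described above; it is not code from the paper. It implements f(o, s, t, p) with content-based predicates (the aircraft-manual view of Section 1), records the grantor of every access rule, and then plays through the two limitations discussed in the rest of this section: the copy-and-regrant flaw of delegated ownership and the four grant/revoke operations of Fig. 2. All subjects, nodes and keywords are constructed sample data; links and webs as objects are omitted for brevity.

```python
"""Discretionary hypertext security <O, S, T, P>: an added illustration, not the paper's code.
Objects are nodes only (links and webs omitted for brevity); predicates are Python callables
over a node's content; every grant records its grantor so a revoke removes only that grantor's
rule. Subjects 'admin', 's1'.. and the aircraft-manual nodes are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

@dataclass(frozen=True)
class Node:
    name: str
    text: str
    keywords: FrozenSet[str] = frozenset()   # meta-information describing the contents

Predicate = Callable[[Node], bool]

def any_content(node: Node) -> bool:
    """Predicate p placing no content-based restriction on the view."""
    return True

class DacHypertext:
    PRIVILEGES = ("access", "delete", "update")   # node-level privileges t in T

    def __init__(self, inserters: Set[str]) -> None:
        self.nodes: Dict[str, Node] = {}
        self.inserters = set(inserters)       # holders of the graph-level 'insert' privilege
        # (o, s, t) -> {grantor: p}: one access rule <o, s, t, p> per grantor
        self.rules: Dict[Tuple[str, str, str], Dict[str, Predicate]] = {}

    def f(self, o: str, s: str, t: str) -> bool:
        """f(o, s, t, p): True if some rule for (o, s, t) has a predicate satisfied by o."""
        node = self.nodes.get(o)
        if node is None:
            return False
        return any(p(node) for p in self.rules.get((o, s, t), {}).values())

    def web(self, s: str) -> FrozenSet[str]:
        """The subset of the graph that s may access: the subject's view, or web."""
        return frozenset(o for o in self.nodes if self.f(o, s, "access"))

    def insert(self, creator: str, node: Node) -> None:
        """Ownership: the creator of an information item receives every privilege on it."""
        if creator not in self.inserters:
            raise PermissionError(f"{creator} holds no insert privilege")
        if node.name in self.nodes:
            raise ValueError(f"node {node.name} already exists")
        self.nodes[node.name] = node
        for t in self.PRIVILEGES:
            self.rules.setdefault((node.name, creator, t), {})["<owner>"] = any_content

    def grant(self, grantor: str, o: str, s: str, t: str, p: Predicate = any_content) -> None:
        """Delegation of rights: whoever holds (o, t, p) may pass the right on to others."""
        if not self.f(o, grantor, t):
            raise PermissionError(f"{grantor} does not hold ({o}, {t})")
        self.rules.setdefault((o, s, t), {})[grantor] = p

    def revoke(self, revoker: str, o: str, s: str, t: str) -> None:
        """Removes only the rule this revoker entered; rules from other grantors survive."""
        self.rules.get((o, s, t), {}).pop(revoker, None)

    def copy_node(self, s: str, o: str, new_name: str) -> None:
        """Access on o plus the insert privilege lets s create a copy that s owns."""
        if not self.f(o, s, "access"):
            raise PermissionError(f"{s} may not access {o}")
        self.insert(s, Node(new_name, self.nodes[o].text, self.nodes[o].keywords))

def predicate_view_demo() -> Tuple[bool, bool]:
    """Aircraft manual: cabin crew may read the seat-belt node but not the navigation node."""
    h = DacHypertext(inserters={"admin"})
    h.insert("admin", Node("nav", "navigation unit schematics", frozenset({"navigation"})))
    h.insert("admin", Node("belts", "seat belt checklist", frozenset({"cabin"})))
    not_navigation: Predicate = lambda n: "navigation" not in n.keywords
    for o in ("nav", "belts"):
        h.grant("admin", o, "cabin_crew", "access", not_navigation)
    return h.f("belts", "cabin_crew", "access"), h.f("nav", "cabin_crew", "access")

def copy_flaw_demo() -> Tuple[bool, bool]:
    """s1 (access on 'nav', may insert) copies the node and grants the copy to s2."""
    h = DacHypertext(inserters={"admin", "s1"})
    h.insert("admin", Node("nav", "navigation unit schematics", frozenset({"navigation"})))
    h.grant("admin", "nav", "s1", "access")
    h.copy_node("s1", "nav", "nav_copy")       # s1 owns the copy ...
    h.grant("s1", "nav_copy", "s2", "access")   # ... so s1 may grant it; admin is not consulted
    return h.f("nav", "s2", "access"), h.f("nav_copy", "s2", "access")

def cascading_revocation_demo() -> bool:
    """The four operations of Fig. 2: s3 keeps access after s2's revoke, via s1's grant."""
    h = DacHypertext(inserters={"s1"})
    h.insert("s1", Node("o", "object o"))
    h.grant("s1", "o", "s2", "access")     # (1)
    h.grant("s2", "o", "s3", "access")     # (2)
    h.grant("s1", "o", "s3", "access")     # (3)
    h.revoke("s2", "o", "s3", "access")    # (4)
    return h.f("o", "s3", "access")
```

Because every rule is keyed by its grantor, the model shows exactly why s2's revoke in Fig. 2 leaves (o, s3, t, p) in effect, and why the enterprise cannot stop s1 from re-granting a copied node.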
However, we feel that discretionary controls cannot be applied as the underlying protection system to hypertext without modification. In particular we see two stringent limitations which are both due to the principle of delegation of rights:

Users enforce the security policy. Discretionary access control is based on the concept of ownership of information. In such a model the ownership of information is assigned to the creator of the information items. The creator subject is allowed to grant access to others. This is in contrast to enterprise models where the whole enterprise is the owner of information and responsible for granting access to stored data. The direct consequence of this fact is the inconvenience that the burden of enforcing the security policy of the enterprise lies with the users themselves and cannot be controlled by the enterprise without involving high costs. Thus, discretionary access controls are not suitable for applications where security is of main concern. As an example of a possible security flaw, consider an authorized user s_1 with the privileges of accessing a certain node and inserting new nodes. Assume s_1 copies the information contained in this node and makes the copy available to another user s_2 who may not be authorized to access the contents of the original node. This is possible because the system considers s_1 as the 'owner' of the information stored in the copied node and thus s_1 automatically possesses the right to grant access to the new node to s_2. Discretionary models cannot prevent this flaw because they adhere to the principle of delegation of rights.

Cascading authorization. The case where two or more subjects have the privilege of granting or revoking certain access rules to other subjects may lead to cascading revocation chains. As an example consider the situation given in Fig. 2. Here, subjects s_1, s_2, s_3 and the access rule (o, s_1, t, p) are outlined. Subject s_2 receives the privilege (o, t, p) from s_1 and grants the access rule to s_3. Later, s_1 grants (o, t, p) again to s_3, but s_2 revokes (o, t, p) from s_3. The effect of these operations is that s_3 still has the authorization (from s_1) to access object o of the hypertext graph O by satisfying predicate p and using privilege t, even though subject s_2 has revoked it. As a consequence subject s_2 might not be aware of the fact that the authorization (o, s_3, t, p) is still in effect.

[Fig. 2: Cascading revocation chains. Subject level: s_1, s_2, s_3; object level: o. Operations: (1) s_1: grant(o,t,p) to s_2; (2) s_2: grant(o,t,p) to s_3; (3) s_1: grant(o,t,p) to s_3; (4) s_2: revoke(o,t,p) from s_3.]

3.2. MANDATORY HYPERTEXT SECURITY

While discretionary models are more concerned with defining, modelling, and enforcing access to information, mandatory security models are in addition concerned with the flow of information within a system. Mandatory security is stated in terms of security objects O, security subjects S, and a lattice of security levels. Similar to discretionary security, the objects represent the stored information and the subjects are the users or the processes operating on behalf of the users. Mandatory security requires that objects and subjects be assigned to certain security levels represented by a label. The label for an object o ∈ O is called its classification, class(o), whereas the label for a subject s ∈ S is called its clearance, clear(s). The classification represents the sensitivity of the labelled information while the clearance mirrors the trustworthiness of a subject not to disclose sensitive information to others. A security label consists of two components: a sensitivity level out of a hierarchical list (e.g. unclassified, classified, secret, top secret) and a category out of a set of categories. Thus, the set of security labels is partially ordered and forms a class lattice.

Mandatory security as developed by Bell and LaPadula (14) in the early 1970's is perhaps the best known and most widely accepted model to serve as the basis for security control in computerized systems with high security needs. The Bell and LaPadula model states the security requirements in terms of a simple security property and a *-property. In this paper we consider a slightly modified version of the original *-property, the so-called restricted *-property. The first rule (i.e. simple security property) protects the information from unauthorized disclosure, and the second (i.e. *-property) protects data from contamination or unauthorized modification by restricting the information flow from higher to lower trusted subjects.

(1) Subject s is allowed to read item o if clear(s) ≥ class(o).
(2) Subject s is allowed to write o if class(o) = clear(s).

The simple security property provides that no subject can read an information item unless the current security level of the subject dominates the security level of the object. This is also known as the read-up restriction. The *-property deals with the problem of unauthorized information flow.
A subject is prevented from writing information into an object with a lower security level than the subject's clearance (clear(s) > class(o)), which would give other users access to information they are not intended to have. This is also known as the write-down restriction. For a more detailed study on the mandatory security model consult (15) or (16).

Mandatory security grew out of the military environment where it is common practice to classify both users and information with different sensitivity or security levels. In this environment, security labels like 'unclassified', 'classified', 'secret', or 'top secret' are typically found. Although labelling of information is common in many large business organizations (there, the labels are similarly termed: 'confidential', 'company confidential', etc.), mandatory systems suffer from their inability to properly represent the variety and nature of the social roles of users in the lattice structure of security labels. To overcome this and other limitations, several extensions of the basic lattice structure model have been proposed so far (for example see (6), (7), and (15)). It is the objective of further research to investigate their applicability to hypertext systems. In this paper we limit ourselves to the original mandatory security model as described above.

Applying mandatory security to hypertext, the set of nodes containing the information and the set of links forming the paths to the information are subject to security classification, while the set of users is subject to certain security clearances. We suggest that each link inherits the highest security label from the connected nodes to ensure consistency of the labelled objects. Since our hypertext reference model allows the retrieval of information either by navigating through information by means of the predefined paths or by using the querying facilities, it is necessary to assign nodes as well as links to security labels.
By using the query facilities of the system, mandatory access control can filter out all nodes that are referenced by the user-supplied query but labelled at a classification level higher than the clearance of the user. By using predefined paths and the technique of navigating between the different nodes in the hypertext graph, mandatory access controls can be used to hide higher classified nodes and links from a particular user. More generally, a mandatory hypertext security model divides the information available into distinct and separate areas. A user may only access data within an area at a specified security level. Security levels are usually considered as being static, and changes of the secrecy of the labelled information may not occur frequently. Should downgrading or upgrading of the secrecy of information be required, it can only be performed by an authorized security officer.

In comparison with discretionary access control, one of the main advantages of mandatory security systems is that they assume the ownership of information by a central authority. This person is responsible for carefully analyzing the information and assigning corresponding security classifications. This overcomes the limitations inherent in discretionary systems which are due to the principle of delegation of rights.

We see a considerable potential for mandatory protection in hypertext systems. In case a hypertext system is considered rather for retrieving than for updating information, a restricted version of mandatory security control may be sufficient. In this restricted version the main emphasis should be given to controlling the read access of the users, i.e. the unauthorized disclosure of information. In such an environment, information flow control by using the *-property might not be necessary.

An interesting optional feature of mandatory security is that it may lead to polyinstantiation. Polyinstantiation is the simultaneous existence of multiple information instances referring to the same real world concept but differing by their classification level and by their contents.
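As an added Python illustration (not the paper's code), the following puts the lattice of labels, the two access rules, the link-labelling convention and the query filter described above into one model, and applies them to the polyinstantiated network of Fig. 3 later in this section. The node labels of Fig. 3 are taken from the paper; the links between the nodes, the node contents and the keywords are assumptions, since the figure itself is not reproduced here.

```python
"""Mandatory hypertext security (Bell-LaPadula, restricted *-property): an added illustration,
not the paper's code. Labels (level, categories) form a lattice; a link inherits the least
upper bound of its two nodes' labels; node instances sharing one real-world concept are
polyinstantiated. Fig. 3 node labels are the paper's; links, texts, keywords are assumed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

LEVELS = {"UC": 0, "C": 1, "S": 2, "TS": 3}   # unclassified < classified < secret < top secret

@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and a superset of the categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the 'highest' label a link inherits from the nodes it connects."""
        top = self if LEVELS[self.level] >= LEVELS[other.level] else other
        return Label(top.level, self.categories | other.categories)

@dataclass(frozen=True)
class Node:
    name: str
    concept: str          # real-world concept; polyinstantiated nodes share it
    label: Label          # class(o)
    text: str
    keywords: FrozenSet[str] = frozenset()

class MacHypertext:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}          # classified by the security officer
        self.links: List[Tuple[str, str]] = []

    def link_label(self, src: str, dst: str) -> Label:
        return self.nodes[src].label.join(self.nodes[dst].label)

    def can_read(self, clear: Label, o: str) -> bool:
        """Simple security property (no read-up): clear(s) >= class(o)."""
        return clear.dominates(self.nodes[o].label)

    def can_write(self, clear: Label, o: str) -> bool:
        """Restricted *-property (no write-down): class(o) = clear(s)."""
        return self.nodes[o].label == clear

    def query(self, clear: Label, keywords: FrozenSet[str]) -> List[str]:
        """Keyword retrieval; nodes classified above the clearance are filtered out."""
        return sorted(n.name for n in self.nodes.values()
                      if n.keywords & keywords and self.can_read(clear, n.name))

    def visible_links(self, clear: Label) -> List[Tuple[str, str]]:
        """Navigation: a link is shown only if its inherited label is dominated by clear(s)."""
        return [(s, d) for s, d in self.links if clear.dominates(self.link_label(s, d))]

    def instance_of(self, clear: Label, concept: str) -> Optional[Node]:
        """Highest readable instance of a concept (low-cleared users get the cover story)."""
        readable = [n for n in self.nodes.values()
                    if n.concept == concept and self.can_read(clear, n.name)]
        return max(readable, key=lambda n: LEVELS[n.label.level], default=None)

    def insert(self, clear: Label, node: Node) -> bool:
        """Users insert at their own level. Returns True when the concept already exists
        above the clearance, so the insert polyinstantiates it (the user is not told)."""
        if node.label != clear:
            raise PermissionError("nodes are inserted at the inserting user's clearance")
        same = [n for n in self.nodes.values() if n.concept == node.concept]
        if node.name in self.nodes or any(n.label == clear for n in same):
            raise ValueError("already described at this level: update the existing node")
        self.nodes[node.name] = node
        return any(not clear.dominates(n.label) for n in same)

UC, C = Label("UC"), Label("C")

def fig3() -> MacHypertext:
    """Network of Fig. 3: node5 (C) and node5' (UC) are one polyinstantiated concept."""
    h = MacHypertext()
    for name, lab, concept, kw in [
            ("node1", UC, "node1", "overview"), ("node2", UC, "node2", "cabin"),
            ("node3", UC, "node3", "seats"), ("node4", C, "node4", "avionics"),
            ("node5", C, "navigation unit", "navigation"),
            ("node5'", UC, "navigation unit", "navigation"),    # cover story
            ("node6", C, "node6", "avionics"), ("node7", UC, "node7", "belts")]:
        h.nodes[name] = Node(name, concept, lab, f"{name} contents", frozenset({kw}))
    h.links = [("node1", "node2"), ("node1", "node4"), ("node2", "node3"), ("node2", "node5'"),
               ("node3", "node7"), ("node4", "node6"), ("node6", "node5")]   # assumed
    return h

def insert_demo() -> Tuple[bool, str, str]:
    """s_UC inserts about a concept s_C already described: polyinstantiate, do not reveal."""
    h = fig3()
    h.insert(C, Node("engine", "engine", C, "engine details", frozenset({"engine"})))
    poly = h.insert(UC, Node("engine'", "engine", UC, "engine notes", frozenset({"engine"})))
    return poly, h.instance_of(UC, "engine").name, h.instance_of(C, "engine").name
```

With these (assumed) links, a UC user querying for 'navigation' is shown only the cover story node5' and sees four links, while a C user sees both instances and all seven links; the same filter hides the classified branch node1 to node4 to node6 to node5 during navigation.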
As an example, consider a hypertext system containing technical information about an aircraft. Suppose each of the potential users knows that all the knowledge and technical information about the type of aircraft under consideration is stored in the system. Furthermore, assume that the security policy of the manufacturer requires the information regarding the navigation unit to be considered as 'top secret'. From a security point of view it is sometimes not enough to simply hide part of the available information from insufficiently cleared users, since from knowing that the information is stored in the system but without having access to it, the users can infer that sensitive information they are not authorized to access must exist. A hypertext system supporting the security requirement that users should not be able to infer information from the knowledge of certain facts must support polyinstantiation of hypertext nodes. The situation described above can be solved by introducing a second node n' for an existing node n. Both nodes, n and n', refer to the same real world object (i.e. in our example to the navigation unit) but contain different information and have a different security classification. In this example, node n' will contain restricted information on the navigation unit (even wrong information may be stored intentionally) and is usually called the cover story of node n. Node n will contain the proper information available about the real world object and will have a classification that dominates the security level of node n'.

In hypertext systems where users are responsible for extending the system by further nodes, polyinstantiation of information units may also become necessary. Consider the case where a user tries to insert a node into a hypertext graph referring to a real world concept already present in the system but classified above the user's clearance.
In this case the user does not know that this concept has already been described in the system. The system has to perform the insert operation and has to polyinstantiate the information. The reason for having to do this, of course, is the policy that the user must not be told that there is information contained in the system which she/he is not authorized to see. The requirement for polyinstantiation of information units was first considered for operating systems supporting mandatory security, later adopted for databases, and may also have some potential when mandatory security is applied to hypertext systems.

Fig. 3 contains an example of a hypertext network in a system supporting mandatory access controls. For the sake of simplicity, we only consider two different security levels in this example: classified (C) and unclassified (UC). For a user with a clearance of UC only the hypertext links visualized as full lines and the nodes drawn as full boxes are visible when browsing through hyperspace. In contrast, a user with a clearance of C may in addition browse along the dashed links and as a consequence access the dashed boxed nodes. Nodes node 5 and node 5' are an example of polyinstantiation where users s_C and s_UC (the indices denote the clearances of the users) are not supplied with the same contents of the node. As explained above, this situation may have arisen because there is a need to supply users s_UC with a cover story only, or because s_UC has inserted a node with information referring to a real world object already present in the system but classified above the user's clearance. In this example, and because of the read access rule, users s_C have access to both nodes, node 5 and node 5'.

[Fig. 3: Hypertext network with polyinstantiated nodes. Node labels: node 1 UC, node 2 UC, node 3 UC, node 4 C, node 5 C, node 5' UC, node 6 C, node 7 UC.]

3.3. OTHER APPROACHES

In this section we concentrate on two different approaches to information security. These are the Clark and Wilson Model and the Personal Knowledge Approach. Both security models have gained considerable importance in the field of information security but may only have their potential for special purpose hypertext systems.
Fundamental for both approaches is the concept of role-based security, where authorization depends on the role a user performs in the organization. This is in contrast to the approaches to security described previously, where authorization is based on the users' identity. The following contains our interpretation of the two models.

11 THE CLARK AND WILSON MODEL The Clark and Wilson approach (17) to security originates from a comparison between military (mostly following the mandatory security paradigm) and commercial security requirements and the findings that these requirements are not directly compatible. The main concern of the Clark and Wilson Model is to identify security requirements for commercial information systems and to provide strategies to meet these requirements. In mandatory security main attention is directed toward the flow of classified information within the organization and among the users. Thus, in such an environment an information system providing a certain degree of security is aimed at regulating the access to information by controlling its flow. In contrast, a considerable part of today's business data processing focuses on preventing vital information from intentional corruption or accidental modification. Thus, Clark and Wilson argue that the primary goal of information security is to enforce the integrity rather than the privacy of the stored information. Violation of the integrity of the stored information may only occur by updating the stored data. Thus, the Clark and Wilson Model is mainly applicable to hypertext systems where the stored information is subject to frequent update operations. In order to achieve information security, the Clark and Wilson Model relies on two basic concepts, namely: Well-formed transactions. A well-formed transaction operates on an assigned set of information items. These transactions need to be formally verified assuring that all relevant security and integrity properties are satisfied. Well-formed transactions are the means to assure that information items are not manipulated arbitrarily but only in constrained ways that preserve or ensure the integrity of the stored information. For hypertext systems a well-formed transaction may only operate on a predefined set of nodes by using a predefined set of links. Separation of duty. 
The principle of separation of duty requires that every operation be divided into several suboperations, each executed by a different person, so that each operation is observed by several persons. This provides the external consistency of the stored information items, i.e. the correspondence between the stored data objects and their counterparts in the real world.

As a consequence, hypertext objects are not necessarily associated with a security level but rather with the set of transactions permitted to manipulate them. Likewise, users are not authorized to read or write certain data items but rather have the authority to execute certain transactions that operate on certain data items.

Concerning well-formed transactions, we find several applications in hypertext systems. Information, for example, should only be retrieved and updated by means of well-formed transactions operating on predefined information items along predefined paths. In addition, a well-formed transaction may only be executed by users who perform a certain role within the organization. We see the main potential of this security policy in so-called 'closed' hypertext systems, where a particular user may only browse along predefined paths. As an example, consider a museum hypertext system in which visitors obtain information only by following completely predefined paths (i.e. guided tours). Because every access must go through a certified well-formed transaction operating on a predefined set of items, a hypertext system adhering to the Clark and Wilson Model cannot offer ad-hoc querying facilities.
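The following Python program is an added example written for this edition, not code from the paper; it shows the two concepts above as a small reference monitor for the museum system just described. The node names, links, roles, user names and transaction names are assumptions made for the illustration. Users hold roles, roles are authorised to execute certified transactions, a tour transaction is bound to a predefined set of nodes and links, an update takes effect only after a different person approves it (separation of duty), and a request naming no certified transaction, such as a free-text search, is refused outright.

```python
"""Clark-Wilson style reference monitor for a 'closed' museum hypertext.

Added example, not code from Merkl and Pernul's paper. Nodes, links, roles,
user names and transaction names are constructed for illustration.
"""
import itertools


class PolicyViolation(Exception):
    """Raised when a request is not a certified transaction run by an authorised role."""


# Constrained data items: node contents and the directed links between nodes.
NODE_TEXT = {
    "entrance": "Welcome to the museum.",
    "egypt": "Old Kingdom artefacts.",
    "greece": "Attic pottery.",
    "rome": "Imperial portraiture.",
    "staff_notes": "Loan agreements; not part of any public tour.",
}
LINKS = {("entrance", "egypt"), ("egypt", "greece"), ("greece", "rome"),
         ("entrance", "staff_notes")}


class Transaction:
    """A certified well-formed transaction: the only way a user may touch nodes.

    `nodes` and `links` are the predefined items it may operate on; everything
    else is out of reach even if the link physically exists in the hypertext."""

    def __init__(self, name, nodes, links=()):
        # Certification: a transaction may only name items that exist.
        if not (set(nodes) <= set(NODE_TEXT) and set(links) <= LINKS):
            raise PolicyViolation(f"certification of {name} failed: unknown node or link")
        self.name, self.nodes, self.links = name, frozenset(nodes), frozenset(links)


# Certified transactions: one guided tour, one edit step and one approval step.
TOUR = Transaction("tour_antiquity", ["entrance", "egypt", "greece", "rome"],
                   [("entrance", "egypt"), ("egypt", "greece"), ("greece", "rome")])
EDIT = Transaction("propose_edit", ["egypt", "greece", "rome"])
APPROVE = Transaction("approve_edit", ["egypt", "greece", "rome"])

# Users are authorised to run transactions through their roles, never to read or
# write nodes directly (the Clark-Wilson triple: user, transaction, data items).
ROLE_TPS = {"visitor": {TOUR}, "curator": {EDIT}, "reviewer": {APPROVE}}
USER_ROLES = {"alice": {"visitor"}, "bob": {"curator"},
              "carol": {"curator", "reviewer"}, "dave": {"reviewer"}}


def authorised(user, tp):
    return any(tp in ROLE_TPS[role] for role in USER_ROLES.get(user, ()))


def browse(user, tour, path):
    """Walk `path` under the guided-tour transaction `tour`; return the node texts.

    Every hop must be one of the tour's predefined links, so the existing link
    entrance -> staff_notes stays unreachable for a visitor."""
    if not authorised(user, tour):
        raise PolicyViolation(f"{user} may not execute {tour.name}")
    if path[0] not in tour.nodes:
        raise PolicyViolation(f"{path[0]} is not part of {tour.name}")
    for hop in zip(path, path[1:]):
        if hop not in tour.links:
            raise PolicyViolation(f"link {hop} is not part of {tour.name}")
    return [NODE_TEXT[node] for node in path]


# Separation of duty: an update becomes visible only after a second, different
# person approves it, even when one person happens to hold both roles.
_pending = {}
_ids = itertools.count(1)


def propose_edit(user, node, new_text):
    if not authorised(user, EDIT) or node not in EDIT.nodes:
        raise PolicyViolation(f"{user} may not propose an edit of {node}")
    edit_id = next(_ids)
    _pending[edit_id] = (user, node, new_text)
    return edit_id


def approve_edit(user, edit_id):
    if not authorised(user, APPROVE) or edit_id not in _pending:
        raise PolicyViolation(f"{user} may not approve edit {edit_id}")
    proposer, node, new_text = _pending[edit_id]
    if proposer == user:
        raise PolicyViolation("separation of duty: proposer may not approve own edit")
    del _pending[edit_id]
    NODE_TEXT[node] = new_text          # the only code path that modifies a node
    return NODE_TEXT[node]


CERTIFIED = {TOUR.name: browse, EDIT.name: propose_edit, APPROVE.name: approve_edit}


def run(user, tp_name, *args):
    """Single entry point of the system: a request that names no certified
    transaction (e.g. a free-text search) is refused before touching any node."""
    if tp_name not in CERTIFIED:
        raise PolicyViolation(f"{tp_name!r} is not a certified transaction")
    return CERTIFIED[tp_name](user, *args)


def refused(fn, *args):
    """True if the reference monitor rejects the call; used for the checks below."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    print(run("alice", "tour_antiquity", TOUR, ["entrance", "egypt", "greece"]))
    print(refused(run, "alice", "search", "pottery"))
```

The point to notice is that carol, who holds both the curator and the reviewer role, still cannot approve her own edit: separation of duty is a property of the transaction pair, not of the role assignment.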

THE PERSONAL KNOWLEDGE APPROACH

The Personal Knowledge Approach (18), (19) focuses on protecting the privacy of individuals by controlling access to stored information. The main goal of this model is to satisfy the right of humans to informational self-determination, as required by the constitutional law of many countries. Informational self-determination can be described as the right of a person to decide whether private information not available to the public may be kept in an information system or not. The Personal Knowledge Approach is built around the concept of a person and her/his knowledge. A person is either a user having access to the information system or an individual about whom information is stored in the system. Each person has a set of authorities and performs a role in the organization. Thus, the main application field of systems supporting this approach to information security are those in which mainly information about humans is stored.

More technically, this approach uses concepts from the object-oriented world and from secure operating systems. In the system a person is represented as an encapsulated object, while the knowledge of a person is a relational database. A person is only aware of information about herself/himself and of her/his relationships to other persons, i.e. her/his acquaintances. This is the only permanent knowledge a person may have; if she/he wants to know something about another person, that person must be asked. The set of acquaintances of a person describes the social environment of the person, i.e. with whom the person may communicate. Communication is performed by means of messages. The receiver of a message responds only if the sender possesses the appropriate authorities and is assigned particular roles in the organization.

For hypertext systems we can interpret this security technique as follows. The Personal Knowledge Approach assumes an active role for the information stored in a system.
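The following Python program is an added example, not code from the paper or from Biskup and Brüggemann's system; it models the message-passing discipline just described, assuming the hypertext reading of the model in which each node is the encapsulated object, the roles a node is acquainted with are declared statically, and following a link requires an authority the user currently holds. Node names, roles, authorities and contents are constructed for the illustration.

```python
"""Personal Knowledge Approach applied to hypertext nodes.

Added example, not code from Merkl and Pernul's paper or from Biskup and
Brueggemann's system. It assumes the hypertext reading of the model: each node
is the encapsulated 'person' object, the roles it is acquainted with are
declared statically, and following a link requires an authority the user
currently holds. Node names, roles, authorities and contents are constructed.
"""


class Refused(Exception):
    """A node does not answer a message it is not prepared to answer."""


class Message:
    """What a user sends to a node: who asks, in which role, with which
    currently assigned authorities, and what is asked for."""

    def __init__(self, sender, role, authorities, request, target=None):
        self.sender, self.role = sender, role
        self.authorities = frozenset(authorities)      # dynamically assigned
        self.request, self.target = request, target    # "read", or "follow" <target>


class Node:
    """Encapsulated node: content and link table are private, the only way in is ask()."""

    def __init__(self, name, content, acquaintances, links):
        self.name = name
        self.__content = content                          # permanent knowledge about itself
        self.__acquaintances = frozenset(acquaintances)   # roles this node will talk to
        self.__links = dict(links)                        # target node -> authority needed

    def ask(self, msg):
        # First check: is the node acquainted with the role the sender acts in?
        if msg.role not in self.__acquaintances:
            raise Refused(f"{self.name} is not acquainted with role {msg.role!r}")
        if msg.request == "read":
            return self.__content
        if msg.request == "follow":
            # Second check: does the sender hold the authority this link requires?
            needed = self.__links.get(msg.target)
            if needed is None:
                raise Refused(f"no link {self.name} -> {msg.target}")
            if needed not in msg.authorities:
                raise Refused(f"{msg.sender} lacks authority {needed!r} "
                              f"for {self.name} -> {msg.target}")
            return msg.target
        raise Refused(f"unknown request {msg.request!r}")


# Constructed sample hypertext about one person: administrative data is visible
# to clerks and physicians, medical data only to physicians who currently hold
# the 'treat' authority for this patient.
HYPERTEXT = {
    "patient_42_admin": Node("patient_42_admin", "Jane Doe, 12 Elm St.",
                             acquaintances={"clerk", "physician"},
                             links={"patient_42_medical": "treat"}),
    "patient_42_medical": Node("patient_42_medical", "Diagnosis: seasonal allergy.",
                               acquaintances={"physician"}, links={}),
}


def walk(user, role, authorities, start, path):
    """Read `start`, then follow `path` by asking each node in turn and reading
    the node reached. Returns the contents the user could actually obtain
    while acting in `role`; any refusal aborts the walk."""
    def send(node_name, request, target=None):
        return HYPERTEXT[node_name].ask(Message(user, role, authorities, request, target))

    current = start
    contents = [send(current, "read")]
    for target in path:
        current = send(current, "follow", target)   # the node decides whether the link may be taken
        contents.append(send(current, "read"))
    return contents


def refused(fn, *args):
    """True if some node refused to answer during the call; used for the checks below."""
    try:
        fn(*args)
    except Refused:
        return True
    return False


if __name__ == "__main__":
    print(walk("dr_lee", "physician", {"treat"}, "patient_42_admin", ["patient_42_medical"]))
    print(refused(walk, "smith", "clerk", set(), "patient_42_admin", ["patient_42_medical"]))
```

A clerk who somehow obtains the 'treat' authority can be handed the link, but the medical node still refuses to answer a clerk, because acquaintance is checked by the receiving node on every message. Python's double-underscore names only discourage direct reads of the private fields; in a real system the encapsulation boundary would be the protection domain of the secure operating system the approach relies on.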
Moreover, the information should refer to humans. In addition to its information content, each node of a hypertext system must have permanent knowledge of the roles that may be performed in the organization. Users are assigned certain roles within the organization. Each role corresponds to a number of statically declared acquaintances (nodes of the hypertext system) and a number of dynamically assigned authorities (privileges on operations that may be performed on the nodes). Depending on the role a user is currently acting in, she/he may derive information from a node (if the node is acquainted with that role) and may follow certain links to other nodes. Each node knows which links start from it and which authorities a user needs in order to follow a particular link.

4. CONCLUSION

The implementation of access control in multi-user and multi-application hypertext systems is crucial to ensuring the necessary security measures. Access control concepts developed for information systems, in particular database systems, may provide a basis for investigating security techniques for hypertext systems. In this paper we have discussed different approaches to modeling and expressing information security needs in hypertext systems. The discretionary security approach may be the primary choice if a high degree of security is not necessary. Keeping the responsibility for enforcing a security policy on the users' side is only adequate if potential threats against security will not result in considerable damage. Mandatory security models offer the most powerful protection mechanisms against unauthorized disclosure and modification of information. The Personal Knowledge Approach is an interesting alternative for applications where information about humans is kept and where the right to informational self-determination must be respected. Moreover, we believe that the object-oriented concepts used in this model (e.g. object encapsulation) come very close to the 'nature' of hidden personal knowledge and may correspond to the practice of separating information into different nodes in hypertext systems. The Clark and Wilson Model may also be an alternative, since security enforcement is delegated to the application programs. We believe, however, that this security policy is suitable only for special-purpose hypertext systems with very high update rates on the stored information units, and for hypertext systems where the only way to access information is by means of predefined paths. All four approaches originate from emphasizing different goals. In a nutshell, discretionary models try to assign privileges, mandatory models try to keep secrets, the Clark and Wilson approach guards security by well-formed transactions, and the Personal Knowledge Approach focuses on the constitutional right of informational self-determination. We feel that information security may need to address all of these aspects, even if the weight of each goal varies among applications. It should be recognized that information security is not an isolated problem but a problem of the entire system.
Although not discussed in this paper, further security issues for systems with high security needs include personnel security, procedural security, network security, encryption, hardware protection, software verification, add-on security packages and others. Last but not least, it is important to note that computer security in general is subject to many national and international standardization efforts. These efforts started in the USA with a national proposal for computer security in general (20) and were later extended to networks and databases. More recently, standardization efforts have moved to Europe, where the security proposals of several European countries have been unified into a common harmonized proposal by the Commission of the European Communities (21). In the authors' opinion the hypertext community will be faced with information security aspects in the near future.

REFERENCES

1. FOSS, C.L. Tools for reading and browsing hypertext. Information Processing and Management, 25(4).
2. MARCHIONINI, G. and SHNEIDERMAN, B. Finding Facts vs. Browsing in Hypertext Systems. IEEE Computer, 21(1).
3. NIELSEN, J. The art of navigating through hypertext. Communications of the ACM, 33(3).
4. TOMEK, I. and MAURER, H. Helping the user to select a link. Hypermedia, 4(2).
5. TRIGG, R.H. Guided Tours and Tabletops: Tools for Communicating in a Hypertext Environment. ACM Transactions on Office Information Systems (TOIS), 6(4).
6. PERNUL, G. and TJOA, A M. Database Security Policies. Proceedings of the Int'l Conf. on Safety and Reliability of Computers (SAFECOMP-92), Pergamon Press.
7. PERNUL, G. and LUEF, G. A Bibliography on Database Security. ACM SIGMOD Record, 21(1).
8. CONKLIN, J. Hypertext: An Introduction and Survey. IEEE Computer, 20(9).
9. HALL, P.A.V. and PAPADOPOULOS, S. Hypertext systems and applications. Information and Software Technology, 32(7).
10. NIELSEN, J. Hypertext and Hypermedia. Academic Press, San Diego, CA.
11. FERNANDEZ, E.B., SUMMERS, R.C. and WOOD, C. Database Security and Integrity. Addison-Wesley, Reading, Mass.
12. LUNT, T.F. Security in Database Systems: A Research Perspective. Computers & Security, 11.
13. YANKELOVICH, N., HAAN, B., MEYROWITZ, N. and DRUCKER, S.M. Intermedia: The Concept and the Construction of a Seamless Information Environment. IEEE Computer, 21(1).
14. BELL, D.E. and LAPADULA, L.J. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report MTR-2997, MITRE Corp., Bedford, Mass.
15. LANDWEHR, C.E. Formal Models for Computer Security. ACM Computing Surveys, 13(3).
16. MILLEN, J.K. Models of Multilevel Computer Security. In: Advances in Computers (M.C. YOVITS, ed.), 29, Academic Press, San Diego, CA.
17. CLARK, D.D. and WILSON, D.R. A Comparison of Commercial and Military Computer Security Policies. Proceedings of the IEEE Symposium on Security and Privacy.
18. BISKUP, J. and BRÜGGEMANN, H.H. The Personal Model of Data: Towards a Privacy-Oriented Information System. Computers & Security, 7.
19. BISKUP, J. and BRÜGGEMANN, H.H. The Personal Model of Data: Towards a Privacy-Oriented Information System (extended abstract). Proceedings of the 5th Int'l Conference on Data Engineering, IEEE Computer Society Press.
20. Trusted Computer System Evaluation Criteria. US National Computer Security Center, Technical Report DoD STD.
21. Information Technology Security Evaluation Criteria (ITSEC). Provisional Harmonized Criteria. Commission of the European Communities, Brussels, June.


Complex Access Control. Steven M. Bellovin September 10, Complex Access Control Steven M. Bellovin September 10, 2013 1 Access Control Matrix List all proceses and files in a matrix Each row is a process ( subject ) Each column is a file ( object ) Each matrix

More information

8.3 Mandatory Flow Control Models

8.3 Mandatory Flow Control Models 8.3 Mandatory Flow Control Models Mingsen Xu Advanced Operating System 2011-10-26 Outline Mandatory Flow Control Models - Information Flow Control - Lattice Model - Multilevel Security Model - Bell-Lapadula

More information

Access Control Models Part II

Access Control Models Part II Access Control Models Part II CERIAS and CS &ECE Departments Pag. 1 Introduction Other models: The Chinese Wall Model it combines elements of DAC and MAC RBAC Model it is a DAC model; however, it is sometimes

More information

Access Control Mechanisms

Access Control Mechanisms Access Control Mechanisms Week 11 P&P: Ch 4.5, 5.2, 5.3 CNT-4403: 26.March.2015 1 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection

More information

Cognizant Careers Portal Privacy Policy ( Policy )

Cognizant Careers Portal Privacy Policy ( Policy ) Cognizant Careers Portal Privacy Policy ( Policy ) Date: 22 March 2017 Introduction This Careers Portal Privacy Policy ("Policy") applies to the Careers portal on the Cognizant website accessed via www.cognizant.com/careers

More information

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts:

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts: The Jajodia & Sandhu model Jajodia & Sandhu (1991), a model for the application of mandatory policies in relational database systems. Based on the sec classifications introduced in BLP. It extends the

More information

Harmonization of usability measurements in ISO9126 software engineering standards

Harmonization of usability measurements in ISO9126 software engineering standards Harmonization of usability measurements in ISO9126 software engineering standards Laila Cheikhi, Alain Abran and Witold Suryn École de Technologie Supérieure, 1100 Notre-Dame Ouest, Montréal, Canada laila.cheikhi.1@ens.etsmtl.ca,

More information

Safeguarding Unclassified Controlled Technical Information

Safeguarding Unclassified Controlled Technical Information Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.

More information

II.C.4. Policy: Southeastern Technical College Computer Use

II.C.4. Policy: Southeastern Technical College Computer Use II.C.4. Policy: Southeastern Technical College Computer Use 1.0 Overview Due to the technological revolution in the workplace, businesses such as Southeastern Technical College (STC) have turned to computer

More information

Policy, Models, and Trust

Policy, Models, and Trust Policy, Models, and Trust 1 Security Policy A security policy is a well-defined set of rules that include the following: Subjects: the agents who interact with the system, Objects:the informational and

More information

Aspects of an XML-Based Phraseology Database Application

Aspects of an XML-Based Phraseology Database Application Aspects of an XML-Based Phraseology Database Application Denis Helic 1 and Peter Ďurčo2 1 University of Technology Graz Insitute for Information Systems and Computer Media dhelic@iicm.edu 2 University

More information

Security and Authorization

Security and Authorization Security and Authorization Sub-sets of SQL Data retrieval: SELECT Data Manipulation Language (DML): INSERT, UPDATE, DELETE Data Definition Language (DDL): CREATE, ALTER, DROP, RENAME Transaction control:

More information

Overview of Information Security

Overview of Information Security Overview of Information Security Lecture By Dr Richard Boateng, UGBS, Ghana Email: richard@pearlrichards.org Original Slides by Elisa Bertino CERIAS and CS &ECE Departments, Pag. 1 and UGBS Outline Information

More information

Legal notice and Privacy policy

Legal notice and Privacy policy Legal notice and Privacy policy We appreciate your interest in us. Below you will find information of legal relevance when visiting this website. In addition, you will find our Privacy Policy, which explains

More information

Advanced Systems Security: Integrity

Advanced Systems Security: Integrity Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

RippleMatch Privacy Policy

RippleMatch Privacy Policy RippleMatch Privacy Policy This Privacy Policy describes the policies and procedures of RippleMatch Inc. ( we, our or us ) on the collection, use and disclosure of your information on https://www.ripplematch.com/

More information

Opinion 02/2012 on facial recognition in online and mobile services

Opinion 02/2012 on facial recognition in online and mobile services ARTICLE 29 DATA PROTECTION WORKING PARTY 00727/12/EN WP 192 Opinion 02/2012 on facial recognition in online and mobile services Adopted on 22 March 2012 This Working Party was set up under Article 29 of

More information

TREND MICRO PRIVACY POLICY (Updated May 2012)

TREND MICRO PRIVACY POLICY (Updated May 2012) TREND MICRO PRIVACY POLICY (Updated May 2012) Trend Micro Incorporated and its subsidiaries and affiliates (collectively, "Trend Micro") are committed to protecting your privacy and ensuring you have a

More information

SAFE-BioPharma RAS Privacy Policy

SAFE-BioPharma RAS Privacy Policy SAFE-BioPharma RAS Privacy Policy This statement discloses the privacy practices for the SAFE-BioPharma Association ( SAFE- BioPharma ) Registration Authority System ( RAS ) web site and describes: what

More information

Mobile Application Privacy Policy

Mobile Application Privacy Policy Mobile Application Privacy Policy Introduction This mobile application is hosted and operated on behalf of your health plan. As such, some information collected through the mobile application may be considered

More information

CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME

CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME FACULTY OF LAW DEPARTEMENT: CIVIL LAW MASTER STUDY THEME: CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME Mentor: Prof. Ass. Dr. Xhemajl Ademaj Candidate: Abdurrahim Gashi Pristinë, 2015 Key words List

More information

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an

More information

Access Control in Federated Systems

Access Control in Federated Systems Access Control in Federated Systems Sabrina De Capitani di Vimercati Pierangela Samarati Dipartimento di Scienze dell Informazione Universiti di Milan0 via Comelico 39/41 Milan0 20135, Italy Phone: +39-2-55006257

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

DoD STD Supersedes CSC-STD-00l-83, dtd l5 Aug 83 Library No. S225,7ll DEPARTMENT OF DEFENSE STANDARD DEPARTMENT OF DEFENSE TRUSTED COMPUTER

DoD STD Supersedes CSC-STD-00l-83, dtd l5 Aug 83 Library No. S225,7ll DEPARTMENT OF DEFENSE STANDARD DEPARTMENT OF DEFENSE TRUSTED COMPUTER DoD 5200.28-STD Supersedes CSC-STD-00l-83, dtd l5 Aug 83 Library No. S225,7ll DEPARTMENT OF DEFENSE STANDARD DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA DECEMBER l985 December 26,

More information

CSE Computer Security

CSE Computer Security CSE 543 - Computer Security Lecture 11 - Access Control October 10, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ Access Control System Protection Domain What can be accessed by a process Default

More information

Shaw Privacy Policy. 1- Our commitment to you

Shaw Privacy Policy. 1- Our commitment to you Privacy Policy last revised on: Sept 16, 2016 Shaw Privacy Policy If you have any questions regarding Shaw s Privacy Policy please contact: privacy@shaw.ca or use the contact information shown on any of

More information

Internet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement

Internet copy.  EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement EasyGo security policy Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement This copy of the document was published on and is for information purposes only. It may change without further

More information

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014,

More information

Incompatibility Dimensions and Integration of Atomic Commit Protocols

Incompatibility Dimensions and Integration of Atomic Commit Protocols The International Arab Journal of Information Technology, Vol. 5, No. 4, October 2008 381 Incompatibility Dimensions and Integration of Atomic Commit Protocols Yousef Al-Houmaily Department of Computer

More information

OPINION ON THE DEVELOPMENT OF SIS II

OPINION ON THE DEVELOPMENT OF SIS II OPINION ON THE DEVELOPMENT OF SIS II 1 Introduction In an attempt to ensure that the second-generation Schengen information system SIS II complies with the highest standards of data protection, the Joint

More information