
Multilevel Security
Multilevel security is a security policy that allows you to classify objects and users based on a system of hierarchical security levels and a system of non-hierarchical security categories.
Multilevel security provides the capability to prevent unauthorized users from accessing information at a higher classification than their authorization, and prevents users from declassifying information.
Multilevel security offers the following advantages:
- Multilevel security enforcement is mandatory and automatic.
- Multilevel security can use methods that are difficult to express through traditional SQL views or queries.
- Multilevel security does not rely on special views or database variables to provide row-level security control.
- Multilevel security controls are consistent and integrated across the system, so that you can avoid defining users and authorizations more than once.
- Multilevel security does not allow users to declassify information.
Source: IBM
What is a multilevel database?
Here is a link to pages that describe multilevel databases from Security in Computing by Shari Lawrence Pfleeger at Google Books.
Briefly, a multilevel database provides granular security for data depending on the sensitivity of the data field and clearance of the user for both writing and reading data.
Source: serverfault
Multi-level security in database management systems
Multi-level secure database management system (MLS-DBMS) security requirements are defined in terms of the view of the database presented to users with different authorizations.
These security requirements are intended to be consistent with DoD secure computing system requirements. An informal security policy for a multi-level secure database management system is outlined, and mechanisms are introduced that support the policy.
Security constraints are the mechanism for defining classification rules, and query modification is the mechanism for implementing the classification policy. These mechanisms ensure that responses to users’ queries can be assigned classifications which will make them observable to the querying users.
Source: ScienceDirect
Multilevel Database
The first formulation of multilevel mandatory policies and the Bell-LaPadula model, simply assumed the existence of objects (information containers) to which a classification is assigned. This assumption works well in the operating system context, where objects to be protected are essentially files containing the data. Later studies investigated the extension of mandatory policies to database systems. While in operating systems security classes are assigned to files, database systems can afford a finer-grained classification. Classification can in fact be considered at the level of relations (equivalent to file-level classification in OS), at the level of columns (different properties can have a different classification), at the level of rows (properties referred to…
Source: Springer Link
MAC Security Issues
- Inference: Derivation of new information from known information. The inference problem refers to the fact that the derived information may be classified at a level for which the user is not cleared. The inference problem is that of users deducing unauthorized information from the legitimate information they acquire.
- Aggregation: The result of assembling or combining distinct units of data when handling sensitive information. Aggregation of data at one sensitivity level may result in the total data being designated at a higher sensitivity level.
- Polyinstantiation: Polyinstantiation allows a relation to contain multiple rows with the same primary key; the multiple instances are distinguished by their security levels.
- Referential integrity: A database has referential integrity if all foreign keys reference existing primary keys.
- Entity integrity: A tuple in a relation cannot have a null value for any of the primary key attributes.
- Granularity: The degree to which access to objects can be restricted. Granularity can be applied to both the actions allowable on objects, as well as to the users allowed to perform those actions on the object.
Source: NIST SP 800-8 (obsoleted)
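The following is an added worked example, not code from IBM, NIST or any of the other sources quoted above. It ties together two of the passages on this page: the IBM description of labels built from hierarchical levels plus non-hierarchical categories, with mandatory enforcement and no declassification, and the polyinstantiation entry in the NIST list of MAC issues. It models a row-labelled relation with Bell-LaPadula style checks: a subject reads only rows whose label its clearance dominates (no read up), may not label data below its own clearance (no write down), and may never lower a row's label. When a lower-cleared user inserts a key that already exists at a label they cannot see, the relation stores a second, polyinstantiated tuple rather than refusing, since a refusal would reveal the existence of the classified row. The level names, the category names, the flight rows and every class and function name are assumptions made for the example; the mechanism does nothing about the inference and aggregation problems listed above, which concern what a user can deduce from rows they are legitimately allowed to see.

```python
"""Toy multilevel-secure (MLS) relation: hierarchical levels plus
non-hierarchical categories, Bell-LaPadula read/write checks and
polyinstantiation.  Added illustration, not code from the cited sources."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hierarchical levels; names and order are assumed for the example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label = hierarchical level + non-hierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: A dominates B iff A.level >= B.level AND A's category
        # set is a superset of B's.  Same level, different categories: neither
        # label dominates the other.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def label(level: str, *categories: str) -> Label:
    return Label(level, frozenset(categories))


class PolicyViolation(Exception):
    pass


class MLSRelation:
    """Rows are keyed by (apparent key, row label), so the same apparent key
    may occur once per label: that is polyinstantiation."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, Label], dict] = {}

    def select(self, subject: Label) -> List[dict]:
        """No read up: only rows whose label the subject dominates are seen."""
        return [dict(row, _label=lab) for (_, lab), row in self._rows.items()
                if subject.dominates(lab)]

    def insert(self, subject: Label, key: str, row: dict,
               at: Optional[Label] = None) -> None:
        """Insert at the subject's own label or at one that dominates it;
        labelling data below the writer's clearance is a write-down."""
        target = at or subject
        if not target.dominates(subject):
            raise PolicyViolation("write down: label is below the writer's")
        if (key, target) in self._rows:
            raise PolicyViolation(f"duplicate key {key!r} at {target}")
        # The key may already exist at a label the subject cannot read.
        # Refusing would reveal that a higher-classified row exists (a covert
        # channel), so a second, polyinstantiated tuple is stored instead.
        self._rows[(key, target)] = dict(row)

    def relabel(self, subject: Label, key: str, old: Label, new: Label) -> None:
        """Upgrade a row's label.  The new label must dominate the old one:
        users may raise a classification, never declassify."""
        if not subject.dominates(old):
            raise PolicyViolation("no read up: row is not visible to subject")
        if not new.dominates(old):
            raise PolicyViolation("declassification is not permitted")
        self._rows[(key, new)] = self._rows.pop((key, old))


def demo() -> dict:
    """Walk through the page's concepts; returns the observable outcomes."""
    flights = MLSRelation()
    ts_nuc = label("TOP_SECRET", "NUCLEAR")
    sec_nato = label("SECRET", "NATO")
    unclass = label("UNCLASSIFIED")
    # Constructed sample data: flight F1's real cargo is TOP SECRET/NUCLEAR;
    # an uncleared clerk then enters the cover story under the same key, which
    # must succeed without hinting that a classified row already exists.
    flights.insert(ts_nuc, "F1", {"flight": "F1", "cargo": "warheads"})
    flights.insert(unclass, "F1", {"flight": "F1", "cargo": "mail"})
    out = {
        "ts_sees": sorted(r["cargo"] for r in flights.select(ts_nuc)),
        "unclass_sees": sorted(r["cargo"] for r in flights.select(unclass)),
        "nato_dominates_nuclear": sec_nato.dominates(label("SECRET", "NUCLEAR")),
        "nato_dominates_unclass": sec_nato.dominates(unclass),
    }
    attempts = {  # both must be refused by the policy
        "declassified": lambda: flights.relabel(
            ts_nuc, "F1", ts_nuc, label("SECRET", "NUCLEAR")),
        "write_down": lambda: flights.insert(
            sec_nato, "F2", {"flight": "F2", "cargo": "mail"}, at=unclass),
    }
    for name, action in attempts.items():
        try:
            action()
            out[name] = True
        except PolicyViolation:
            out[name] = False
    return out
```

Running `demo()` shows the TOP SECRET user seeing both instances of F1 while the uncleared user sees only the cover story, SECRET/NATO and SECRET/NUCLEAR being incomparable because categories are not ordered, and both the relabel-downwards and the write-below-clearance attempts being refused. A real MLS DBMS also has to decide what an UPDATE by a lower-cleared user means for a polyinstantiated key, and whether a higher-cleared user's writes default to their clearance or to a chosen lower-bounded level; those policy choices are deliberately left out of the toy.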