Analysis of formal models for access control and specific features of their applicability to databases
- Source: Radiotekhnika. :53-70
- Publication Year: 2021
- Publisher: Kharkiv National University of Radioelectronics, 2021.
Abstract
- A security model is an integral part of any project to create or assess the security of information systems and databases. The paper considers the main provisions of the most common security models based on controlling the access of subjects to objects. The analysis of formal models for access control shows that each of them has certain advantages and disadvantages and that each has a legitimate place in practice. The decisive factor is an assessment of the specific situation, which makes it possible to choose correctly. In this regard, the paper notes that security models based on discretionary policies are advisable for formal verification of the correctness of access control systems in well-protected information systems and databases. However, it emphasizes that these models have certain drawbacks that limit their use. The paper states that although security models based on the mandatory access policy play a significant role in information security theory, and their provisions have been introduced as mandatory requirements for systems that process secret information as well as in the standards for secure systems, a number of problems may arise in their practical implementation. These include problems associated with overestimating the security level, blind writes, and privileged subjects performing operations that do not fit within the framework of the model. The paper also concludes that security models based on a role-based policy make it possible to implement access control rules that change dynamically during the operation of information systems and databases, and that this is especially effective when organizing access to the resources of systems with a large number of users and objects.
- Subjects:
  - Correctness
  - Database
  - Computer science
  - Process (engineering)
  - Access control
  - General Medicine
  - Information security
  - Computer security model
  - Factor (programming language)
  - Information system
  - Formal verification
Details
- ISSN: 04858972
- Database: OpenAIRE
- Journal: Radiotekhnika
- Accession number: edsair.doi...........e433046c8424abbac34eb6063caeb411