Difference between "Subject" and "Object"

in SSCP
B"H
Quick question: is the difference between a "subject" and an "object" in terms of data on a PC whether or not this data exists within running-memory ("subject") vs. on disk alone ("object"); that is my current impression from comments made by Conrad in his book about this topic and I wanted to bounce the idea off you folks.
Another point of confusion here for me is this: in his definition of "subject" Conrad includes "entity", and cites as examples both people actively accessing data, as well as that data actively running in memory. Yet, in his definition of object he states "passive data within the system". Would an "object" include entities other than data, as does a "subject"? For example, would a $100 bill count as an object too?
Thanks,
Dovid
Comments
A subject is usually a human user or process running in memory.
An object is any resource that exists anywhere a subject can access it (in memory, on disk, across a communications channel, in "the cloud", etc.).
Subjects are active and objects are passive.
This is basically how the concepts of subjects and objects work in English grammar too.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Also, Conrad notes that DAC is sometimes considered a form of MAC, sometimes not. I can see why - after all, something besides the subject's discretion determines their level of access (here: group membership). However, I cannot understand why DAC would be considered unique as compared to MAC...maybe because there are many groups ("roles") that exist within the operating system? Whereas in MAC the clearance/label is used and the group convention apparently is not?
Just wondering,
Thanks again!
Dovid
To a human (subject), a security clearance is an assigned level of trustworthiness that the human will follow the rules s/he has agreed to. In other words, the degree of ethical behavior a human can be expected to demonstrate.
To a resource (object), a security label specifies the level of sensitivity of that object to public exposure. When something labeled as Confidential is exposed to the public it may be somewhat bad for the owner, while something Top Secret exposed to the public is potentially catastrophic to the owning organization (and possibly to others as well).
The actual label used to represent a security clearance level is completely arbitrary, and is defined by an organization creating a data classification standard (e.g., US DoD). You can say something is "Top Secret" or "5" or "Banana" and it can mean the same thing.
The same security labels are not necessarily the same across all organizations. E.g., "Secret" in one organization is not necessarily treated with the same level of protection as "Secret" in another organization.
Security clearances and security labels often have the same names so they may be matched for the purpose of determining authorization (e.g., a Secret clearance can see Secret material and lower). However, there are so many different dimensions of clearances (by employer, by customer, by program, by installation, passed a polygraph, "Need To Know," etc.) that a straight, one-to-one comparison is often not practical outside of academic examples, like those you find in IT security certification books.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Before reading your post I thought that "secret" vs. "top secret", e.g. had an objective meaning based on the extent to which they would harm national security if disclosed (Heaven forbid). But I never stopped to think that this might apply: a) on other levels, e.g., not just national security, but, the security of a particular organization (e.g. within the nation); and that b) the damage assessment may be subjective. (For example, maybe it includes not just assets but reputation, etc.).
To the point about DAC, MAC: good one; I didn't think of that either. One system you can adjust to create the results of the other, but not vice versa.
My new goal here is - yes, still reviewing the same few systems of Access Control - the relative advantages of each. I understand why I might want DAC since not everyone appreciates having "the system" enforce rules on them without their own input. I also see the need on the flip side of preventing subjects from granting their friends (in the case of people) unnecessary access, which is possible with DAC; so, I see a need for MAC. The one question I have left at this moment is this:
If it is the case that I can adjust RBAC, in essence, to achieve MAC level results, why is this not the best in - if not all, at least - most situations? At a superficial view, it seems hard to beat...you have your groups; you throw your users into them; you can get very granular in individual "permissions" if need be. So, the process doesn't seem overly time consuming; it is built into, say, MS Windows Server; it can reach almost any level of granularity of access control...why ditch that flexibility for MAC, which cannot be adjusted in such a granular way, seemingly?
Thanks again,
Dovid
PS. I hope you don't mind the "101" questions. I like to engage the material and draw on people's more expert knowledge and experience.
Part of the integrity of MAC, Role-BAC, and Rule-BAC is that they can't be broken by reconfiguring them to some other access model, accidentally or otherwise. If you have a system where you can have multiple access models then that's a hybrid designed to put more bullet points on the marketing glossies (IMHO).
And no problem with the "101" questions. I'm looking at the possibility of soon teaching InfoSec courses in a classroom, so I certainly need this practice in answering these types of questions without running to Google first.
I just found Eric Conrad's Web site at http://www.ericconrad.com/ He might have some additional information in his blog and whitepapers that is helpful to you.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
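The two points above (a clearance "dominates" a label when it is at least as high and covers the object's need-to-know compartments, and a DAC grant cannot be used to reconfigure your way around MAC) can be shown with a toy reference monitor. This is an added example, not code from the thread or from Conrad's book; the level names, their ordering, the CRYPTO compartment and the user names are all assumed for illustration, since the thread itself notes that the names are arbitrary and only the organisation's ordering matters.

```python
"""Added example (not from the thread): a toy reference monitor that contrasts
MAC (clearance/label dominance with need-to-know compartments) against DAC
(owner-granted ACLs). Level names, their order, the CRYPTO compartment and the
user names are assumptions chosen for illustration."""
from dataclasses import dataclass, field

# Assumed ordering, defined by the organisation; "Banana" could sit anywhere.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other):
        """Simple security rule: level at least as high AND every compartment
        of the object is held by the clearance."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label
    owner: str
    acl: dict = field(default_factory=dict)  # DAC: subject name -> set of perms


def dac_grant(granter, obj, grantee, perms):
    """DAC: only the owner may change the ACL, entirely at their discretion."""
    if granter.name != obj.owner:
        return False
    obj.acl.setdefault(grantee.name, set()).update(perms)
    return True


def dac_allows(subject, obj, perm):
    return subject.name == obj.owner or perm in obj.acl.get(subject.name, set())


def mac_allows(subject, obj):
    return subject.clearance.dominates(obj.label)


def can_read(subject, obj):
    """Reference monitor: both checks must pass, so a DAC grant never
    overrides a MAC denial and a MAC pass never bypasses the ACL."""
    return mac_allows(subject, obj) and dac_allows(subject, obj, "read")


def demo():
    alice = Subject("alice", Label("Secret", frozenset({"CRYPTO"})))
    bob = Subject("bob", Label("Secret"))  # Secret, but no CRYPTO need-to-know
    carol = Subject("carol", Label("Top Secret", frozenset({"CRYPTO"})))
    doc = Obj("keymat.txt", Label("Secret", frozenset({"CRYPTO"})), owner="alice")

    results = {}
    results["alice_reads_own"] = can_read(alice, doc)
    # Alice gives her friend Bob read access; DAC happily records the grant...
    results["grant_to_bob"] = dac_grant(alice, doc, bob, {"read"})
    # ...but MAC still denies: Bob's clearance lacks the CRYPTO compartment.
    results["bob_reads"] = can_read(bob, doc)
    # Carol's clearance dominates the label, but she has no ACL entry yet.
    results["carol_before_grant"] = can_read(carol, doc)
    dac_grant(alice, doc, carol, {"read"})
    results["carol_after_grant"] = can_read(carol, doc)
    # A non-owner cannot grant anything, not even to himself.
    results["bob_self_grant"] = dac_grant(bob, doc, bob, {"read"})
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The `dominates` method is the whole of MAC here: the owner's discretion (the ACL) is consulted only after the label comparison has passed, which is why, as the post says, adjusting the discretionary layer cannot reproduce or break the mandatory one. Real systems add the "no write down" half of the rule and far more dimensions than one compartment, but the shape of the check is the same.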
Here's what I got
A file, directory, and computer are NOT considered subjects.
An object is an entity that contains information.
Subjects are granted or denied access to objects.
A user, process, and group are subjects. Subjects actively request access to objects. Anything that requests access to an object is a subject. A program can be either a subject or an object, depending on its current use. A process is a particular instance of an application that is running. A group of processes that share access to the same resources is called a protection domain.
Hey, if you're in NYC let me know, I'd be happy to recommend you to a school near my place looking for I.T. instructors.
Shomer, thank you also for taking the time to consider these topics. It seems to me at this time like, in the context of data, Conrad considers whatever is actively running a "subject" and whatever is not an "object."
As for Conrad's site, I checked it, and then his Google group or something like that; I emailed him and he said I could join but he'd prefer if I ask once with more questions than many times with fewer questions, in not so many words...
Data is typically thought of as inert and does nothing on its own. Data may be operated upon by Subjects, which perform actions on Objects. Processes are Subjects and the data they chew on are Objects. (Note that program code is data because it is not "living" until made a running process by a Subject.)
I like to think of data as an excavation site and intelligence are the cool fossils and artifacts that are found by the digging and mining actions of Subjects.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray