Data Security --- Denning et al., 1972. [35]

Internal security (as opposed to external security: armed guards, fire protection and the like) is mainly concerned with the following:

* Access controls
  o They rely on being able to identify principals securely (authentication).
  o They make temporary observation awkward.
  o The privilege database is extremely sensitive and must be kept out of reach.
  There are two major design patterns:
  o Access control lists
  o Capabilities
* Flow controls
  They limit information flow to prevent leaks from a secret classification to a less secure one. Once you are at class A, you cannot talk to a lesser class. This scheme causes severe overclassification, since every principal ends up rising in classification. It also fails to model the world (for instance, an NDA temporarily raises a person's classification for a specific domain, with specific penalties for violating it). To fix this, information flow must be deduced (which input affects which output) and covert channels must be detected. This is very, very hard.
* Inference controls
  Restricted private information can be inferred from unrestricted aggregate information: ask a controlled question when part of the answer is already known (trackers). Solution: reduce the accuracy of answers, answer from random samples.
* Encryption
  It helps with authentication and guards against eavesdropping.
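The tracker attack under "inference controls" is easier to see in code. The following is an added example, not from the page or from Denning's paper: a toy statistical database that only answers count and sum queries and refuses any query whose result set is smaller than k or larger than n-k (the usual query-set-size control). The records, the salary values and the predicate names (`is_eng`, `is_manager`) are all constructed for illustration. The individual tracker splits the target's characteristic C into C1 and C2, asks two permitted aggregate questions, and subtracts; the same query engine is then configured with the two mitigations the notes mention, rounded answers and random sampling.

```python
"""Added example: tracker attack on a statistical database, with the
query-set-size restriction, rounded answers and random sampling.
Data and predicates are constructed; nothing here is from the paper."""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Record:
    name: str
    dept: str
    title: str
    salary: int  # constructed values, in thousands


# Constructed personnel table (hypothetical people and salaries).
RECORDS: List[Record] = [
    Record("alice", "eng", "manager", 150),
    Record("bob", "eng", "engineer", 120),
    Record("carol", "eng", "engineer", 110),
    Record("dave", "ops", "engineer", 100),
    Record("erin", "ops", "manager", 140),
    Record("frank", "ops", "analyst", 90),
    Record("grace", "sales", "analyst", 95),
    Record("heidi", "sales", "manager", 130),
]

Predicate = Callable[[Record], bool]


class StatDB:
    """Answers only aggregates (count, sum) and refuses any query whose
    true result set has fewer than k or more than n-k records.
    round_to reduces answer accuracy; sample_frac answers from a random
    subset of the matching rows, scaled back up to the full set."""

    def __init__(self, records: List[Record], k: int = 2, round_to: int = 1,
                 sample_frac: Optional[float] = None, seed: int = 0):
        self.records = list(records)
        self.k = k
        self.round_to = round_to
        self.sample_frac = sample_frac
        self.rng = random.Random(seed)

    def _matching(self, pred: Predicate) -> Optional[List[Record]]:
        rows = [r for r in self.records if pred(r)]
        n = len(self.records)
        if len(rows) < self.k or len(rows) > n - self.k:
            return None  # refused: result set too small or too large
        return rows

    def _aggregate(self, rows: List[Record], value: Callable[[Record], int]) -> int:
        scale = 1.0
        if self.sample_frac is not None:
            # Random-sample mitigation: each row is kept with probability
            # sample_frac and the total is scaled up to estimate the true sum.
            rows = [r for r in rows if self.rng.random() < self.sample_frac]
            scale = 1.0 / self.sample_frac
        total = sum(value(r) for r in rows) * scale
        # Reduced-accuracy mitigation: round to a multiple of round_to.
        return round(total / self.round_to) * self.round_to

    def count(self, pred: Predicate) -> Optional[int]:
        rows = self._matching(pred)
        return None if rows is None else self._aggregate(rows, lambda r: 1)

    def sum_salary(self, pred: Predicate) -> Optional[int]:
        rows = self._matching(pred)
        return None if rows is None else self._aggregate(rows, lambda r: r.salary)


def tracker_infer(db: StatDB, c1: Predicate, c2: Predicate) -> Optional[int]:
    """Individual tracker. The target is the only record satisfying
    C = C1 and C2, so sum(C) is refused outright. If both C1 and
    (C1 and not C2) have answerable result sets, then
    sum(C) = sum(C1) - sum(C1 and not C2)."""
    total = db.sum_salary(c1)
    rest = db.sum_salary(lambda r: c1(r) and not c2(r))
    if total is None or rest is None:
        return None
    return total - rest


# Constructed predicates: the target (eng manager) matches exactly one record.
def is_eng(r: Record) -> bool:
    return r.dept == "eng"


def is_manager(r: Record) -> bool:
    return r.title == "manager"


def is_target(r: Record) -> bool:
    return is_eng(r) and is_manager(r)


if __name__ == "__main__":
    plain = StatDB(RECORDS)
    print("direct query refused:", plain.sum_salary(is_target) is None)
    print("tracker recovers target salary:", tracker_infer(plain, is_eng, is_manager))
    print("with rounding to 100:", tracker_infer(StatDB(RECORDS, round_to=100), is_eng, is_manager))
    print("with 50% sampling:", tracker_infer(StatDB(RECORDS, sample_frac=0.5), is_eng, is_manager))
```

The set-size restriction alone does nothing against the tracker, because both sub-queries are individually permitted. Rounding breaks the exact subtraction, and sampling turns each answer into an estimate, so the difference is noise around the true value rather than the value itself; both mitigations cost legitimate users accuracy, which is the trade-off the notes point at.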