The dominant protection theory at this time is based on the concept of limiting information flow. The rational for this assumption is given in earlier chapters of this book. The concept of distributed domains is based on having a set of information domains with restricted flow between them. Each domain may be physically distributed, but is logically unified with respect to information flow. An information network is then described as the set of domains and the information flow between them. Certain management and administrative effects are inherent in the use of distributed domains for information protection, and we examine these in some depth here to provide insight into some current management problems and how they may be addressed.
In an information network based on distributed domains, communication, and thus the ability to disseminate and modify information are limited. If we assume that the system is properly implemented and that external attackers are successfully thwarted by common techniques, we are left with the effects of internal abuse. Since individuals in such a network may access multiple domains, it is convenient to consider individuals as collusions of domains. We may quickly see that the maximum effect of an individual is the combined transitive effects of all domains which that individual can effect, and the maximum dissemination is the combined transitive domains affecting the individual. To consider groups of individuals who might collude to launch an attack, we assume collusion and treat them as a single individual. Our discussion is based on the launching of attacks by individuals or groups of individuals, but the method works equally well in the analysis of accidental leaks and corruption of information.
In order to assess risk in such a system, we consider corruptive effects and dissemination effects independently, and add them for the joint effect. Just as in standard risk assessment techniques [Saltmarsh83] , we assign dollar values to resources and probabilities to attacks, but unlike the standard analysis, we have a firm basis for separation of resources, and thus a means for reducing the complexity of analysis. Our technique is then quite simple:
To reduce Lsys, we have a number of alternatives, combinations of which may lead to optimizations:
reduce the subjects with access without increasing access per subject reduce the values of domains (by eliminating unnecessary information) reduce the loss per individual (by reallocation of duties) reduce the likelihood of attack (by background checks or increased awareness)