Low-level entities are objects; all objects concerning the same
corporation form a CD (company dataset); CDs whose corporations are
in competition are grouped into COIs (Conflict of Interest classes).
Intuitive goal: keep one subject from reading different CDs in
the same COI, or from reading one CD and writing to another in the same COI.
Simple Security Property: Read access granted if the object:
is in the same CD as an object already accessed by the subject; or
is in a CD in an entirely different COI.
Theorems:
Once a subject has accessed an object, only other objects in that CD are available within that COI;
Subject has access to at most 1 dataset in each COI class.
Exceptions: sanitized information
*-Property: Write access is permitted only if:
Read access is permitted by the simple security property; and
No object in a different CD in that COI can be read, unless it contains sanitized information.
Key result: information can only flow within a CD or from sanitized information
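The following is an added worked example, not part of the original notes: a small access monitor in Python that encodes the simple security property, the *-property and the sanitized-information exception, and then checks the two theorems on constructed sample data (the bank and oil company objects, CD and COI names are all made up for illustration). The *-property check is written the Brewer-Nash way, over every unsanitized object the subject has read in any CD other than the target, because that is what the key result about information flow requires.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    """A low-level object, labelled with its company dataset (CD) and
    the Conflict of Interest class (COI) that CD belongs to."""
    name: str
    cd: str
    coi: str
    sanitized: bool = False


@dataclass
class Subject:
    name: str
    # Objects this subject has successfully read; every decision below
    # depends only on this access history, not on a fixed clearance.
    read_history: set = field(default_factory=set)


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property: read is granted if the object is
    sanitized, or if every unsanitized object already read is either in
    the same CD or in a CD of an entirely different COI."""
    if obj.sanitized:
        return True
    for prior in subject.read_history:
        if prior.sanitized:
            continue
        if prior.coi == obj.coi and prior.cd != obj.cd:
            return False  # another CD inside the same COI: the wall is up
    return True


def read(subject: Subject, obj: Obj) -> bool:
    """Perform a read; on success the object joins the subject's history."""
    if not can_read(subject, obj):
        return False
    subject.read_history.add(obj)
    return True


def can_write(subject: Subject, obj: Obj) -> bool:
    """*-property: write is granted only if the read is granted and no
    unsanitized object the subject has read lies in a CD other than the
    target's; otherwise the write would carry information across CDs."""
    if not can_read(subject, obj):
        return False
    return all(prior.sanitized or prior.cd == obj.cd
               for prior in subject.read_history)


def datasets_read_in_coi(subject: Subject, coi: str) -> set:
    """CDs of unsanitized objects the subject has read within one COI.
    By the theorem this set never holds more than one CD."""
    return {o.cd for o in subject.read_history
            if o.coi == coi and not o.sanitized}


# Constructed sample data: two banks competing in one COI, two oil
# companies in another, plus a sanitized (public) report from Bank B.
BANK_A = Obj("bank_a_ledger", cd="BankA", coi="Banks")
BANK_B = Obj("bank_b_ledger", cd="BankB", coi="Banks")
BANK_B_PUBLIC = Obj("bank_b_annual_report", cd="BankB", coi="Banks", sanitized=True)
OIL_X = Obj("oil_x_reserves", cd="OilX", coi="Oil")
OIL_Y = Obj("oil_y_reserves", cd="OilY", coi="Oil")


def run_demo() -> dict:
    """Walk one analyst through the model and collect each decision."""
    alice = Subject("alice")
    results = {}
    results["read_bank_a"] = read(alice, BANK_A)                # first touch: allowed
    results["read_bank_b"] = read(alice, BANK_B)                # competitor, same COI: denied
    results["read_bank_b_public"] = read(alice, BANK_B_PUBLIC)  # sanitized: allowed
    results["read_oil_x"] = read(alice, OIL_X)                  # different COI: allowed
    results["read_oil_y"] = read(alice, OIL_Y)                  # second CD in Oil COI: denied
    results["banks_cds"] = datasets_read_in_coi(alice, "Banks")
    results["oil_cds"] = datasets_read_in_coi(alice, "Oil")
    # Alice has read unsanitized BankA and OilX, so writing into either
    # CD could leak the other's information: both writes are denied.
    results["write_oil_x"] = can_write(alice, OIL_X)
    results["write_bank_a"] = can_write(alice, BANK_A)

    # Bob has read only BankA plus a sanitized report, so he may write
    # back into BankA but not into OilX.
    bob = Subject("bob")
    read(bob, BANK_A)
    read(bob, BANK_B_PUBLIC)
    results["bob_write_bank_a"] = can_write(bob, BANK_A)
    results["bob_write_oil_x"] = can_write(bob, OIL_X)
    return results


if __name__ == "__main__":
    for decision, outcome in run_demo().items():
        print(f"{decision}: {outcome}")
```

Note that the read history only grows, so the monitor is stateful per subject: the same read request can be allowed for one subject and denied for another purely because of what each has read before, which is the property that distinguishes the Chinese Wall from a static lattice model.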