Oracle Solaris Trusted Extensions User's Guide

Sensitivity Labels and Clearances

A label has the following two components:

Figure 1–3 Typical Industry Sensitivity Labels

Diagram shows typical labels and clearances as defined by industry.

Trusted Extensions maintains two types of labels: sensitivity labels and clearances. A user can be cleared to work at one or more sensitivity labels. A special label, known as the user clearance, determines the highest label at which a user is permitted to work. In addition, each user has a minimum sensitivity label. This label is used by default during login to a multilevel desktop session. After login, the user can choose to work at other labels within this range. For example, a user could be assigned Public as the minimum sensitivity label and Confidential: Need to Know as the clearance. At first login, the desktop workspaces are at the label Public. During the session, the user can create workspaces at Confidential: Internal Use Only and Confidential: Need to Know.
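The label range described above can be modeled as a dominance check. This is an added example, not code from the guide or from Trusted Extensions. The numeric levels, the compartment names, and the "Confidential: Project X" label are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    name: str
    level: int                      # classification rank (constructed values)
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other: level at least as high, compartments a superset."""
        return self.level >= other.level and self.compartments >= other.compartments

# Assumed encoding, for illustration only; a real site defines its own labels.
PUBLIC = Label("Public", 1)
INTERNAL = Label("Confidential: Internal Use Only", 2, frozenset({"internal"}))
NEED_TO_KNOW = Label("Confidential: Need to Know", 2, frozenset({"internal", "ntk"}))
# Hypothetical label, not on the page: same level, unrelated compartment.
PROJECT_X = Label("Confidential: Project X", 2, frozenset({"projx"}))
ALL_LABELS = [PUBLIC, INTERNAL, NEED_TO_KNOW, PROJECT_X]

def in_range(label, minimum, clearance):
    """A label is usable if the clearance dominates it and it dominates the minimum."""
    return clearance.dominates(label) and label.dominates(minimum)

def allowed_workspaces(labels, minimum, clearance):
    """Names of the labels at which the user may create a workspace."""
    if not clearance.dominates(minimum):
        raise ValueError("clearance must dominate the minimum label")
    return [l.name for l in labels if in_range(l, minimum, clearance)]

if __name__ == "__main__":
    print("login label:", PUBLIC.name)
    for name in allowed_workspaces(ALL_LABELS, PUBLIC, NEED_TO_KNOW):
        print("may work at:", name)
```

The hypothetical Project X label sits at the same level as the clearance but is excluded, because the clearance does not hold its compartment: a range is bounded by dominance, not by level alone.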

All subjects and objects have labels on a system that is configured with Trusted Extensions. A subject is an active entity, usually a process. The process causes information to flow among objects or changes the system state. An object is a passive entity that contains or receives data, such as a data file, directory, printer, or other device. In some cases, a process can be an object, such as when you use the kill command on a process.

Labels can be displayed in window title bars and in the trusted stripe, which is a special stripe on the screen. Figure 1–4 shows a typical multilevel Trusted Extensions session in Trusted CDE. The labels and trusted stripe are indicated.

Figure 1–4 Typical Trusted CDE Session

Screen shows labels on windows and icons, the trusted stripe with the trusted symbol and workspace label, and the Trusted Path menu.

Figure 1–5 shows a typical multilevel Trusted Extensions session on a Trusted JDS system. The trusted stripe is at the top. The Trusted Path menu is invoked from the trusted stripe. To assume a role, click the user name to invoke the roles menu. The workspace switches in the bottom panel display the color of the workspace label. The window list in the bottom panel displays the color of the window's label.

Figure 1–5 Typical Trusted JDS Session

Screen shows labels on windows, the trusted stripe, trusted symbol, Trusted Path menu, current user, workspace and window labels, and bottom stripe.