Multi-level models, directed graphs and partial orders in flow control for data secrecy and privacy

We present the view that the method of multi-level access control, often considered confined in the theory of mandatory access control, instead is central in access control methods, in the sense that it is necessary for data secrecy (i.e. confidentiality) and privacy. This is consequence of a result in directed graph theory showing that there is a multi-level structure in any data flow graph. Then, given the data flow graph of any access control system, it is possible to determine which multi-level access control system it implements. On the other hand, given any desired data flow graph, it is possible to assign subjects and objects to its different levels and thus implement a multi-level access control system for secrecy and privacy. As a consequence, we propose that the well-established lattice model of secure information flow be replaced by a model based on partial orders of components.