The author proposes separating the security properties of protection objects (called “entities” in this paper) from the objects themselves, in the form of “security labels.” These labels can then be used by a proposed architecture to enforce security constraints independently of the data-processing part of the system. This separation provides flexibility for configuring and modifying the security policies of a system. The idea is well developed, including notes on its use in implementing access control, flow control, authorization, and role-based access control. The architecture has been implemented and appears reasonably efficient.
This approach uses the principle of separation of authorization from processing aspects. This principle is not new; it was already used in Lang et al. [1], where a separate module was in charge of the authorization functions of a database system. However, its use here is quite different: it is applied to the security model, not to its software implementation as in Lang et al. [1].
A problem with this approach is that, since it is defined at a high level, it needs a way to ensure that the lower levels actually enforce the security constraints. If a user can access any of the lower levels directly, these constraints may be bypassed. This aspect is not discussed in the paper.
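To make the separation and the bypass concern concrete, here is an added illustration in Python; it is not code from the reviewed paper or from this review. It keeps security labels in a registry apart from a plain data store, routes reads through a small enforcement monitor whose policy can be swapped, and then checks the point raised above: a store that can be called directly ignores the labels, so the store here only answers requests carrying a capability that the monitor alone holds. The entity names, the three-level lattice, and the read-down policy are all constructed assumptions, not the paper's model.

```python
"""Added example, not code from the reviewed paper or this review: a label
registry and enforcement monitor kept separate from a plain data store, with
a check showing why the store must not be reachable directly. Entity names,
levels and payloads are constructed for illustration."""
from dataclasses import dataclass

# Constructed linear sensitivity lattice (assumption; the paper's labels may
# be richer, e.g. roles or flow-control tags).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Entity:
    name: str
    payload: str


class Store:
    """Lower level: pure data processing, knows nothing about security."""

    def __init__(self):
        self._rows = {}

    def put(self, entity):
        self._rows[entity.name] = entity

    def get(self, name):
        return self._rows[name]


class LabelRegistry:
    """Labels held apart from the entities, so policy changes never touch Store."""

    def __init__(self):
        self._labels = {}

    def label(self, name, level):
        self._labels[name] = level

    def level_of(self, name):
        return self._labels[name]  # unlabeled entity -> KeyError (fails closed)


def read_down(subject_level, object_level):
    """Constructed policy: a subject may read objects at or below its level."""
    return LEVELS[subject_level] >= LEVELS[object_level]


class GuardedStore(Store):
    """Store that only answers requests carrying the monitor's capability,
    closing the direct-access path the review's third paragraph warns about."""

    def __init__(self, capability):
        super().__init__()
        self._capability = capability

    def get(self, name, capability=None):
        if capability is not self._capability:
            raise PermissionError("direct store access is not mediated")
        return super().get(name)


class Monitor:
    """Enforcement layer: every read is checked against the registry first."""

    def __init__(self, registry, policy):
        self._capability = object()  # unforgeable in-process token
        self.store = GuardedStore(self._capability)
        self.registry = registry
        self.policy = policy

    def read(self, subject_level, name):
        if not self.policy(subject_level, self.registry.level_of(name)):
            raise PermissionError(f"{subject_level} may not read {name}")
        return self.store.get(name, self._capability).payload


def build_demo():
    """Constructed setup: one public and one secret entity."""
    registry = LabelRegistry()
    monitor = Monitor(registry, read_down)
    monitor.store.put(Entity("bulletin", "office closed Friday"))
    monitor.store.put(Entity("payroll", "salary table"))
    registry.label("bulletin", "public")
    registry.label("payroll", "secret")
    return monitor


def mediated_read(subject_level, name):
    """Read via the monitor; returns the payload, or None when policy denies."""
    try:
        return build_demo().read(subject_level, name)
    except PermissionError:
        return None


def direct_read_blocked(name):
    """True if calling the store directly, skipping the monitor, is refused."""
    try:
        build_demo().store.get(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(mediated_read("secret", "payroll"))  # salary table
    print(mediated_read("public", "payroll"))  # None (denied)
    print(direct_read_blocked("payroll"))      # True
```

Only reads are mediated here; writes go straight to the store to keep the example short. Replacing `read_down` with another function changes the policy without altering `Store`, which is the flexibility the review credits to the paper, while the capability check in `GuardedStore` is the extra piece the review notes the paper leaves open.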
Overall, the paper is well written, and presents an interesting and well-justified security architecture. It is valuable reading for anybody interested in security models and architectures.