What is Multi-Level Security (MLS) and why is it important?

Jun 1, 2025

Defense and Supply Chain Information Sharing Requires Strict Controls

Implementing the right separation and information protection needed to meet defense and national security requirements is often challenging. As government and defense organisations continue to face increasingly sophisticated threats, cybersecurity must evolve to incorporate new technologies and methodologies where applicable. Dynamic Multi-Level Security (MLS) offers a solution.

In today’s global environment, defence and the complex industry supply chains that enable these operations blur the traditional lines of geography and locality, even more so as we collaborate and share information daily with our partners, suppliers, subcontractors, and clients, using numerous combinations of information systems and media.

In the defense sector, sensitive information handling comes with mandated comprehensive controls. Having systems that enable and enforce these security controls to meet requirements is essential for defense and multinational coalition information collaboration and sharing needs.

However, the task of balancing effective security whilst still enabling information sharing in these complex environments is difficult. Dynamic policy enforcement and Multi-Level Security (MLS) methodologies can ensure that separation and protections are in place for contextual access to information without hindering authorized collaboration, whilst also stopping unauthorized access and sharing – a must to meet defense and industry supply chain requirements.

What is Multi-Level Security (MLS)?

Multi-level security (MLS) allows information at different classifications (e.g., Unclassified, Protected, Secret, Top Secret) to be stored and accessed within a single security domain, while enforcing different access control policies and compartments dynamically depending on context, with the assurance that the separation is effective.

Here are some key factors for successfully implementing MLS:

Security Classification

A security classification is the hierarchical category assigned to information and material that identifies the degree of damage that unauthorized disclosure or compromise would cause to a nation, generally regarding military or other government business. The classification denotes the degree of protection and control required for the storage, transmission, and utilization of the information.

Compartmentalization

Alongside security classification is a compartmentalization layer of separation and associated control requirements. It is sometimes referred to as codeword, sensitive, or compartmentalized, and can include releasability, caveats or rules around the sharing or dissemination of that information artefact.

Security Boundary

All systems have security boundaries, whether logical and enforced, or ephemeral and inadvertent. A security boundary naturally exists wherever two different “security domains” (which could be a set of security requirements, control objectives, or even handling characteristics) come together for some reason. For example, it can be between classifications, between compartments, between organizations, between networks, between systems, or even between nations.

Access Control

Implementing MLS requires the ability to measure and enforce contextual access control, with rules or policies that are defined and automatically applied. This process, also referred to as dynamic policy enforcement, ensures information is protected while remaining accessible to those who have authorization.

Auditing

MLS requires frequent reviews of access controls and permissions that can be independently verified by a security assessor.

How Does an MLS Platform Enable Dynamic Security?

An MLS capability is a system, platform, or environment that provides organizations with the ability to:

  • Enable custodians to label and tag their content creations in the system.
  • Control and release information to individuals/devices/locations that meet the contextual rules.
  • Enable dynamic policy enforcement and access controls to information.
  • Enforce contextual controls based on labels, tags, and other attributes.
  • Enable granular controls to apply either between or inside security domains.

To effectively implement MLS, it’s essential to leverage advanced methodologies that not only provide effective classification capability but also provide the flexibility needed to manage access rights securely.

Enhancing MLS with ABAC and Zero Trust Methodologies

When you add fine-grained controls offered by Attribute-based Access Control (ABAC), MLS becomes even more effective. When utilizing ABAC as the dynamic policy enforcement method, organizations can provide granular access control that takes into consideration the context of the access request to make decisions. These attribute controls are expressed as a key=value pair. For example, [Nationality=Australian], [Location=Canberra, Australia], or [Organization=archTIS].

By dynamically evaluating the attributes of the user or device and aligning them to the rules of access for the information, ABAC becomes an effective way to ensure only the right people – in the right context – can access the information.
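
The evaluation described above, as an added example (illustrative code, not taken from archTIS, Kojensi or NC Protect): a deny-by-default decision that combines the classification hierarchy, compartments and key=value attributes. The compartment name, the sample people and the `decide` function are hypothetical.

```python
from dataclasses import dataclass, field

# Classification hierarchy as named in the article, lowest to highest.
LEVELS = ["Unclassified", "Protected", "Secret", "Top Secret"]

@dataclass
class Subject:
    clearance: str
    compartments: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)   # key=value pairs, e.g. Nationality

@dataclass
class Resource:
    classification: str
    compartments: frozenset = frozenset()
    required: dict = field(default_factory=dict)     # key -> set of permitted values

def decide(subject, resource):
    """Evaluate one access request; returns (allowed, reasons_for_denial)."""
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False, ["unknown classification label"]      # fail closed
    reasons = []
    if LEVELS.index(subject.clearance) < LEVELS.index(resource.classification):
        reasons.append("clearance below classification")
    missing = resource.compartments - subject.compartments
    if missing:
        reasons.append("missing compartment: " + ", ".join(sorted(missing)))
    for key, permitted in resource.required.items():
        # An absent attribute yields None, which is never permitted.
        if subject.attributes.get(key) not in permitted:
            reasons.append("attribute not permitted: " + key)
    return not reasons, reasons

# Constructed sample data (compartment name and people are hypothetical).
DOC = Resource("Protected", frozenset({"PROJECT-X"}),
               {"Nationality": {"Australian"}, "Location": {"Canberra, Australia"}})
ALICE = Subject("Secret", frozenset({"PROJECT-X"}),
                {"Nationality": "Australian", "Location": "Canberra, Australia",
                 "Organization": "archTIS"})
# Same person, same clearance, but the request now comes from elsewhere.
ALICE_ABROAD = Subject("Secret", frozenset({"PROJECT-X"}),
                       {**ALICE.attributes, "Location": "Unknown"})
# Highest clearance, but no compartment access and no Nationality attribute.
BOB = Subject("Top Secret", frozenset(), {"Location": "Canberra, Australia"})

if __name__ == "__main__":
    for name, who in [("alice", ALICE), ("alice_abroad", ALICE_ABROAD), ("bob", BOB)]:
        print(name, decide(who, DOC))
```

The denial reasons returned alongside each decision are the kind of record the auditing requirement relies on: an assessor can see which rule blocked a request.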

ABAC methodologies enforce the zero trust principle of “never trust, always verify” through their dynamic access controls and continuous verification capabilities, overcoming traditional static policy limitations. 

This enables real-time trust evaluation and automated policy enforcement, allowing organizations to maintain strict classification controls while adapting to more modern threats – like AI-powered attacks and complex lateral movement attempts.

The combination of MLS classification with the data-centric zero trust continuous validation offered by ABAC creates a more resilient security posture in today’s complex, distributed environments.

What are the benefits of combining MLS and ABAC?

MLS combined with the dynamic capabilities of ABAC supports complex information sharing challenges and offers several benefits. It can:

  • Increase the accuracy, provenance and speed of getting the right information to the user, within multiple operational and security contexts.
  • Improve access management of compartmentalized information, within contextual constraints.
  • Assist in collapsing networks and reducing the number of systems that users have to interact with, including potentially within deployed scenarios.
  • Enable multi-national information sharing within mission-related network environments, potentially improving interoperability and effectiveness.
  • Enable files and documents to be rapidly created and shared, respecting the security rules set by the owner.

Fast tracking MLS to comply with information protection obligations

archTIS’ Kojensi platform provides the security controls needed to help organizations comply with information protection obligations, including MLS. Kojensi provides an assured and accredited SaaS solution to store, share and collaborate both internally and with supply chain, partners, and clients on information up to Australian PROTECTED.

For government and defense sector organisations that need to collaborate with multiple third-party organizations and multi-national personnel to share and collaborate on documents and files, Kojensi offers a turnkey solution. It enables the information owner to set the rules for sharing, providing immediate value.

Kojensi delivers several key capabilities and functions for secure file sharing and collaboration:

Delivers ABAC-powered MLS

  • Enables secure, compartmentalized collaboration out of the box with an ABAC-based MLS platform.
  • Provides an out-of-the-box ABAC-based MLS platform that 

Create Communities of Interest (CoIs) with Ease

  • Allows users to establish virtual workspaces or communities of interest (CoIs) via an intuitive UI.
  • User-controlled allocation and invitation of personnel to CoIs.

Securely share sensitive files, quickly and easily

  • Users can create, modify, and upload documents and files, and allocate metadata tags to control their releasability.
  • Users can edit documents within the browser, with co-authoring and an easy-to-use interface that enforces and respects the rules of access.
  • Users can modify document and file metadata to permit wider user access to the document.
  • Authorized users can modify document and file metadata to narrow access only to users who have the necessary attributes.

Supports Multinational Classification Schemes

  • Easily map agreements for handling security classifications from different nations to support multi-national information sharing.

Comprehensive MLS Solutions Across Microsoft Environments

archTIS can provide the same level of granular ABAC-based control for Microsoft applications with our NC Protect product. It offers advanced information protection across M365, GCC High and SharePoint Server, enabling simplified policy management and dynamic enforcement of data access and protection rules. For example, it can automatically detect and enforce releasability, encryption, clearance requirements, or community of interest, or act on keyword and other metadata tags. NC Protect offers ABAC policy-enforced access, usage, and sharing controls, as well as compliance enforcement for sensitive information, even in online and cross-jurisdictional scenarios.

Need MLS? Let us help.

With over 17 years of experience providing architectural and security input to government clients, archTIS has deep domain expertise across all elements of sensitive data protection and sharing. This includes working within multi-national, cross-domain and multi-domain scenarios, and in environments up to TS-SCI within both US and Australian contexts.

To benefit from archTIS’ expertise in delivering multi-level security, cross-domain solutions within the highest security areas of government, contact us today.
