Data flow control for security is a mature research area in computer security, and its established results can be adapted to the newer area of data security in the Internet of things or the Cloud. This paper takes a fundamental approach to the problem. It shows that, under reflexivity and transitivity assumptions, any network of communicating entities can be seen as a partial order of equivalence classes of entities, which is a simplification and generalization of current theory based on the lattice concept, where lattices are generated by labelling. Networks of communicating entities can be created in many ways, including routing, access control policies (possibly involving labeling), etc. Their intrinsic partial orders are necessary and sufficient for data security, and in any such network entities will have greater or lower secrecy or integrity according to their position in the partial order. It is shown how labeling systems, capable of expressing many types of security requirements, can be constructed to assign entities to their appropriate positions in network partial orders. Established paradigms in data security, such as conflicts, conglomeration, aggregation, are introduced in examples. Then it is shown how entities can be added, removed or relocated in partial orders, as a result of events such as user or administrative action. A label-based method is described to maintain security requirements through such transformations. Efficient algorithms exist to implement these concepts, they are applications of transitive closure algorithms and strongly connected component algorithms.

用于安全性的数据流控制是计算机安全性的一个成熟研究领域，其确定的结果可以适应物联网或云中较新的数据安全性领域。本文对这个问题采取了基本的方法。它表明，在自反性和及物性假设下，任何通信实体网络都可以视为实体等价类的偏序，这是基于格的当前理论的简化和概括。概念，其中通过标记生成晶格。可以通过许多方式来创建通信实体的网络，包括路由，访问控制策略（可能涉及标签）等。它们的固有部分顺序对于数据安全是必要且足够的，并且在任何此类网络实体中，其保密性将更高或更低。完整性根据其在部分顺序中的位置。显示了如何构造能够表达多种类型的安全性要求的标记系统，以将实体分配给网络部分订单中的适当位置。示例中介绍了数据安全中已建立的范式，例如冲突，集团化，聚合。然后说明由于诸如用户或管理操作之类的事件，如何可以按部分顺序添加，删除或重新放置实体。描述了一种基于标签的方法，以通过此类转换来维护安全性要求。存在有效的算法来实现这些概念，它们是传递闭包算法和强连接组件算法的应用。