Domain 3: Security Architecture and Engineering Module 20 of 84

Security Models

CISSP Domain 3 — Security Architecture and Engineering, Section A — Design Principles and Models

Why Security Models Still Appear on the Exam

Security models were developed decades ago, many for military and government use cases. You will not implement Bell-LaPadula from scratch in your career. But these models formalize the security properties that every modern system tries to achieve: confidentiality, integrity, conflict of interest prevention. The exam tests whether you know which property each model protects and when each model applies — not whether you can derive proofs.

Think of security models as blueprints for trust decisions. Each model answers a different question: Who can read what? Who can write what? How do we prevent conflicts of interest?

This module covers CISSP exam objective 3.2: understand the fundamental concepts of security models. This is one of the most heavily tested topics in Domain 3.


Bell-LaPadula Model — Confidentiality

Bell-LaPadula (BLP) was designed for military environments where the primary concern is preventing unauthorized disclosure of classified information. It protects confidentiality.

Two mandatory rules define BLP:

  • Simple Security Property (no read up) — A subject cannot read data at a higher classification level. A person with Secret clearance cannot read Top Secret documents.
  • Star Property / *-Property (no write down) — A subject cannot write data to a lower classification level. A person working with Top Secret data cannot write that information to a Secret or Unclassified document.

The logic: “no read up” prevents you from seeing information above your clearance. “No write down” prevents you from copying sensitive information to a less-protected location. Together, they create a system where classified information can only flow upward or stay at the same level — never downward.

When BLP applies: Any scenario where the primary concern is preventing unauthorized disclosure. Government classification systems are the textbook example, but any environment with tiered confidentiality levels maps to this model.

What BLP does NOT address: Integrity. BLP says nothing about whether data is accurate or has been tampered with. A subject could write garbage into a higher-level document and BLP would not prevent it.


Biba Model — Integrity

Biba inverts Bell-LaPadula to protect integrity instead of confidentiality. If BLP prevents information from flowing down, Biba prevents corruption from flowing up.

Two mandatory rules:

  • Simple Integrity Axiom (no read down) — A subject cannot read data at a lower integrity level. You do not want high-integrity processes consuming unverified, low-integrity data.
  • Star Integrity Axiom / *-Integrity Property (no write up) — A subject cannot write data to a higher integrity level. Untrusted sources cannot modify trusted data.

The logic: “no read down” prevents contamination by reading unreliable data. “No write up” prevents unreliable subjects from corrupting trusted data stores. Together, they ensure that high-integrity data remains trustworthy.

When Biba applies: Any scenario where data accuracy and trustworthiness are the primary concern. Financial transaction systems, manufacturing control systems, and medical records systems all have integrity as their top priority.

Remember the mirror: Bell-LaPadula and Biba are exact inverses. BLP = no read up, no write down (confidentiality). Biba = no read down, no write up (integrity). If you remember one, you can derive the other.
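To make the mirror concrete, here is an added example (not code from the module) of a toy reference monitor that applies the Bell-LaPadula and Biba rules to the same ordered labels. The level names, the function names and the request format are assumptions; the point is that Biba's decision for a (subject, object) pair is exactly BLP's decision with the two levels swapped, and that is checked exhaustively rather than asserted.

```python
# Added example, not from the module: BLP and Biba over one ordered set of
# labels. Level names and function names are assumptions.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def blp_permits(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read  -> subject must dominate object  (no read up)
    write -> object must dominate subject  (no write down)"""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return o >= s
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity), the inverse of BLP.
    read  -> object must dominate subject  (no read down)
    write -> subject must dominate object  (no write up)"""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return o >= s
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def mirror_holds() -> bool:
    """Check the module's claim exhaustively: Biba's decision for (subject,
    object) equals BLP's decision with the two levels swapped, for every
    pair of levels and both operations."""
    return all(
        biba_permits(s, o, op) == blp_permits(o, s, op)
        for s in LEVELS for o in LEVELS for op in ("read", "write")
    )


def mediate(policy, subject_level: str, requests):
    """Reference-monitor loop: every request is checked, and a denied request
    changes nothing. That is the state-machine argument in miniature: start
    secure, and every permitted transition keeps you secure.
    Returns a list of (object_level, op, allowed)."""
    return [(o, op, policy(subject_level, o, op)) for o, op in requests]
```

Running `mediate(blp_permits, "Secret", [("Unclassified", "write")])` reproduces the Question 1 situation below: a Secret subject writing to an Unclassified document is refused by the *-Property, while the same subject reading a Confidential document is allowed.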


Clark-Wilson Model — Integrity via Well-Formed Transactions

Clark-Wilson takes a different approach to integrity than Biba. Rather than restricting who can read or write at what level, Clark-Wilson enforces integrity through well-formed transactions and separation of duties.

Key components:

  • Constrained Data Items (CDIs) — The data that requires integrity protection
  • Unconstrained Data Items (UDIs) — Input data that has not yet been validated
  • Transformation Procedures (TPs) — The only authorized methods for modifying CDIs. Users cannot modify data directly — they must go through an approved transaction procedure.
  • Integrity Verification Procedures (IVPs) — Processes that verify CDIs remain in a valid state

The logic: users never touch data directly. They interact through controlled transaction procedures that enforce business rules. An accountant does not edit the general ledger file directly — they enter transactions through an accounting application that enforces double-entry bookkeeping rules.

When Clark-Wilson applies: Commercial and business environments where transactions must follow specific procedures to maintain data integrity. Banking systems, ERP applications, and any scenario describing “well-formed transactions” or “access triples” (subject, TP, CDI) point to Clark-Wilson.

Clark-Wilson vs. Biba: Biba uses classification levels to prevent corruption. Clark-Wilson uses procedural controls. Biba is a lattice-based model; Clark-Wilson is a transaction-based model. The exam will present a scenario and expect you to identify which model fits.
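The following added example (not from the module) shows the Clark-Wilson components as code: account balances are the CDIs, a journal entry typed by a user is a UDI, the only way to change balances is the TP `tp_post_entry`, users are bound to that TP by access triples, and the IVP checks the double-entry invariant. The ledger, user names and amounts are constructed for illustration.

```python
# Added example, not from the module: a minimal Clark-Wilson style ledger.
# All names and values are constructed.
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when a UDI fails validation or an IVP fails after a TP."""


@dataclass
class Ledger:
    # Constrained Data Items: account balances in cents, debit-positive.
    balances: dict = field(default_factory=dict)
    # Access triples (user, TP name, CDI name): who may run which TP on what.
    triples: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def ivp_check(self) -> bool:
        """Integrity Verification Procedure: under double-entry bookkeeping
        the debits and credits across all accounts must net to zero."""
        return sum(self.balances.values()) == 0

    def tp_post_entry(self, user: str, udi: dict) -> bool:
        """Transformation Procedure, the only authorised way to change balances.
        `udi` is an Unconstrained Data Item (raw form input) and is validated
        here before anything touches the CDIs."""
        if (user, "post_entry", "ledger") not in self.triples:
            raise PermissionError(f"{user} holds no access triple for post_entry")
        lines = udi.get("lines") or []
        if not lines or any(not isinstance(amount, int) for _, amount in lines):
            raise IntegrityError("malformed journal lines")
        if sum(amount for _, amount in lines) != 0:
            raise IntegrityError("debits and credits do not balance")
        snapshot = dict(self.balances)
        for account, amount in lines:
            self.balances[account] = self.balances.get(account, 0) + amount
        if not self.ivp_check():            # re-verify after the TP; roll back on failure
            self.balances = snapshot
            raise IntegrityError("IVP failed after TP; change rolled back")
        self.audit_log.append((user, "post_entry", tuple(lines)))
        return True


def demo() -> dict:
    """Constructed walk-through: one valid entry, one unbalanced entry, and one
    user without an access triple. Returns the outcomes for inspection."""
    ledger = Ledger(triples={("alice", "post_entry", "ledger")})
    out = {"valid": ledger.tp_post_entry("alice", {"lines": [("cash", 500), ("revenue", -500)]})}
    try:
        ledger.tp_post_entry("alice", {"lines": [("cash", 500), ("revenue", -400)]})
        out["unbalanced"] = "accepted"
    except IntegrityError:
        out["unbalanced"] = "rejected"
    try:
        ledger.tp_post_entry("bob", {"lines": [("cash", 100), ("revenue", -100)]})
        out["no_triple"] = "accepted"
    except PermissionError:
        out["no_triple"] = "rejected"
    out["balances"] = dict(ledger.balances)
    out["ivp"] = ledger.ivp_check()
    out["audit_entries"] = len(ledger.audit_log)
    return out
```

Note what is absent: there is no integrity level on the accountant or the ledger. Clark-Wilson gets its guarantee from the procedure (validation, atomic application, audit record, IVP) and from the triple that binds a user to it, which is exactly the distinction from Biba the section draws.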


Brewer-Nash Model — Chinese Wall

Brewer-Nash addresses conflict of interest. It dynamically restricts access based on what a subject has already accessed, preventing one person from viewing competing organizations’ data.

How it works:

  • Data is organized into conflict of interest classes. For example, all bank clients form one class; all oil companies form another.
  • A consultant can access data from Company A (a bank). Once they do, they are dynamically blocked from accessing data from Company B (a competing bank) within the same conflict class.
  • Access restrictions are not static — they build over time based on the subject’s access history.

When Brewer-Nash applies: Consulting firms, investment banks, law firms, accounting firms — any environment where professionals serve competing clients and must maintain information barriers. If the scenario mentions “Chinese wall,” “information barrier,” or “conflict of interest,” this is the model.
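An added example (not from the module) of the dynamic read rule described above. The conflict-of-interest classes, company names and the consultant are constructed; only the read rule the section describes is modelled. The restriction is created by the access itself, which is what makes Brewer-Nash history-based rather than static.

```python
# Added example, not from the module: a Brewer-Nash (Chinese Wall) read monitor.
# Conflict classes, companies and subjects are constructed sample data.
from collections import defaultdict

# Company dataset -> conflict of interest class.
CONFLICT_CLASS = {
    "Telecom A": "telecom",
    "Telecom B": "telecom",
    "Bank X": "banking",
    "Bank Y": "banking",
}


class ChineseWall:
    def __init__(self, conflict_class: dict):
        self.conflict_class = conflict_class
        # Per subject: the company already chosen within each conflict class.
        self.history = defaultdict(dict)

    def may_read(self, subject: str, company: str) -> bool:
        """Allowed if the subject has touched nothing in this conflict class yet,
        or has only ever touched this same company within it."""
        cls = self.conflict_class[company]
        chosen = self.history[subject].get(cls)
        return chosen is None or chosen == company

    def read(self, subject: str, company: str) -> bool:
        """Mediate a read and, if permitted, record it. From then on every
        competitor in the same conflict class is closed to this subject."""
        if not self.may_read(subject, company):
            return False
        self.history[subject][self.conflict_class[company]] = subject and company
        return True

    def open_to(self, subject: str) -> set:
        """Which companies the subject could still read right now (for audit or UI)."""
        return {c for c in self.conflict_class if self.may_read(subject, c)}
```

The same subject gets different answers at different times: before reading Telecom A, the consultant could read Telecom B; afterwards, the wall is up for the whole telecom class while the banking class stays open. A second consultant with no history is unaffected, which is why the control is per subject.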


State Machine Model

The state machine model is a foundational concept rather than a specific access control model. It defines a system as a collection of states and state transitions.

  • A secure state is one where all security policies are enforced
  • Every state transition (action, event, input) must move the system to another secure state
  • If the system starts in a secure state and every transition preserves security, the system is always in a secure state

Bell-LaPadula and Biba are both built on the state machine concept. They define what “secure state” means (no unauthorized read/write) and prove that their rules keep the system in that state through every transition.

Exam relevance: When a question asks about a system that must maintain security properties through all possible operations, it is describing a state machine model requirement.


Information Flow Model

Information flow models track how data moves between subjects and objects across a system. The goal is to ensure information only flows in authorized directions.

Bell-LaPadula is an information flow model: classified data flows up or stays level, never down. But information flow models also address covert channels — unauthorized paths through which information leaks outside the intended flow.

Covert channels come in two forms:

  • Storage channels — One process writes to a shared resource (like a file or memory location) that another process reads
  • Timing channels — One process modulates the timing of its operations to signal information to another process

Information flow models are relevant when the exam asks about preventing data leakage through indirect or unintended paths.


Noninterference Model

Noninterference takes information flow a step further: actions at one security level should have absolutely no observable effect on another security level. A Top Secret user’s activities should not be detectable by an Unclassified user — not through data, not through timing, not through resource availability.

This is the strongest form of isolation. In practice, true noninterference is extremely difficult to achieve because systems share hardware resources (CPU, memory, disk) that create observable side effects.

Exam relevance: Noninterference appears in questions about multi-level secure systems where different classification levels coexist on the same hardware and the design must prevent any information leakage between levels.


Lattice-Based Models

A lattice-based access control model uses a mathematical lattice structure to define security levels and the relationships between them. Each subject and object is assigned a security label, and the lattice defines the upper and lower bounds of allowed information flow.

The lattice establishes:

  • A least upper bound (the highest level both parties can access)
  • A greatest lower bound (the lowest level that encompasses both parties’ access)

Bell-LaPadula and Biba are both lattice-based models. The security labels (Unclassified, Confidential, Secret, Top Secret) form a lattice with defined ordering. Lattice models enforce that information flows only in authorized directions within this structure.

Exam relevance: When a question mentions security labels, dominance relationships, or mathematically defined access levels, it is describing a lattice-based model.
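An added example (not from the module) of labels as an actual lattice rather than a single ordered list: each label is a clearance level plus a set of compartments, so two labels can be incomparable, and least upper bound and greatest lower bound are computed explicitly. The level and compartment names are constructed. The example generalises the section's linear Unclassified-to-Top-Secret ordering, and the final function states the BLP read rule in lattice terms (subject label dominates object label).

```python
# Added example, not from the module: labels as (level, compartments) and the
# dominance, LUB and GLB operations on them. Names are constructed.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its level is at least other's and its
        compartment set includes other's. Dominance is a partial order:
        labels with different compartments can be incomparable."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b.
    Output derived from inputs labelled a and b must carry at least this label."""
    top = max(a.level, b.level, key=RANK.__getitem__)
    return Label(top, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b.
    An object labelled glb(a, b) can be read by subjects cleared at a and at b."""
    bottom = min(a.level, b.level, key=RANK.__getitem__)
    return Label(bottom, a.compartments & b.compartments)


def comparable(a: Label, b: Label) -> bool:
    return a.dominates(b) or b.dominates(a)


def blp_read_allowed(subject: Label, obj: Label) -> bool:
    """No read up, stated over the lattice: the subject must dominate the object.
    A Top Secret subject without the object's compartment is still refused."""
    return subject.dominates(obj)
```

The compartment case is the one worth remembering: a higher level alone does not imply dominance, so "Top Secret" without the NUCLEAR compartment cannot read a Secret/NUCLEAR object.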


Graham-Denning Model

Graham-Denning addresses a gap the other models leave open: how subjects and objects are created and deleted, and how access rights are assigned. It defines eight protection rules:

  1. Create object
  2. Create subject
  3. Delete object
  4. Delete subject
  5. Read access rights
  6. Grant access rights
  7. Delete access rights
  8. Transfer access rights

While Bell-LaPadula tells you who can read or write at what level, Graham-Denning tells you who can create a new user account, who can delete a file, and who can grant access rights to others. It formalizes the administrative side of access control.


Harrison-Ruzzo-Ullman (HRU) Model

HRU extends Graham-Denning by formalizing the question: can we determine whether a given system will ever reach an insecure state? It uses an access control matrix and a set of commands (operations) to model state transitions.

The key finding from HRU research: for general systems, it is undecidable whether a given configuration will ever leak access rights. In other words, you cannot always prove that a general access control system is secure. However, for restricted, simpler systems, safety can be proven.

Exam relevance: HRU appears rarely, but when it does, the question typically asks about access control matrix operations or the decidability of security properties. Remember: HRU deals with whether you can mathematically prove a system will remain secure.
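This added example (not from the module) serves both the Graham-Denning and the HRU sections. The eight Graham-Denning rules are written as commands over an access control matrix, and a breadth-first search then asks the HRU safety question for a small system: can the commands available to untrusted subjects ever give a chosen subject a chosen right? Subjects, objects and rights are constructed; the trailing `*` marking a right as transferable is an assumed notation standing in for the copy flag used in matrix models; and creation commands are deliberately left out of the search so that the reachable states are finite and the search terminates. That restriction is what makes the question decidable here, in contrast to the general case the section describes.

```python
# Added example, not from the module: Graham-Denning commands over an access
# control matrix, plus an HRU-style safety search. Names are constructed; the
# '*' transfer flag is an assumed notation.
from collections import deque

# A matrix state is an immutable set of (subject, object, right) cells.
# "own" is the control right; right + "*" means the right may be transferred.
def rights(m, subject, obj):
    return {r for (s, o, r) in m if s == subject and o == obj}

# --- Graham-Denning primitives. Each returns the new matrix, or None if refused.
def create_object(m, creator, obj):
    return m | {(creator, obj, "own")}          # creator becomes owner

def create_subject(m, creator, new_subject):
    return m | {(creator, new_subject, "own")}  # creator controls the new subject

def delete_object(m, owner, obj):
    if "own" not in rights(m, owner, obj):
        return None
    return frozenset(c for c in m if c[1] != obj)

def delete_subject(m, controller, subject):
    if "own" not in rights(m, controller, subject):
        return None
    return frozenset(c for c in m if c[0] != subject and c[1] != subject)

def read_rights(m, asker, subject, obj):
    """Only the object's owner or the subject's controller may inspect the cell."""
    if "own" not in rights(m, asker, obj) and "own" not in rights(m, asker, subject):
        return None
    return frozenset(rights(m, subject, obj))

def grant_right(m, owner, grantee, obj, right):
    if "own" not in rights(m, owner, obj):
        return None
    return m | {(grantee, obj, right)}

def delete_right(m, owner, subject, obj, right):
    if "own" not in rights(m, owner, obj):
        return None
    return m - {(subject, obj, right)}

def transfer_right(m, giver, receiver, obj, right):
    if right + "*" not in rights(m, giver, obj):
        return None
    return m | {(receiver, obj, right)}

# --- HRU safety question over a fixed set of subjects and objects.
def can_leak(m0, untrusted, objects, basic_rights, target, obj, right):
    """Can grant/transfer commands issued only by `untrusted` subjects ever put
    (target, obj, right) into the matrix? With no create commands the reachable
    matrices are finite, so breadth-first search decides the question.
    Returns the witnessing command sequence, or None if the right is safe."""
    queue, seen = deque([(m0, [])]), {m0}
    while queue:
        m, path = queue.popleft()
        if (target, obj, right) in m:
            return path
        for giver in untrusted:
            for receiver in untrusted:
                if giver == receiver:
                    continue
                for o in objects:
                    for r in basic_rights:
                        for name, fn in (("grant", grant_right), ("transfer", transfer_right)):
                            nxt = fn(m, giver, receiver, o, r)
                            if nxt is not None and nxt not in seen:
                                seen.add(nxt)
                                queue.append((nxt, path + [(name, giver, receiver, o, r)]))
    return None

def payroll_scenario(bob_right):
    """Constructed scenario: alice owns 'payroll' and is trusted (issues no
    commands); bob holds `bob_right` on it. Can mallory end up able to read it?"""
    m0 = frozenset({("alice", "payroll", "own"), ("alice", "payroll", "read"),
                    ("bob", "payroll", bob_right)})
    return can_leak(m0, ["bob", "mallory"], ["payroll"], ["read", "read*"],
                    "mallory", "payroll", "read")
```

The two runs of `payroll_scenario` show why safety analysis is about the rules, not the current matrix: with `read` alone bob can do nothing, so the right is provably safe; with `read*` one transfer command leaks it, and the search returns that command as evidence.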


Quick Reference: Model to Property Mapping

  • Bell-LaPadula → Confidentiality (no read up, no write down)
  • Biba → Integrity (no read down, no write up)
  • Clark-Wilson → Integrity (well-formed transactions, separation of duties)
  • Brewer-Nash → Conflict of interest (dynamic access based on history)
  • State Machine → System must remain in secure state through all transitions
  • Information Flow → Data flows only in authorized directions; addresses covert channels
  • Noninterference → Actions at one level have zero observable effect on another level
  • Lattice-Based → Mathematical structure defining security levels and access boundaries
  • Graham-Denning → Eight rules for creating/deleting subjects, objects, and rights
  • Harrison-Ruzzo-Ullman → Formal proof of access control safety; undecidable in general case

Pattern Recognition

Security model questions on the CISSP follow these structures:

  • Property identification — A scenario describes a security requirement (prevent disclosure, ensure integrity, prevent conflicts). You match it to the model that addresses that property.
  • Rule application — A subject attempts an action (reading up, writing down). You identify which model’s rule is being violated or enforced.
  • Model comparison — Two models are presented and you identify what distinguishes them. The key difference is usually the property they protect or the mechanism they use.
  • Scenario matching — A business scenario (consulting firm, military classification, banking transactions) maps directly to a specific model. The context tells you which model applies.

Trap Patterns

Watch for these wrong answers:

  • Confusing BLP and Biba rules — This is the single most common trap. BLP: no read up, no write down (confidentiality). Biba: no read down, no write up (integrity). They are exact mirrors. If you mix up the direction, you get the wrong model.
  • Confusing Biba and Clark-Wilson — Both address integrity, but through different mechanisms. Biba uses classification levels. Clark-Wilson uses well-formed transactions. A scenario about tiered integrity levels points to Biba. A scenario about controlled transaction procedures points to Clark-Wilson.
  • “Bell-LaPadula prevents all data leakage” — BLP addresses formal information flow but does not prevent covert channels. A subject could still signal information through timing or shared resources.
  • “Clark-Wilson is only for banking” — Clark-Wilson applies to any environment where transactions must be controlled and verified. Banking is a common example, not the only application.
  • Treating Chinese Wall as a static model — Brewer-Nash is dynamic. Access restrictions build based on what the subject has already accessed. Unlike BLP or Biba, the same subject may have different access at different times depending on their access history.

Scenario Practice


Question 1

A military intelligence system allows analysts with Secret clearance to access Secret and Confidential documents. An analyst attempts to copy a summary of Secret-level findings into an Unclassified briefing document intended for public release.

Which security model rule should prevent this action?

A. Bell-LaPadula Simple Security Property
B. Bell-LaPadula *-Property (Star Property)
C. Biba Simple Integrity Axiom
D. Clark-Wilson Transformation Procedure

Answer & reasoning

Correct: B

The analyst is attempting to write Secret information to an Unclassified document — writing down. Bell-LaPadula’s *-Property (no write down) prevents subjects from writing data to a lower classification level. This stops classified information from flowing to less-protected locations. The Simple Security Property (A) restricts reading, not writing. Biba (C) addresses integrity, not confidentiality. Clark-Wilson (D) uses transaction procedures, which is a different mechanism entirely.


Question 2

A consulting firm serves multiple clients in the telecommunications industry and multiple clients in the banking industry. A senior consultant who has been working on a project for Telecom Company A requests access to financial data from Telecom Company B for a new engagement.

Which security model governs this access decision?

A. Bell-LaPadula — the consultant lacks clearance for Company B data
B. Biba — the Company B data may have lower integrity than Company A data
C. Brewer-Nash — having accessed Company A data, the consultant is barred from Company B data in the same conflict class
D. Graham-Denning — the consultant’s access rights need to be formally transferred

Answer & reasoning

Correct: C

This is a Brewer-Nash (Chinese Wall) scenario. Both telecom companies are in the same conflict of interest class. Once the consultant accessed Company A data, they became dynamically restricted from accessing Company B data — because having information about both competitors creates a conflict of interest. BLP (A) addresses classification levels, not competitive conflicts. Biba (B) addresses data integrity. Graham-Denning (D) addresses the mechanics of rights management.


Question 3

A hospital implements an electronic health records (EHR) system where clinicians cannot modify patient records directly. Instead, they enter observations through a structured clinical form that validates entries against medical coding standards, checks for drug interaction conflicts, and creates an audit trail before committing changes to the patient record.

Which security model does this implementation BEST represent?

A. Biba — the system prevents low-integrity data from reaching patient records
B. Clark-Wilson — well-formed transactions through controlled procedures protect record integrity
C. Bell-LaPadula — the system prevents unauthorized access to patient records
D. State machine — the system transitions between secure states with each record update

Answer & reasoning

Correct: B

The scenario describes the core Clark-Wilson mechanism: users do not touch data directly. They interact through controlled transaction procedures (structured clinical forms) that validate input, enforce business rules, and maintain audit trails. The patient records are Constrained Data Items (CDIs), the clinical forms are Transformation Procedures (TPs), and the validation rules are Integrity Verification Procedures (IVPs). While Biba (A) also protects integrity, it does so through classification levels, not transaction procedures.


Key Takeaway

For exam purposes, security models boil down to three questions: What property is being protected? What mechanism does the model use? When does the model apply?

  • Confidentiality + classification levels = Bell-LaPadula
  • Integrity + classification levels = Biba
  • Integrity + controlled transactions = Clark-Wilson
  • Conflict of interest + dynamic access = Brewer-Nash

Master the BLP/Biba mirror (they are exact inverses), know when Clark-Wilson applies instead of Biba, and recognize Brewer-Nash from conflict-of-interest keywords. That covers the majority of security model questions you will encounter.
