Hook / Why This Matters
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Security models feel academic until you realize they are the logic behind every access control system you use. Bell-LaPadula is why classified systems block downward data flow. Biba is why you do not let untrusted inputs modify critical data. Understanding the models unlocks understanding of why systems are built the way they are.
Core Concept Explained Simply
Security models are formal descriptions of how a system should enforce security policies. They define rules about who can access what and under which conditions. Each model focuses on a specific security goal, and knowing which model applies to a given scenario is one of the most testable skills in CISSP Domain 3.
Bell-LaPadula Model (Confidentiality)
Bell-LaPadula is all about keeping secrets secret. It has two core properties:
- Simple security property ("no read up"): A subject cannot read data at a higher classification level than their own clearance.
- Star property ("no write down"): A subject cannot write data to a lower classification level than the data's current classification.
Together, these prevent information from flowing downward from classified to unclassified. A user with Secret clearance can read Secret and Confidential documents but cannot read Top Secret. They also cannot copy Secret data into a Confidential folder.
Bell-LaPadula addresses confidentiality only. It says nothing about integrity.
Biba Model (Integrity)
Biba is the mirror image of Bell-LaPadula, focused on integrity instead of confidentiality:
- Simple integrity axiom ("no read down"): A subject cannot read data at a lower integrity level.
- Star integrity axiom ("no write up"): A subject cannot write data to a higher integrity level.
The logic is that reading unreliable data could corrupt your decisions, and writing to a higher integrity level could corrupt trusted data with untrusted input.
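The Bell-LaPadula and Biba rules above can be written as two label comparisons between a subject's level and an object's level. The following is an added example, not code from the original page; the `Integrity` labels and all function names are assumptions made for illustration.

```python
from enum import IntEnum

class Clearance(IntEnum):      # confidentiality labels used in the text
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Integrity(IntEnum):      # assumed integrity labels, not from the page
    LOW = 0
    MEDIUM = 1
    HIGH = 2

def blp(subject, obj, op):
    """Bell-LaPadula: 'allow', or the property that blocks the access."""
    if op == "read" and obj > subject:
        return "deny: simple security property (no read up)"
    if op == "write" and obj < subject:
        return "deny: star property (no write down)"
    return "allow"

def biba(subject, obj, op):
    """Biba: the same comparison with both directions reversed."""
    if op == "read" and obj < subject:
        return "deny: simple integrity axiom (no read down)"
    if op == "write" and obj > subject:
        return "deny: star integrity axiom (no write up)"
    return "allow"

def allowed_levels(model, subject, op):
    """Every object level the subject may reach with this operation."""
    return [lvl.name for lvl in type(subject) if model(subject, lvl, op) == "allow"]

if __name__ == "__main__":
    secret = Clearance.SECRET
    print(blp(secret, Clearance.TOP_SECRET, "read"))
    print(blp(secret, Clearance.CONFIDENTIAL, "write"))
    for model, subject in ((blp, secret), (biba, Integrity.MEDIUM)):
        for op in ("read", "write"):
            print(model.__name__, subject.name, op, allowed_levels(model, subject, op))
```

Listing the allowed levels shows that "no write down" still permits writing up in Bell-LaPadula: a Secret subject may write to Top Secret objects it cannot read.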
Clark-Wilson Model (Integrity Through Transactions)
Clark-Wilson takes a different approach to integrity. Instead of labels, it enforces integrity through well-formed transactions and separation of duties. Users do not access data directly. They interact through constrained interfaces (called transformation procedures) that ensure every change follows defined rules. Think of it as the model behind financial systems where every transaction must be authorized, recorded, and auditable.
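A small sketch of the Clark-Wilson idea described above, as an added example that is not part of the original page: balances can change only through two transformation procedures, each call is checked against a list of certified users, the creator of a payment cannot approve it, and every decision is logged. The class, user names and accounts are constructed for illustration.

```python
class Ledger:
    """Account balances as constrained data: changed only via the TPs below."""
    def __init__(self, balances, certified):
        self._balances = dict(balances)
        self._certified = set(certified)   # (user, TP name) pairs allowed to run
        self._pending = {}                 # payment id -> (creator, src, dst, amount)
        self._total = sum(self._balances.values())
        self.audit = []                    # one entry per authorization decision

    def _check(self, user, tp, pid, creator=None):
        if (user, tp) not in self._certified:
            verdict = "denied: not certified for this TP"
        elif creator == user:
            verdict = "denied: separation of duties"
        else:
            verdict = "ok"
        self.audit.append((user, tp, pid, verdict))
        if verdict != "ok":
            raise PermissionError(verdict)

    def create_payment(self, user, pid, src, dst, amount):
        self._check(user, "create_payment", pid)
        if amount <= 0 or self._balances[src] < amount:
            raise ValueError("not a well-formed transaction")
        self._pending[pid] = (user, src, dst, amount)

    def approve_payment(self, user, pid):
        creator = self._pending.get(pid, (None,))[0]
        self._check(user, "approve_payment", pid, creator)
        _, src, dst, amount = self._pending[pid]   # KeyError for an unknown id
        if self._balances[src] < amount:
            raise ValueError("insufficient funds at approval time")
        self._balances[src] -= amount
        self._balances[dst] += amount
        del self._pending[pid]

    def verify(self):
        """Integrity check: no money created or lost, no negative balance."""
        vals = self._balances.values()
        return sum(vals) == self._total and min(vals) >= 0

if __name__ == "__main__":   # constructed users and accounts
    certified = {("alice", "create_payment"), ("alice", "approve_payment"),
                 ("bob", "approve_payment")}
    ledger = Ledger({"operating": 100, "vendor": 0}, certified)
    ledger.create_payment("alice", "p1", "operating", "vendor", 40)
    ledger.approve_payment("bob", "p1")   # alice approving p1 raises PermissionError
    print(ledger.verify(), ledger.audit)
```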
Brewer-Nash Model (Chinese Wall)
Brewer-Nash handles conflict of interest scenarios. Access restrictions change dynamically based on what a user has already accessed. Once an analyst accesses data for Company A, they are automatically blocked from accessing data for Company A's competitor. The "wall" is built in real time.
Other Models
- Graham-Denning and Harrison-Ruzzo-Ullman define rules for creating, deleting, and managing access rights in an access control matrix.
- State machine models ensure a system remains in a secure state through every transition.
- Lattice-based models define upper and lower bounds for information flow based on security labels.
CISSP Lens
The exam heavily tests Bell-LaPadula and Biba properties. You need to:
- Know the primary goal of each model (confidentiality vs. integrity vs. conflict of interest)
- Identify which model applies when a scenario describes specific data flow restrictions
- Remember that Bell-LaPadula addresses confidentiality only, not integrity
- Recognize Clark-Wilson as distinct from Biba because it uses transactions and separation of duties, not just labels
A common exam pattern is describing a scenario and asking which model is being applied or violated. If the scenario involves preventing data from flowing to a lower classification, that is Bell-LaPadula. If it involves preventing untrusted data from corrupting a trusted system, that is Biba.
Real-World Scenario
A consulting firm handles engagements for competing companies in the same industry. An analyst working on a market strategy for Company A could gain an unfair advantage (or create a liability) if they also access Company B's confidential data.
The firm implements Brewer-Nash principles in their document management system. When an analyst opens Company A's engagement files, the system dynamically blocks access to files belonging to Company A's competitors. If a new analyst has not accessed any client data yet, all clients are available. The restrictions build over time based on actual access patterns.
This is not hypothetical. Financial services firms, law firms, and consulting companies implement these controls routinely to manage regulatory and ethical obligations around conflicts of interest.
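The dynamic behaviour in this scenario comes from keeping an access history per analyst and grouping competing clients into conflict-of-interest classes. The following is an added example, not code from the original page; the class and method names, Company C and D, and the conflict class names are constructed for illustration.

```python
class ChineseWall:
    """Access history per analyst decides what is still reachable."""

    def __init__(self, conflict_classes):
        # conflict_classes: class name -> set of clients that compete with each other
        self._class_of = {client: name
                          for name, clients in conflict_classes.items()
                          for client in clients}
        self._history = {}   # analyst -> {conflict class: client already opened}

    def can_access(self, analyst, client):
        chosen = self._history.get(analyst, {}).get(self._class_of[client])
        return chosen is None or chosen == client

    def access(self, analyst, client):
        if not self.can_access(analyst, client):
            raise PermissionError(f"{analyst}: {client} conflicts with earlier access")
        self._history.setdefault(analyst, {})[self._class_of[client]] = client

    def available(self, analyst):
        return sorted(c for c in self._class_of if self.can_access(analyst, c))

if __name__ == "__main__":
    # Constructed data: Company A/B follow the scenario; C/D and class names are made up.
    wall = ChineseWall({"retail": {"Company A", "Company B"},
                        "energy": {"Company C", "Company D"}})
    print(wall.available("analyst1"))     # nothing accessed yet
    wall.access("analyst1", "Company A")
    print(wall.available("analyst1"))
    try:
        wall.access("analyst1", "Company B")
    except PermissionError as exc:
        print("blocked:", exc)
```

Access to a client in a different conflict class stays open after the first choice, and each analyst's wall is independent of the others.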
Common Mistakes and Misconceptions
- Mixing up Bell-LaPadula and Biba. Bell-LaPadula is confidentiality ("no read up, no write down"). Biba is integrity ("no read down, no write up"). The directions are opposite because the goals are opposite.
- Thinking Clark-Wilson is just Biba with extra steps. Clark-Wilson focuses on transactions, constrained interfaces, and separation of duties. It is a fundamentally different approach to integrity, not a variation of Biba.
- Assuming these models are purely theoretical. Every access control system implements elements of these models. MAC systems follow Bell-LaPadula. Financial transaction systems follow Clark-Wilson. Conflict-of-interest controls follow Brewer-Nash.
- Forgetting what each model allows. Bell-LaPadula allows reading at or below your level. Biba allows reading at or above your level. Getting the "allowed" direction wrong is a common exam mistake.
Actionable Checklist
- Create a one-page reference card listing each model, its primary goal, and its key rules
- Map your organization's access controls to the model they most closely follow
- Identify where integrity models (Biba, Clark-Wilson) apply in your environment, especially financial and transaction systems
- Review financial and compliance systems for Clark-Wilson principles: constrained interfaces, separation of duties, and audit trails
- Practice scenario questions that require choosing the correct model
- Remember the mnemonic: Bell-LaPadula protects Confidentiality (BLP = "Blocks Leaks to the Public"), Biba protects Integrity
Key Takeaways
- Bell-LaPadula protects confidentiality; Biba protects integrity; they solve different problems
- Clark-Wilson enforces integrity through controlled transactions, not just labels
- Brewer-Nash handles dynamic conflict-of-interest scenarios
- Real systems often combine elements of multiple models
- Know the properties and rules well; the exam tests them directly
Exam-Style Reflection Question
A military system prevents a user with Secret clearance from reading Top Secret documents but allows reading Confidential documents. Which security model is being applied?
Answer: Bell-LaPadula. The simple security property ("no read up") prevents reading above your clearance, while the model permits reading at or below your clearance level. This is a confidentiality-focused model used in classified government systems.