Security Models Overview
Understand how classification rules, lattice structures, and business transactions translate into modern security architecture.
Contrast classic access-control models that underpin confidentiality, integrity, and conflict-of-interest protections.
Bell-LaPadula (BLP)
Focus: Confidentiality
No read up, no write down
Key Principles
- Simple Security Property: a subject at a given clearance cannot read data at a higher classification.
- *-Property (Star): a subject cannot write information to a lower classification level, preventing leaks.
- Strong Tranquility: classification levels do not change during runtime; weak tranquility allows non-decreasing changes.
Example Usage
- Military analyst cleared Secret cannot access Top Secret documents.
- Analyst cannot downgrade a Secret report to Confidential when saving changes.
Biba
Focus: Integrity
No read down, no write up
Key Principles
- Simple Integrity Property: subjects cannot read data at a lower integrity level to avoid contamination.
- Star Integrity Property: subjects cannot write to data at a higher integrity level, protecting critical records.
- Invocation Property: a subject cannot invoke (call) a subject at a higher integrity level.
Example Usage
- Production database (high integrity) blocks writes from a staging server (lower integrity).
- Security engineer cannot import unvetted malware samples into a trusted baseline repository.
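The Bell-LaPadula and Biba rules above are duals of each other, and the "Designing with Security Models" advice to combine them reduces to requiring both checks to pass. The following reference monitor is an added example, not code from the original page; the lattice names mirror the page's own levels, and the subjects and objects are constructed.

```python
# Added example (not from the original page): a minimal reference monitor that
# evaluates the Bell-LaPadula and Biba rules over two ordered lattices. Level
# names mirror the page's lattices; subjects and objects are constructed.
from dataclasses import dataclass

# Ordered lattices: index 0 is the lowest level.
CONFIDENTIALITY = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEGRITY = ["External Inputs", "User Space", "Critical Applications", "System Kernel"]

@dataclass(frozen=True)
class Label:
    confidentiality: str  # BLP clearance (subject) or classification (object)
    integrity: str        # Biba integrity level

def _rank(lattice, level):
    return lattice.index(level)  # ValueError on an unknown label: fail closed

def blp_allows(op, subject, obj):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    s = _rank(CONFIDENTIALITY, subject.confidentiality)
    o = _rank(CONFIDENTIALITY, obj.confidentiality)
    if op == "read":
        return o <= s  # object classification at or below the clearance
    if op == "write":
        return o >= s  # object classification at or above the clearance
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(op, subject, obj):
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    s = _rank(INTEGRITY, subject.integrity)
    o = _rank(INTEGRITY, obj.integrity)
    if op == "read":
        return o >= s  # only read from equal or higher integrity
    if op == "write":
        return o <= s  # only write to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")

def allows(op, subject, obj):
    """Both models enforced together, as in a system needing confidentiality and integrity."""
    return blp_allows(op, subject, obj) and biba_allows(op, subject, obj)

if __name__ == "__main__":
    analyst = Label("Secret", "User Space")  # cleared Secret, ordinary workstation
    print(blp_allows("read", analyst, Label("Top Secret", "User Space")))     # False
    print(blp_allows("write", analyst, Label("Confidential", "User Space")))  # False
    print(biba_allows("read", analyst, Label("Secret", "External Inputs")))   # False
```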
Clark-Wilson
Focus: Commercial Integrity
Well-formed transactions + separation of duties
Key Principles
- Users (subjects) manipulate data only through applications enforcing business rules.
- Integrity Verification Procedures (IVPs) validate that data items start in a consistent state and remain valid.
- Transformation Procedures (TPs) are constrained to authorised roles, enforcing dual control and auditing.
Example Usage
- Bank teller application enforces double-entry accounting before committing transactions.
- Change-management workflow requires requestor and approver to be different identities.
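The Clark-Wilson principles above (constrained data items changed only through a certified TP, an IVP that re-checks consistency, and dual control) can be shown as a small ledger. This is an added example, not code from the original page or from any banking product; the roles, account names and the double-entry invariant are constructed.

```python
# Added example (not from the original page): a Clark-Wilson style ledger in which
# balances (constrained data items) change only through one certified
# transformation procedure. Roles and account names are constructed.
from dataclasses import dataclass, field

ROLES = {"alice": "teller", "bob": "teller", "carol": "supervisor"}  # constructed

class IntegrityError(Exception):
    pass

@dataclass
class Ledger:
    opening: dict                                # balances before any TP ran
    balances: dict = field(init=False)
    journal: list = field(default_factory=list)  # audit trail of posted entries

    def __post_init__(self):
        self.balances = dict(self.opening)

    def ivp(self):
        """Integrity Verification Procedure: replaying the journal from the opening
        balances must reproduce the live balances, and every entry must net to zero."""
        replay = dict(self.opening)
        for entry in self.journal:
            if sum(entry["legs"].values()) != 0:
                return False
            for acct, amount in entry["legs"].items():
                replay[acct] = replay.get(acct, 0) + amount
        return replay == self.balances

def tp_post_entry(ledger, legs, requester, approver):
    """Transformation Procedure: the only sanctioned way to move money.

    Enforces an authorised role, separation of duties (requester != approver),
    a well-formed double entry (legs sum to zero), then atomic apply + audit."""
    if ROLES.get(requester) != "teller":
        raise PermissionError(f"{requester} is not authorised to run this TP")
    if approver == requester or approver not in ROLES:
        raise PermissionError("dual control requires a different, known approver")
    if sum(legs.values()) != 0:
        raise IntegrityError("entry is not balanced: debits must equal credits")
    if any(ledger.balances.get(a, 0) + amt < 0 for a, amt in legs.items()):
        raise IntegrityError("entry would overdraw an account")
    for acct, amount in legs.items():  # apply only after every check has passed
        ledger.balances[acct] = ledger.balances.get(acct, 0) + amount
    ledger.journal.append({"legs": dict(legs), "by": requester, "approved_by": approver})
    return ledger.ivp()  # the data must still be in a consistent state afterwards
```

Tampering with `ledger.balances` outside the TP leaves the journal unchanged, so the next `ivp()` run reports the inconsistency.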
Brewer-Nash (Chinese Wall)
Focus: Conflict of Interest
Access decisions evolve based on a user's access history
Key Principles
- Subjects can access any dataset until they touch a conflict class; afterwards, they are locked out from competitors.
- Dynamic separation-of-duty prevents consultants from serving competing clients concurrently.
- Combines confidentiality and integrity by adapting to context.
Example Usage
- Security analyst advising Bank A cannot access sensitive artefacts for Bank B after engagement starts.
- Law firm DLP blocks copying documents between clients within the same industry conflict cell.
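The history-based behaviour described above (open access until a dataset in a conflict class is touched, then a lock-out from its competitors) is shown below as a small reference monitor. This is an added example, not code from the original page; the conflict classes and consultant names are constructed, and the write rule is a simplified form of the Brewer-Nash *-property that ignores sanitised data.

```python
# Added example (not from the original page): a history-based Brewer-Nash
# (Chinese Wall) reference monitor. Conflict classes and names are constructed.
from collections import defaultdict

# Constructed conflict-of-interest classes: competitors share a class.
CONFLICT_CLASSES = {
    "Bank A": "banking", "Bank B": "banking",
    "Pharma X": "pharma", "Pharma Y": "pharma",
    "Energy Alpha": "energy", "Energy Beta": "energy",
}

class ChineseWall:
    def __init__(self):
        self.history = defaultdict(set)  # subject -> datasets already accessed

    def read_allowed(self, subject, dataset):
        """Simple security: reading D is allowed unless the subject has already
        accessed a *different* dataset in D's conflict class."""
        cls = CONFLICT_CLASSES[dataset]  # KeyError on an unlabelled dataset: fail closed
        for seen in self.history[subject]:
            if seen != dataset and CONFLICT_CLASSES[seen] == cls:
                return False
        return True

    def read(self, subject, dataset):
        """Perform a read; a granted read is recorded and shapes future decisions."""
        if not self.read_allowed(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True

    def write_allowed(self, subject, dataset):
        """Simplified *-property: writing to D requires read access to D and that the
        subject has read nothing outside D, so no other client's data can flow in."""
        if not self.read_allowed(subject, dataset):
            return False
        return all(seen == dataset for seen in self.history[subject])

if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("consultant", "Bank A"))    # True: first touch of the banking class
    print(wall.read("consultant", "Bank B"))    # False: competitor now blocked
    print(wall.read("consultant", "Pharma X"))  # True: different conflict class
```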
Visualising the Model Lattices
Use these quick lattice summaries to describe mandatory access lattices in workshops and exams. Bell-LaPadula protects confidentiality by preventing writes down, while Biba prevents contamination of higher integrity levels. Brewer-Nash applies a dynamic barrier once a subject engages with a conflict class.
Bell-LaPadula Lattice
- Top Secret: highest clearance, prevent leakage downward
- Secret: sensitive operations data
- Confidential: internal mission details
- Unclassified / CUI: share on need-to-know only
Remember: subjects do not read up and do not write down.
Biba Integrity Levels
- System Kernel: highest integrity, only trusted writes
- Critical Applications: validated business logic
- User Space: workstations and productivity tools
- External Inputs: email attachments, internet downloads
Integrity is preserved because subjects do not read down and do not write up.
Brewer-Nash Conflict Cells
Banking Clients
- Bank A Engagement Workspace
- Bank B (Restricted after Bank A access)
Pharmaceutical Clients
- Pharma X Research Repo
- Pharma Y (Blocked once X accessed)
Energy Sector
- Energy Alpha Project
- Energy Beta Proposal (Denied once Alpha viewed)
Once a consultant accesses one cell, competing datasets are automatically blocked.
Model Comparison Cheat Sheet
Topic | Bell-LaPadula | Biba | Clark-Wilson | Brewer-Nash |
---|---|---|---|---|
Primary Goal | Protect confidentiality of classified information. | Protect integrity of trusted computing base. | Maintain correctness of commercial transactions. | Avoid conflicts of interest by contextual access control. |
Access Rule Summary | Read only objects classified at or below the clearance; write only to objects at or above it. | Read only objects at or above the subject's integrity level; write only to objects at or below it. | Only well-formed transactions via authorised programs. | Dynamic rules based on prior data access. |
Best Fit Environments | Defence, intelligence, classified government systems. | Industrial control systems, medical records, code repositories. | Financial systems, ERPs, ticketing workflows. | Consultancies, legal firms, research agencies with market conflicts. |
Sample Controls | Mandatory Access Control (MAC), clearance checks, mandatory labeling. | Integrity levels, tripwire monitoring, promotion/demotion guard processes. | Dual-control TPs, logging, certification rules. | Conflict-of-interest matrices, dynamic policy engines, contextual DLP. |
Use the matrix to quickly align a system's objectives with the correct control model.
Designing with Security Models
Blend models depending on the system:
- Combine Bell-LaPadula with Biba in military systems to enforce both confidentiality and integrity across classification levels.
- Overlay Clark-Wilson controls on Biba to bring workflow enforcement to industrial control or financial systems.
- Use Brewer-Nash logic within CASBs or zero-trust brokers to manage client conflicts dynamically.
Exam & Interview Tips
- Remember: Bell-LaPadula = confidentiality, Biba = integrity. Confusing the two is a classic exam trap.
- Clark-Wilson emphasises well-formed transactions and separation of duties in commercial environments.
- Brewer-Nash is dynamic and history-based: decisions depend on what you have accessed before.
- Map each model to real-world tooling (e.g., MAC labels, AD RMS, CASB policies) when explaining to stakeholders.
Interviewers often ask when you would choose one model over another; have a real example ready (e.g., SCADA systems = Biba, financial ledger = Clark-Wilson).