Posted filed under CISSP.

Security Models of Control

Security models of control are used to determine how security will be implemented, what subjects can access the system, and what objects they will have access to. Simply stated, they are a way to formalize security policy. Security models of control are typically implemented by enforcing integrity or confidentiality.



Integrity is a good thing. It is one of the basic elements of the security triad, along with confidentiality and availability. Integrity plays an important role in security because it can verify that unauthorized users are not modifying data, that authorized users don’t make unauthorized changes, and that data remains internally and externally consistent. Two security models of control that address integrity include Biba and Clark-Wilson.



The Biba model was the first model developed to address the concerns of integrity. Originally published in 1977, this lattice-based model has two defining properties:

  • Simple Integrity Property- This property states that a subject at one level of integrity is not permitted to read an object of lower integrity.
  • Star * Integrity Property- This property states that an object at one level of integrity is not permitted to write to an object of higher integrity.

Biba addresses integrity only, not availability or confidentiality. It also assumes that internal threats are being protected by good coding practices and, therefore, focuses on external threats.


 Remember that the Biba model deals with integrity. As such, writing to an object of a higher level might endanger the integrity of the system.



The Clark-Wilson model was created in 1987. It differs from previous models because it was developed with the intention to be used for commercial activities. This model dictates that the separation of duties must be enforced, subjects must access data through an application, and auditing is required. It also differs from the Biba model in that subjects are restricted. This means a subject at one level of access can read one set of data, whereas a subject at another level of access has access to a different set of data.



Although integrity is an important concept, confidentiality was actually the first to be addressed in a formal model. This is because the Department of Defense (DoD) was concerned about the confidentiality of information. The DoD divides information into categories, to ease the burden of managing who has access to what levels of information. DoD information classifications include confidential, secret, and top secret.



The Bell-LaPadula model was actually the first formal model developed to protect confidentiality. This is a state machine that enforces confidentiality. A state machine is a conceptual model that monitors the status of the system to prevent it from slipping into an insecure state. Systems that support the state machine model must have all their possible states examined to verify that all processes are controlled. The Bell-LaPadula model uses mandatory access control to enforce the DoD multilevel security policy. For a subject to access information, he must have a clear “need to know” and meet or exceed the information’s classification level.

The Bell-LaPadula model is defined by the two following properties:

  • Simple Security Property (ss Property)- This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as “no read up.”
  • Star * Security Property- This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as “no write down.”


 Review the Bell-LaPadula Simple Security and Star * Security models closely; they are easy to confuse with Biba's two defining properties.
 Know that the Bell-LaPadula model deals with confidentiality. As such, reading information at a higher level than what is allowed would endanger confidentiality.


Take-Grant Model

The Take-Grant model is another confidentiality-based model that supports four basic operations: take, grant, create, and revoke. This model allows subjects with the take right to remove take rights from other subjects. Subjects possessing the grant right can grant this right to other subjects. The create and revoke operations work in the same manner: Someone with the create right can give the create right to others, and those with the revoke right can remove that right from others.


Brewer and Nash Model

The Brewer and Nash model is similar to the Bell-LaPadula model and is also called the Chinese Wall model. It was developed to prevent conflict of interest (COI) problems. As an example, imagine that your security firm does security work for many large firms. If one of your employees could access information about all the firms that your company has worked for, he might be able to use this data in an unauthorized way. Therefore, the Chinese Wall model would prevent a worker consulting for one firm from accessing data belonging to another, thereby preventing any COI.


Other Models

Although not as popular, other security models of control exist:


  • Noninterference model- As its name states, this model’s job is to make sure that objects and subjects of different levels don’t interfere with the objects and subjects of other levels.
  • Information-flow model- This model is the basis of design of both the Biba and Bell-LaPadula models. Information-flow models are considered a type of state machine. The Biba model is designed to prevent information from flowing from a low security level to a high security level. This helps protect the integrity of sensitive information. The Bell-LaPadula model is designed to prevent information from flowing from a high security level to a lower one. This protects confidentiality. The real goal of any information-flow model is to prevent the unauthorized, insecure information flow in any direction.
  • Graham Denning model- This model uses a formal set of protection rules for which each object has an owner and a controller.
  • Harrison-Ruzzo-Ullman model- This model details how subjects and objects can be created, deleted, accessed, or changed.


 Spend some time reviewing all the models discussed in this section. Make sure you know which models are integrity based and which are confidentiality based; you will need to know this distinction for the exam.


Open and Closed Systems

Open systems accept input from other vendors and are based upon standards and practices that allow connection to different devices and interfaces. The goal is to promote full interoperability whereby the system can be fully utilized.
Closed systems are proprietary. They use devices that are not based on open standards and are generally locked. They lack standard interfaces to allow connection to other devices and interfaces.
An example of this can be seen in the U.S. cellphone industry. Cingular and T-Mobile cellphones are based on the worldwide Global System for Mobile Communications (GMS) standard and can be used overseas easily on other networks by simply changing the SIM module. These are open-system phones. Other phones, such as Sprint, use Code Division Multiple Access (CDMA), which does not have worldwide support.


**Source by wikipedia**

 To Become Certified For CISSP Please Visit This Link;



  1.  electronic hits stream