In CISSP Study Guide, authors Eric Conrad, Seth Misenar and Joshua Feldman describe information security models, such as the Bell-LaPadula Model (BLP), Biba and Clark-Wilson integrity models. These models relate to Domain 5 of the CISSP exam: security architecture and design.
The following excerpt comes from Chapter 6: Domain 5: Security architecture and design (pdf).
Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula “No Write Down” rule means subjects can write up: a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.
While many governments are primarily concerned with confidentiality, most businesses desire to ensure that the integrity of the information is protected at the highest level. Biba is the model of choice when integrity protection is vital. The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom.
Simple Integrity Axiom
The Simple Integrity Axiom is “no read down:” a subject at a specific classification level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.
* Integrity Axiom
The * Integrity Axiom is “no write up:” a subject at a specific classification level cannot write to data at a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.
Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity are often at odds. If you understand Bell-LaPadula (no read up; no write down), you can extrapolate Biba by reversing the rules: no read down; no write up.
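To make the "reverse the rules" relationship concrete, here is an added example (my code, not the book's) that encodes Bell-LaPadula and Biba as two decision functions over one constructed set of ordered levels. The level names, function names and the exhaustive check are my own; the book only states the rules.

```python
# Added example (not from the book): Bell-LaPadula and Biba as two functions
# over one ordered set of levels, to make the "reversed rules" relationship concrete.
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Ordered levels (constructed for this example). For BLP read them as
    classification levels; for Biba read the same ordering as integrity levels."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, access: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if access == "read":
        return subject >= obj      # simple security property: read at or below your level
    if access == "write":
        return subject <= obj      # * property: write at or above your level (write up is allowed)
    raise ValueError(f"unknown access {access!r}")


def biba_allows(subject: Level, obj: Level, access: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if access == "read":
        return subject <= obj      # simple integrity axiom: read only at or above your level
    if access == "write":
        return subject >= obj      # * integrity axiom: write only at or below your level
    raise ValueError(f"unknown access {access!r}")


def erroneous_write_scenario() -> dict:
    """The book's case: a Secret subject writing to a Top Secret object.
    BLP permits it (write up), Biba refuses it (no write up)."""
    return {"blp": blp_allows(Level.SECRET, Level.TOP_SECRET, "write"),
            "biba": biba_allows(Level.SECRET, Level.TOP_SECRET, "write")}


def biba_is_blp_with_levels_swapped() -> bool:
    """Exhaustively check that Biba's decision for (subject, object) equals
    BLP's decision with the subject and object levels exchanged, i.e. the
    "reverse the rules" rule of thumb holds for every pair and both accesses."""
    return all(biba_allows(s, o, a) == blp_allows(o, s, a)
               for s, o, a in product(Level, Level, ("read", "write")))


def denied_accesses(model) -> list:
    """All (subject, object, access) triples the given model denies."""
    return [(s.name, o.name, a) for s, o, a in product(Level, Level, ("read", "write"))
            if not model(s, o, a)]


if __name__ == "__main__":
    print(erroneous_write_scenario())          # {'blp': True, 'biba': False}
    print(biba_is_blp_with_levels_swapped())   # True
    for s, o, a in denied_accesses(biba_allows):
        print(f"Biba denies a {s} subject {a} access on a {o} object")
```

Running the script lists the twelve accesses Biba denies (every read downward and every write upward); the same call with `blp_allows` lists the mirror image.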
Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations on what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and Separation of Duties.
Well-Formed Transactions describe the Clark-Wilson ability to enforce control over applications. This process consists of the “access control triple”: user, transformation procedure, and constrained data item.
A transformation procedure (TP) is a well-formed transaction, and a constrained data item (CDI) is data that requires integrity. Unconstrained data items (UDI) are data that do not require integrity. Assurance is based upon integrity verification procedures (IVPs) that ensure that data are kept in a valid state.
About this book
CISSP Study Guide
by Eric Conrad et al.
Published Aug. 2010
Available in paperback or eBook
For each TP, an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.
Certification, Enforcement, and Separation of Duties
Within Clark-Wilson, certification monitors integrity, and enforcement preserves integrity. All relations must meet the requirements imposed by the separation of duty. All TPs must record enough information to reconstruct the data transaction to ensure integrity.
Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.
The purpose of separation of duties within the Clark-Wilson model is to ensure that authorized users do not change data in an inappropriate way. One example is a school’s bursar office. One department collects money and another department issues payments. Neither the money collection department nor the payment department is authorized to initiate purchase orders. By keeping all three roles separate, the school is assured that no one person can fraudulently collect, order, or spend the school’s money. The school depends on the honesty and competency of each person in the chain to report any improper modification of an order, payment or collection. It would take a conspiracy among all parties to conduct a fraudulent act.
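The pieces described above (access control triples, TPs, CDIs and UDIs, the IVP, the per-TP audit record, and separation of duties) fit together in one small enforcement engine. The following is an added example written for this page, not the book's code: the class and function names, the bursar TPs and the conservation rule the IVP checks are all my own constructions, chosen to mirror the school bursar scenario in the text.

```python
# Added example (not from the book): a minimal Clark-Wilson enforcement engine.
# Names (ClarkWilsonSystem, validate_udi, the bursar TPs) are this example's own.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    """An access outside the triples, a separation-of-duties clash, or a failed IVP."""


def validate_udi(raw: str) -> int:
    """Turn an unconstrained data item (e.g. the amount typed on a deposit slip)
    into a checked positive integer before any TP is allowed to see it."""
    if not raw.isdigit() or int(raw) <= 0:
        raise ValueError(f"rejected UDI {raw!r}")
    return int(raw)


@dataclass
class TransformationProcedure:
    name: str
    cdis: Tuple[str, ...]                             # CDIs this TP may touch
    run: Callable[[Dict[str, int], int], None]        # the well-formed transaction


@dataclass
class ClarkWilsonSystem:
    cdis: Dict[str, int]                              # constrained data items
    conflicting_tps: Set[str]                         # duties no single user may combine
    tps: Dict[str, TransformationProcedure] = field(default_factory=dict)
    triples: Set[Tuple[str, str, str]] = field(default_factory=set)   # (user, TP, CDI)
    audit: List[dict] = field(default_factory=list)

    def ivp(self) -> bool:
        """Integrity verification procedure: no CDI is negative and money is
        conserved, i.e. everything collected is either on hand or paid out."""
        c = self.cdis
        return all(v >= 0 for v in c.values()) and c["collected"] == c["cash"] + c["paid"]

    def certify(self, tp: TransformationProcedure) -> None:
        self.tps[tp.name] = tp

    def authorize(self, user: str, tp_name: str) -> None:
        """Add (user, TP, CDI) triples, refusing combinations that break separation of duties."""
        held = {t for (u, t, _) in self.triples if u == user}
        if tp_name in self.conflicting_tps and (held & self.conflicting_tps) - {tp_name}:
            raise IntegrityViolation(f"separation of duties: {user} already holds {sorted(held)}")
        for cdi in self.tps[tp_name].cdis:
            self.triples.add((user, tp_name, cdi))

    def execute(self, user: str, tp_name: str, amount: int) -> None:
        """Run a TP for a user; every attempt is logged and any failure rolls back."""
        before = dict(self.cdis)
        try:
            tp = self.tps.get(tp_name)
            if tp is None:
                raise IntegrityViolation(f"{tp_name!r} is not a certified TP")
            for cdi in tp.cdis:
                if (user, tp_name, cdi) not in self.triples:
                    raise IntegrityViolation(f"no triple ({user}, {tp_name}, {cdi})")
            tp.run(self.cdis, amount)
            if not self.ivp():
                raise IntegrityViolation("IVP failed after TP; state rolled back")
        except IntegrityViolation as exc:
            self.cdis = before          # recovery control: restore the last valid state
            self.audit.append({"user": user, "tp": tp_name, "amount": amount, "before": before,
                               "after": before, "ok": False, "reason": str(exc)})
            raise
        self.audit.append({"user": user, "tp": tp_name, "amount": amount, "before": before,
                           "after": dict(self.cdis), "ok": True})


# --- the book's bursar office: three TPs, each held by a separate role ---
def collect(c, amt):       # money comes in
    c["cash"] += amt
    c["collected"] += amt

def issue_order(c, amt):   # a purchase order is approved
    c["open_orders"] += amt

def pay(c, amt):           # money goes out against an open order
    c["cash"] -= amt
    c["paid"] += amt
    c["open_orders"] -= amt


def build_bursar() -> ClarkWilsonSystem:
    sys_ = ClarkWilsonSystem(cdis={"cash": 0, "collected": 0, "paid": 0, "open_orders": 0},
                             conflicting_tps={"collect", "issue_order", "pay"})
    sys_.certify(TransformationProcedure("collect", ("cash", "collected"), collect))
    sys_.certify(TransformationProcedure("issue_order", ("open_orders",), issue_order))
    sys_.certify(TransformationProcedure("pay", ("cash", "paid", "open_orders"), pay))
    sys_.authorize("alice", "collect")       # collections department
    sys_.authorize("bob", "issue_order")     # purchasing
    sys_.authorize("carol", "pay")           # payments department
    return sys_


if __name__ == "__main__":
    s = build_bursar()
    s.execute("alice", "collect", validate_udi("500"))
    s.execute("bob", "issue_order", 300)
    s.execute("carol", "pay", 200)
    for attempt in (("alice", "pay", 50), ("carol", "pay", 900)):
        try:
            s.execute(*attempt)
        except IntegrityViolation as e:
            print("denied:", e)
    print(s.cdis, len(s.audit), "audit records")
```

Two design points worth noting. The `pay` TP deliberately carries no checks of its own, so the IVP is what catches an overdraft or an overpayment and the engine rolls the CDIs back to the last valid state; in a certified system each TP would also be reviewed to preserve validity, and the IVP is the backstop. Separation of duties is enforced at authorization time rather than at execution time, so an attempt to give the collections clerk the payment TP is refused before any triple exists.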
Reprinted with permission from Elsevier Inc. Copyright 2011. "CISSP Study Guide" by E. Conrad, S. Misenar and J. Feldman. For more information about this title and similar books, please visit the book’s page on the Syngress web site.