In CISSP Study Guide, authors Eric Conrad, Seth Misenar and Joshua Feldman describe information security models, such as the Bell-LaPadula Model (BLP), Biba and Clark-Wilson integrity models. These models relate to Domain 5 of the CISSP exam: security architecture and design.
The following excerpt comes from Chapter 6: Domain 5: Security architecture and design (pdf).
Integrity Models
Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula “No Write Down” rule means subjects can write up: a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.
Biba Model
While many governments are primarily concerned with confidentiality, most businesses desire to ensure that the integrity of the information is protected at the highest level. Biba is the model of choice when integrity protection is vital. The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom.
Simple Integrity Axiom
The Simple Integrity Axiom is “no read down”: a subject at a specific classification level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.
* Integrity Axiom
The * Integrity Axiom is “no write up”: a subject at a specific classification level cannot write to data at a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.
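The two Biba axioms, encoded as a small reference-monitor check, with the Bell-LaPadula rules alongside so the duality with the “No Write Down” rule mentioned above is visible. This is an added Python example, not code from the book; the subject and object labels (installer, browser, system_config, downloads and so on) are constructed, and the one-step flow check goes slightly beyond the text by asking whether any subject could carry data from one object to another under each model.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels.  Under Biba they are integrity levels; under
    Bell-LaPadula the same ordering reads as classification levels."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def biba_allows(subject, obj, op):
    """Biba decision for one access request (subject and object levels)."""
    if op == "read":   # Simple Integrity Axiom: no read down
        return obj >= subject
    if op == "write":  # * Integrity Axiom: no write up
        return obj <= subject
    raise ValueError(f"unknown operation {op!r}")


def blp_allows(subject, obj, op):
    """Bell-LaPadula decision, included for contrast with Biba."""
    if op == "read":   # Simple Security Property: no read up
        return obj <= subject
    if op == "write":  # * Property: no write down
        return obj >= subject
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"biba": biba_allows, "blp": blp_allows}

# Constructed labelling of a workstation: the installer is trusted to change
# system state, the browser handles data of unknown provenance.
SUBJECTS = {"installer": Level.HIGH, "user_app": Level.MEDIUM, "browser": Level.LOW}
OBJECTS = {"system_config": Level.HIGH, "user_docs": Level.MEDIUM, "downloads": Level.LOW}


def mediate(model, subject, obj, op, subjects=SUBJECTS, objects=OBJECTS):
    """Reference-monitor style decision: (allowed, human-readable trace line)."""
    s, o = subjects[subject], objects[obj]
    allowed = MODELS[model](s, o, op)
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{model}: {subject}[{s.name}] {op} {obj}[{o.name}] -> {verdict}"


def flow_possible(src, dst, model="biba", subjects=SUBJECTS, objects=OBJECTS):
    """Can some subject copy data from src to dst in one step (read src, then
    write dst)?  This is the question behind the chapter's concern about a
    lower-level subject writing erroneous data into a higher-level object."""
    rule = MODELS[model]
    return any(rule(lvl, objects[src], "read") and rule(lvl, objects[dst], "write")
               for lvl in subjects.values())


if __name__ == "__main__":
    for request in [("browser", "system_config", "write"),
                    ("installer", "downloads", "read"),
                    ("installer", "system_config", "write")]:
        for model in MODELS:
            print(mediate(model, *request)[1])
    for model in MODELS:
        print(f"{model}: downloads -> system_config flow possible:",
              flow_possible("downloads", "system_config", model))
```

Under Biba no subject can both read a low-integrity object and write a high-integrity one, so the low-to-high flow is closed; under Bell-LaPadula every subject can, which is exactly the gap the Biba model is introduced to address.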
Clark-Wilson
Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations on what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and separation of duties.
Well-Formed Transactions
Well-Formed Transactions describe the Clark-Wilson ability to enforce control over applications. This process is comprised of the “access control triple”: user, transformation procedure, and constrained data item.
A transformation procedure (TP) is a well-formed transaction, and a constrained data item (CDI) is data that requires integrity. Unconstrained data items (UDI) are data that do not require integrity. Assurance is based upon integrity verification procedures (IVPs) that ensure that data are kept in a valid state.
For each TP, an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.
Certification, Enforcement, and Separation of Duties
Within Clark-Wilson, certification monitors integrity, and enforcement preserves integrity. All relations must meet the requirements imposed by the separation of duty. All TPs must record enough information to reconstruct the data transaction to ensure integrity.
Exam warning
Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.
The purpose of separation of duties within the Clark-Wilson model is to ensure that authorized users do not change data in an inappropriate way. One example is a school’s bursar office. One department collects money and another department issues payments. Both the money collection and payment departments are not authorized to initiate purchase orders. By keeping all three roles separate, the school is assured that no one person can fraudulently collect, order, or spend the school’s money. The school depends on the honesty and competency of each person in the chain to report any improper modification of an order, payment or collection. It would take a conspiracy among all parties to conduct a fraudulent act.
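The access control triple, transformation procedures, constrained and unconstrained data items, integrity verification procedures, audit records and the bursar's separation of duties described above, worked into one added Python example. This is not the book's code: the ledger, the user names (alice_collections, bob_payments, carol_purchasing), the conflict table and the ledger invariants are all constructed for illustration.

```python
"""Toy Clark-Wilson enforcement.  Users reach constrained data items (CDIs)
only through registered transformation procedures (TPs); each run must be
covered by an access-control triple, is checked by an integrity verification
procedure (IVP), is rolled back on failure, and is audited.  Constructed
example: all names, values and invariants are hypothetical."""
import copy
from decimal import Decimal, InvalidOperation

# CDIs: a school's ledger.  The starting balance is constructed sample data.
CDIS = {"cash": Decimal("1000"), "orders": [], "payments": []}

# Access-control triples (user, TP, CDI): the only paths to the data.
TRIPLES = {
    ("alice_collections", "collect", "cash"),
    ("bob_payments", "pay", "cash"),
    ("carol_purchasing", "order", "orders"),
}

# Pairs of TPs one user must never hold together (separation of duties).
CONFLICTS = {frozenset(p) for p in [("collect", "pay"), ("collect", "order"), ("pay", "order")]}

AUDIT = []  # one record per TP attempt: the detective and recovery trail


def to_amount(udi):
    """Validate an unconstrained data item (raw form input) into a CDI-grade value."""
    try:
        amount = Decimal(str(udi))
    except InvalidOperation:
        raise ValueError(f"not a number: {udi!r}")
    if amount <= 0:
        raise ValueError(f"amount must be positive: {amount}")
    return amount


def ivp(cdis):
    """Integrity verification procedure: the ledger invariants.
    Cash never negative; every payment matches an order; each order paid at most once."""
    if cdis["cash"] < 0:
        return False
    order_ids = {o["id"] for o in cdis["orders"]}
    paid = [p["order_id"] for p in cdis["payments"]]
    return all(pid in order_ids for pid in paid) and len(paid) == len(set(paid))


# Transformation procedures: the only code allowed to change CDIs.
def tp_collect(cdis, udi_amount):
    cdis["cash"] += to_amount(udi_amount)


def tp_order(cdis, udi_amount, vendor):
    cdis["orders"].append({"id": len(cdis["orders"]) + 1,
                           "amount": to_amount(udi_amount), "vendor": vendor})


def tp_pay(cdis, order_id):
    order = next(o for o in cdis["orders"] if o["id"] == order_id)  # StopIteration if unknown
    cdis["cash"] -= order["amount"]
    cdis["payments"].append({"order_id": order_id, "amount": order["amount"]})


TPS = {"collect": tp_collect, "order": tp_order, "pay": tp_pay}


def execute(user, tp_name, cdi_name, *args, cdis=CDIS, triples=TRIPLES, audit=AUDIT):
    """Run a TP on behalf of a user; returns True only if the change was kept."""
    record = {"user": user, "tp": tp_name, "cdi": cdi_name, "args": args}
    if (user, tp_name, cdi_name) not in triples:
        audit.append({**record, "result": "denied: no access-control triple"})
        return False
    snapshot = copy.deepcopy(cdis)  # enables recovery if the TP breaks integrity
    try:
        TPS[tp_name](cdis, *args)
        if not ivp(cdis):
            raise ValueError("IVP failed after TP")
    except (ValueError, StopIteration) as exc:
        cdis.clear()
        cdis.update(snapshot)  # roll back to the last valid state
        audit.append({**record, "result": f"rolled back: {exc}"})
        return False
    audit.append({**record, "result": "committed",
                  "before": snapshot, "after": copy.deepcopy(cdis)})
    return True


def separation_violations(triples=TRIPLES):
    """Users granted a pair of conflicting TPs, whatever the CDI."""
    held = {}
    for user, tp, _ in triples:
        held.setdefault(user, set()).add(tp)
    return {u for u, tps in held.items() if any(c <= tps for c in CONFLICTS)}


if __name__ == "__main__":
    execute("alice_collections", "collect", "cash", "250.00")
    execute("carol_purchasing", "order", "orders", "300", "Acme Supplies")
    execute("bob_payments", "pay", "cash", 1)
    execute("bob_payments", "pay", "cash", 1)              # duplicate payment: IVP rejects
    execute("carol_purchasing", "collect", "cash", "50")   # no triple: denied
    for rec in AUDIT:
        print(rec["user"], rec["tp"], rec["result"])
    print("SoD violations:", separation_violations(TRIPLES | {("bob_payments", "order", "orders")}))
```

The snapshot taken before each TP is what turns the audit record into a recovery control: the committed record carries the before and after state needed to reconstruct the transaction, and a TP that leaves the ledger in an invalid state is undone rather than merely logged.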
Reprinted with permission from Elsevier Inc. Copyright 2011. "CISSP Study Guide" by E. Conrad, S. Misenar and J. Feldman. For more information about this title and similar books, please visit the book’s page on the Syngress web site.
This was first published in September 2011