Fundamental Concepts of Security Models

Fundamental Security models illustrate concepts that can be used when analyzing an existing system or designing a new one and as a result, these models cause we understand complex security mechanisms in information systems. Security model security is one of most important the aspects of CISSP training course.


The Bell-LaPadula model was the first formal confidentiality model of a mandatory access control system. It was developed for the U.S. Department of Defense (DoD) to formalize the DoD multilevel security policy. The DoD classifies information based on sensitivity at three basic levels: Confidential, Secret, and Top Secret.

In this system, users use the system with different approvals and the system processes the data at different classification levels. The Bell-LaPadula model was a mathematical model.

Three main rules are used and enforced in the Bell-LaPadula model:

  • Simple Security Role: A subject at a given security level cannot read data that resides at a higher security level. This model is also known by other names. Including: Simple Security Property, SS Property, no read up (NRU).
  • *-property (star property) rule: This model is also known as “no write down (NWD)”.
  • Strong star property rule: A subject who has read and write capabilities can only perform both of those functions only at the same security level; no higher and no lower.

ITperfection-Server room-Computer Networking Computer Networking ITperfection-Data-Secuirty-Network-Security-Cyber Computer Networking Cyber Security Support Hack-Network Security-HIPPA, CISSP- IT security-Data security-IT service provider- Networking- CISSP-CEH


This model (sometimes referred to as Bell-LaPadula upside down) is a security model that only addresses the integrity of data within a system. The Biba model uses integrity levels to prevent data at any integrity level from flowing to a higher integrity level.

Biba has three main rules to provide this type of protection:

  • *-integrity axiom: A subject cannot write data to an object at a higher integrity level
  • Simple integrity axiom: A subject cannot read data from a lower integrity level
  • Invocation property: A subject cannot invoke service at higher integrity

Clark-Wilson Model

This model integrity model establishes a security framework for use in commercial activities, such as the banking industry.

This model uses the following elements:

  • Users: Active agents
  • Transformation procedures (TPs): Programmed abstract operations, such as read, write and modify and in fact, it Maintains integrity of CDIs.
  • Constrained data items (CDIs): Data inside the control area. It can be manipulated only by TPs.
  • Unconstrained data items (UDIs): Data outside the control area, such as input data. It can be manipulated by users by primitive read and write operations.
  • Integrity verification procedures (IVPs): Check the consistency of CDIs with external reality.

Non-interference Model

This model ensures that the actions of different objects and subjects aren’t seen by (and don’t interfere with) other objects and subjects on the same system.. By implementing this model, the organization can be assured that covert channel communication does not occur because the information cannot cross

A covert channel is a policy-violating communication that is hidden from the owner or users of a data system.

Brewer and Nash Model

The main goal of this model is to protect against conflicts of interest by users’ access attempts. This model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset. The Brewer and Nash models are also known as the Chinese wall model.

Graham-Denning Model

This model is based on three parts: objects, subjects, and rules. There are eight rules:

  1. Transfer Access
  2. Grant Access
  3. Delete Access
  4. Read Object
  5. Create Object
  6. Destroy Object
  7. Create Subject
  8. Destroy Subject

Harrison-Ruzzo-Ullman (HRU) Model

(HRU) Model maps subjects, objects, and access rights to an access matrix. This model has six primitive operations:

  • Create object
  • Create subject
  • Destroy subject
  • Destroy object
  • Enter right into access matrix
  • Delete right from access matrix

Go CISSP’s Home