CISSP · Security Architecture and Engineering · 10 min read · 16 May 2026
Security Models: Bell-LaPadula, Biba, Clark-Wilson, and When to Use Each
Formal security models are mathematical or conceptual frameworks that define how security properties (confidentiality, integrity) are enforced in a system. For the CISSP exam, security models are tested in Domain 3 at the level of: what property does each model protect, what are its rules, and in what context is each model most appropriately applied? The exam will present scenarios and ask you to identify which model is being described or which model is most appropriate.
Why Formal Security Models Matter
Formal security models emerged from the need to provide provable security guarantees for government and military information systems. Rather than relying on informal design decisions, formal models specify precise rules about information flow and access. These rules can be mathematically verified to ensure that the model achieves its intended security property.
For the CISSP, the practical importance is context mapping: government environments primarily need confidentiality (military information must not reach unauthorised parties), while commercial environments primarily need integrity (financial records must be accurate and unmodified). Different models address different properties and are appropriate in different contexts.
Bell-LaPadula Model: Confidentiality for Government
The Bell-LaPadula (BLP) model was developed in the early 1970s by David Bell and Leonard LaPadula for the US Department of Defense. Its purpose is to protect confidentiality in multi-level security systems — systems where users have different clearance levels and data has different classification levels.
Bell-LaPadula defines two primary rules:
The Simple Security Property (no read up, or "ss-property") states that a subject cannot read data at a higher classification level than their clearance. A user with Secret clearance cannot read Top Secret data. This prevents lower-cleared users from accessing sensitive information they are not authorised to see.
The Star Property (no write down, or "*-property") states that a subject cannot write data to a lower classification level than their clearance. A user with Top Secret clearance cannot write data to a Secret or Confidential file. This prevents the covert downgrading of sensitive information — a user could not copy Top Secret content into an Unclassified document.
The Discretionary Security Property states that access is also governed by an access control matrix that specifies who can access what, in addition to the mandatory rules above.
The BLP model enforces confidentiality but deliberately does not address integrity. A Top Secret user can write anything (even corrupted data) to Top Secret files as long as the classification rules are not violated. This is appropriate for government environments where the primary concern is preventing disclosure, not ensuring accuracy.
For the exam: Bell-LaPadula = confidentiality = government/military context. The two rules are "no read up" (cannot read higher classification) and "no write down" (cannot write to lower classification). Remember both rules and their names.
Biba Model: Integrity for Commercial Use
The Biba model was developed in 1977 by Kenneth Biba as the integrity complement to Bell-LaPadula. Where Bell-LaPadula prevents unauthorised disclosure, Biba prevents unauthorised modification.
Biba defines two primary rules that are the inverse of Bell-LaPadula's:
The Simple Integrity Property (no read down) states that a subject cannot read data at a lower integrity level than their own. A high-integrity user or process cannot read low-integrity data (because reading corrupt or untrusted data could contaminate their outputs). A production database server should not read from an untrusted external source because doing so could introduce corrupted data.
The Star Integrity Property (no write up) states that a subject cannot write data to a higher integrity level than their own. A low-integrity user cannot write to a high-integrity resource. This prevents a less trusted subject from corrupting higher-trust data.
Biba enforces integrity but ignores confidentiality. A low-integrity subject might be able to read high-integrity data (which Biba permits) but cannot write to it.
For the exam: Biba = integrity = commercial/financial context. The rules are the inverse of Bell-LaPadula. "No read down" (cannot read lower-integrity data) and "no write up" (cannot write to higher-integrity data).
A memory aid: Bell-LaPadula thinks like a spy (protect secrets from leaking down). Biba thinks like an accountant (do not let dirty data contaminate clean data).
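As an added illustration (not part of the original article), the following Python encodes the two mandatory rules of each model as a tiny reference monitor over constructed level orderings; it serves both the Bell-LaPadula and the Biba sections above. The discretionary access matrix that BLP also requires is left out, and under the strict *-property a lower-cleared subject writing to a higher level is allowed (a "blind write up"), which is exactly the integrity gap the text describes.

```python
from typing import Dict

# Constructed orderings: a higher index is a higher level.
CLASSIFICATION = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}


def blp_allows(clearance: str, classification: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = CLASSIFICATION[clearance], CLASSIFICATION[classification]
    if op == "read":
        return s >= o  # simple security property: clearance must dominate the object
    if op == "write":
        return s <= o  # *-property: the object must dominate the writer's clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity): no read down, no write up, the inverse of BLP."""
    s, o = INTEGRITY[subject_level], INTEGRITY[object_level]
    if op == "read":
        return s <= o  # simple integrity property: read only from equal or higher integrity
    if op == "write":
        return s >= o  # *-integrity property: write only to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")


def article_cases() -> Dict[str, bool]:
    """Decisions for the scenarios the article uses; False means the monitor denies."""
    return {
        "Secret user reads Top Secret (BLP)": blp_allows("Secret", "Top Secret", "read"),
        "Top Secret user writes Secret (BLP)": blp_allows("Top Secret", "Secret", "write"),
        "Top Secret user writes Top Secret (BLP)": blp_allows("Top Secret", "Top Secret", "write"),
        "Confidential user writes Top Secret (BLP)": blp_allows("Confidential", "Top Secret", "write"),
        "High-integrity process reads Low (Biba)": biba_allows("High", "Low", "read"),
        "Low-integrity user writes High (Biba)": biba_allows("Low", "High", "write"),
        "Low-integrity user reads High (Biba)": biba_allows("Low", "High", "read"),
    }
```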
Clark-Wilson Model: Commercial Integrity Through Transactions
The Clark-Wilson model was developed in 1987 by David Clark and David Wilson specifically to address the integrity requirements of commercial systems, where the concern is that data is modified only through well-defined, authorised transactions rather than arbitrary writes.
Clark-Wilson uses different terminology than Bell-LaPadula and Biba:
Constrained Data Items (CDIs) are data elements that must maintain integrity — financial records, medical records, production databases.
Unconstrained Data Items (UDIs) are data that is not subject to integrity constraints — user input, data from external sources.
Integrity Verification Procedures (IVPs) are routines that verify the integrity of CDIs — checksums, hash verifications, data validation procedures.
Transformation Procedures (TPs) are the only authorised means of modifying CDIs. A TP ensures that any modification maintains the internal consistency of the data. For example, a bank transfer TP that debits one account and credits another ensures the sum of all accounts remains constant.
The Clark-Wilson model enforces integrity through two mechanisms: well-formed transactions (data can only be modified by authorised procedures that maintain consistency) and separation of duties (no single user can complete a sensitive transaction alone).
For the exam: Clark-Wilson = commercial integrity = data modified only through authorised transactions. It is the model that best represents how commercial databases and financial systems actually work.
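The bank-transfer example above, worked through in Python as an added example (not code from the article): account balances are the CDIs, the raw request dictionary is the UDI, transfer() is the only TP, and ivp_ledger_consistent() is the IVP run before and after the TP. The user names, balances and the authorisation table are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


class IntegrityError(Exception):
    """A request would violate a Clark-Wilson rule."""


@dataclass
class Ledger:
    accounts: Dict[str, int]          # CDIs: balances in cents
    expected_total: int               # invariant the IVP verifies
    # Constructed authorisation table: which users may invoke which procedure.
    permitted: Dict[str, Set[str]] = field(
        default_factory=lambda: {"alice": {"transfer"}, "carol": {"approve"}})
    def ivp_ledger_consistent(self) -> bool:
        """IVP: money is conserved and no account is overdrawn."""
        return (sum(self.accounts.values()) == self.expected_total
                and all(v >= 0 for v in self.accounts.values()))

    def transfer(self, udi: dict, requester: str, approver: str) -> None:
        """TP: the only code path that is allowed to modify account CDIs."""
        if "transfer" not in self.permitted.get(requester, set()):
            raise IntegrityError(f"{requester} may not invoke transfer")
        if requester == approver or "approve" not in self.permitted.get(approver, set()):
            raise IntegrityError("separation of duties: a distinct authorised approver is required")
        try:  # validate the UDI before it touches any CDI
            src, dst, amount = udi["from"], udi["to"], int(udi["amount"])
        except (KeyError, TypeError, ValueError) as exc:
            raise IntegrityError(f"malformed request: {exc}") from exc
        if amount <= 0 or src == dst or dst not in self.accounts or self.accounts.get(src, -1) < amount:
            raise IntegrityError("request fails validation or insufficient funds")
        if not self.ivp_ledger_consistent():
            raise IntegrityError("ledger inconsistent before TP")
        self.accounts[src] -= amount  # debit and credit together: the sum stays constant
        self.accounts[dst] += amount
        if not self.ivp_ledger_consistent():
            raise IntegrityError("ledger inconsistent after TP")


def attempt_transfer(ledger: Ledger, udi: dict, requester: str, approver: str) -> bool:
    try:  # report whether the TP accepted the request
        ledger.transfer(udi, requester, approver)
        return True
    except IntegrityError:
        return False


def new_ledger() -> Ledger:
    return Ledger({"acct-1": 10_000, "acct-2": 5_000}, expected_total=15_000)  # constructed
```

Any write to the balances that bypasses transfer() is caught by the next IVP run, which is the point of separating CDIs from the procedures allowed to touch them.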
Brewer-Nash Model: Conflict of Interest (Chinese Wall)
The Brewer-Nash model (informally called the Chinese Wall model) addresses conflict of interest in environments where the same individuals or systems could access data from competing organisations. It was developed for consulting and financial advisory contexts.
The core rule: once a subject accesses data from a company in a competitive group (for example, Company A in the oil sector), they are barred from accessing data from any competing company in the same group (Company B in the oil sector). This dynamically updated access restriction prevents a consultant from using information gained from one client to advantage a competing client.
For the exam: Brewer-Nash = conflict of interest = consulting/financial advisory context. It is appropriate when the scenario involves competitive organisations and preventing information cross-contamination.
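The dynamic rule described above, as an added example in Python (not code from the article): each object belongs to a company, each company to a conflict-of-interest class, and a subject's access history decides later requests. The company names and classes are constructed for the demonstration.

```python
from typing import Dict, List, Set

# Constructed dataset: company -> conflict-of-interest class.
COMPANY_CLASS = {"OilCo-A": "oil", "OilCo-B": "oil", "Bank-X": "banking", "Bank-Y": "banking"}


class ChineseWall:
    """Brewer-Nash monitor: access rights change as a subject's history grows."""

    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = {}  # subject -> companies already accessed

    def may_read(self, subject: str, company: str) -> bool:
        """Allowed unless the subject already accessed a competitor in the same class."""
        seen = self.history.get(subject, set())
        if company in seen:
            return True  # the same company again creates no new conflict
        competitors = {c for c in seen if COMPANY_CLASS[c] == COMPANY_CLASS[company]}
        return not competitors

    def read(self, subject: str, company: str) -> bool:
        """Apply the check and, on success, record the access so it shapes future decisions."""
        if not self.may_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def consultant_session() -> List[bool]:
    """The scenario from the text: one consultant touching competing clients."""
    wall = ChineseWall()
    return [
        wall.read("consultant", "OilCo-A"),  # first oil-sector client: allowed
        wall.read("consultant", "Bank-X"),   # different conflict class: allowed
        wall.read("consultant", "OilCo-B"),  # competitor of OilCo-A: denied
        wall.read("consultant", "OilCo-A"),  # same client again: allowed
        wall.read("consultant", "Bank-Y"),   # competitor of Bank-X: denied
    ]
```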
State Machine Model and Information Flow Model
Two additional models appear less frequently but are worth knowing.
The State Machine model considers a system's security in terms of its states. A secure system must be in a secure state at all times, and every state transition must result in another secure state. If any transition could lead to an insecure state, the system is not secure. This model underpins Bell-LaPadula and Biba.
The Information Flow model focuses on controlling how information flows between subjects and objects, ensuring that information does not flow in ways that violate security policy. Both Bell-LaPadula (no flow from high to low) and Biba (no flow from low to high) are information flow models.
Exam Pattern: Matching Scenarios to the Correct Model
The exam will describe a security requirement or context and ask which model is most appropriate, or describe a model's rules and ask which model is being described.
Government or military context with classification levels → Bell-LaPadula (confidentiality focus).
Commercial or financial context with accuracy and integrity requirements → Biba or Clark-Wilson (integrity focus). Biba is more appropriate for systems with integrity levels; Clark-Wilson is more appropriate for transaction-based systems.
Consulting, investment banking, or advisory context with competitive clients → Brewer-Nash (conflict of interest).
If the question describes a rule like "users cannot read data at a higher level" → Bell-LaPadula's Simple Security Property. If it says "users cannot write to a higher level" → Biba's Star Integrity Property.
Exam Tip
Government = Bell-LaPadula (confidentiality, no read up, no write down). Commercial = Biba or Clark-Wilson (integrity). Brewer-Nash = conflict of interest. The exam tests context matching — always identify the primary security property being protected (confidentiality vs integrity) and the operational context (government vs commercial vs advisory) before selecting a model.