Security Models and Security Policies

Explain Introduction.

Explain The Bell-LaPadula Model.

Explain The Biba Integrity Model.

Explain The Clark-Wilson Integrity Model.

This is the domain of security models and security policies.

Security models are formal, often mathematical descriptions of security properties that a system must satisfy.

They provide the conceptual framework that underlies access control implementations: the rules that determine who can read, write, execute, or otherwise interact with system…

This is the domain of security models and security policies.

Security models are formal, often mathematical descriptions of security properties that a system must satisfy.

They provide the conceptual framework that underlies access control implementations: the rules that determine who can read, write, execute, or otherwise interact with system…

Security policies are the organizational expression of security requirements: written documents that define rules of behavior, acceptable use, and operational procedures.

The Bell-LaPadula (BLP) model , developed by David Bell and Leonard LaPadula for the U.S.

Department of Defense in the 1970s, is a formal mathematical model focused on confidentiality .

It is designed for environments where information must be strictly controlled based on classification levels (e.g., Unclassified, Confidential, Secret, Top Secret) — a multilevel…

BLP defines two core security properties: 1.

The Biba model , developed by Kenneth Biba in 1977, is the logical complement to Bell-LaPadula, focusing on integrity rather than confidentiality.

It uses a similar structure of subjects with integrity levels and objects with integrity levels, but with inverted rules: 1.

Simple Integrity Property ("no read down") : A subject may not read objects with a lower integrity level.

A high-integrity process should not read data from an untrusted (low-integrity) source, as it could corrupt the high-integrity process's operations or conclusions.

The Clark-Wilson model , proposed by David Clark and David Wilson in 1987, takes a different approach to integrity, grounded in commercial business practices rather than military…

It recognizes that integrity in a business context means something specific: data should only be modified through authorized, auditable procedures that maintain internal…

The model introduces several key concepts: - Constrained Data Items (CDIs) : Data items whose integrity must be maintained (e.g., account balances, medical records).

- Unconstrained Data Items (UDIs) : Input data that has not yet been validated (user input, external data).

The Brewer-Nash model , proposed by David Brewer and Michael Nash in 1989, addresses conflicts of interest in commercial consulting and financial contexts.

The classic scenario: a consulting firm works for multiple competing clients in the same industry, such as competing investment banks.

Consultants who have accessed information about one bank should not be able to access information about competing banks.

The model introduces conflict of interest classes : groups of companies whose information should be kept separate.

In Discretionary Access Control (DAC) , the owner of a resource controls access to it.

DAC is flexible and intuitive, but it has a fundamental weakness: once a subject has been granted access, they may be able to pass that access to others (through copying files,…

This creates the Trojan horse problem : malware running as a user with read access to a file can exfiltrate that file.

DAC provides no protection against compromised subjects acting within their authorized permissions.

In Mandatory Access Control (MAC) , access control is determined by system policy rather than resource owners' discretion.

The system assigns security labels (classifications) to both subjects (clearance levels) and objects (sensitivity levels), and access decisions are enforced by the operating…

MAC systems implement the Bell-LaPadula model (or variants of it) in practice.

Users cannot override MAC policies — they cannot share files across classification levels even if they want to.

Role-Based Access Control (RBAC) is the most widely used access control model in enterprise environments.

Rather than assigning permissions directly to individual users, RBAC assigns permissions to roles (job functions — database administrator, help desk agent, payroll clerk,…

This abstraction provides several important security benefits: - Least privilege : Users can be assigned to roles that provide only the permissions needed for their job function.

- Separation of duties : Sensitive functions can be distributed across multiple roles that no single user holds simultaneously (e.g., the role that creates a vendor cannot also be…

Attribute-Based Access Control (ABAC) is a more expressive and flexible model in which access decisions are made based on a set of attributes associated with the subject (user),…

ABAC is significantly more powerful than RBAC — it can express fine-grained, context-sensitive policies that RBAC cannot easily represent — but it is more complex to manage and…

ABAC is implemented through policy languages like XACML (eXtensible Access Control Markup Language) and is increasingly used in cloud platforms (AWS IAM policies are essentially…

No implicit trust : No user, device, or network location is inherently trusted, regardless of whether they are "inside" the network.

Verify explicitly : All access must be authenticated and authorized using all available signals: user identity, device health, location, time, behavior analytics.

Least privilege access : Provide the minimum access necessary for the task, for the minimum necessary duration.

Assume breach : Design and operate as if the attacker is already inside.

The NIST Special Publication 800-207 (Zero Trust Architecture) provides the authoritative framework.

Key components include: - Strong Identity Verification : MFA, certificate-based device authentication, identity governance.

- Device Health Verification : Continuous compliance checking (OS patch level, EDR presence, disk encryption) before granting access.

- Microsegmentation : Network is divided into small segments, each requiring explicit authorization to cross.

Defense in depth is a security principle derived from military strategy: rather than relying on any single security control, implement multiple independent layers of security such…

A firewall and a WAF are both "security controls," but they address different threats and should both be present.

Defense in Depth connects to risk, controls, and evidence.

A security policy is a formal document that expresses an organization's security requirements, rules, and expected behaviors.

Policies provide the bridge between abstract security objectives and concrete operational practices.

They communicate management's commitment to security, establish standards that technical controls implement, and provide the baseline for compliance and enforcement.

A policy document has three essential attributes: 1.

Acceptable Use Policy (AUP) : Defines what constitutes acceptable and unacceptable use of organizational IT resources (computers, email, internet, cloud services).

Every employee should acknowledge the AUP as part of onboarding.

Key elements: authorized purposes, prohibited content/activities, monitoring notice, consequences for violations.

Password Policy : Defines requirements for password creation (length, complexity), management (not reusing passwords, not sharing), and storage.

Security policies are not written once and forgotten — they require ongoing care: 1.

Identify Need : What risk or compliance requirement is driving this policy?

What behavior is it intended to govern?

Draft : Working group involving security, legal, HR, business stakeholders.

The NIST Cybersecurity Framework (CSF) , first published in 2014 and updated as CSF 2.0 in 2024, provides voluntary guidance for organizations to manage and reduce cybersecurity…

The framework is voluntary but has been widely adopted and referenced in U.S.

government contracts and regulatory guidance.

The NIST CSF uses the concept of Implementation Tiers (1-4, from Partial to Adaptive) to characterize the maturity of an organization's risk management practices, and Profiles to…

ISO/IEC 27001 is an international standard for Information Security Management Systems (ISMS) .

Unlike NIST CSF, which is a flexible framework, ISO 27001 is a formal standard against which organizations can be certified through independent audits.

Certification demonstrates to customers, partners, and regulators that the organization has a systematic, documented, and continuously improving information security management…

ISO 27001 specifies requirements for establishing, implementing, maintaining, and continuously improving an ISMS.

The CIS Critical Security Controls (CIS Controls) , maintained by the Center for Internet Security, are a prioritized set of 18 security controls derived from analysis of the most…

They are organized into three Implementation Groups (IGs) of increasing maturity: - IG1 (Basic Cyber Hygiene) : Controls 1-6, addressing inventory, patching, access control, and…

- IG2 (Expanded) : IG1 plus additional controls for organizations with more resources and greater risk.

- IG3 (Organizational) : The full set, for organizations facing sophisticated threats.

An important — and frequently misunderstood — distinction: compliance is not security .

Compliance means meeting the requirements of a specific standard, regulation, or framework at a specific point in time.

Security means actually reducing risk effectively.

The two often overlap but are not identical.

Security governance refers to the framework of leadership, organizational structures, accountability, and processes through which security decisions are made and enforced.

Key elements include: - Chief Information Security Officer (CISO) : Executive ownership of the security program, reporting to the CEO or Board.

- Security Steering Committee : Cross-functional body (IT, legal, HR, business units, finance) providing oversight and aligning security with business objectives.

- Risk Management : Formal processes for identifying, assessing, treating, and monitoring information security risk, integrated with enterprise risk management.

Introduction

The Bell-LaPadula Model

The Biba Integrity Model

The Clark-Wilson Integrity Model

Where Introduction applies.

Where The Bell-LaPadula Model applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Security Models and Security Policies

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.