Fundamental Concepts of Security Models & how they work

A security model in an information system is the set of procedures used to evaluate and authenticate security policies. It maps the intellectual goals of the policy to an information system by specifying the explicit data structures and techniques necessary to implement the security policy. A security model is usually expressed in mathematical and analytical terms, which are mapped to system specifications and then implemented by programmers in code. Several security models have been developed to enforce security policies. The following sections cover the fundamental concepts of security models that a CISSP candidate must be familiar with.

Bell-LaPadula Model

The Bell-LaPadula model works with a multilevel security system. In such a system, users with different approvals (clearances) use the same system, and the system processes data at different classification levels. The Bell-LaPadula model was the first mathematical model, and it was developed in the 1970s to prevent secret information from being accessed in an unauthorized manner.

Three main rules are used and enforced in the Bell-LaPadula model:

  • Simple security rule

It states that a subject at a given security level cannot read data that resides at a higher security level.

  • *-property (star property) rule

It states that a subject at a given security level cannot write information to a lower security level.

  • Strong star property rule

It states that a subject who has read and write capabilities can only perform both of the functions at the same security level; nothing higher and nothing lower.

So, for a subject to be able to both read and write to an object, the subject’s approval and the object’s classification must be equal.

Biba Model

The Biba model is a security model that addresses the integrity of data within a system. It is not concerned with security levels and confidentiality. The Biba model uses integrity levels to prevent data at any integrity level from flowing to a higher integrity level.

Biba has three main rules to provide this type of protection:

  • The * (star) integrity axiom

The subject cannot write data to an object at a higher integrity level.

  • The simple integrity axiom

The subject cannot read data from a lower integrity level.

  • The invocation property

The subject cannot invoke a service at a higher integrity level.
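
The Bell-LaPadula and Biba rules above mirror each other, which is easiest to see when both are written as checks over the same ordered levels. The following is an added example, not code from the original page; the three level names, the operation strings and the function names are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    """Constructed three-step ordering; the page names no specific levels."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: the levels are confidentiality levels."""
    if op == "read":          # simple security rule: no read up
        return subject >= obj
    if op == "write":         # *-property: no write down
        return subject <= obj
    if op == "read_write":    # strong star property: same level only
        return subject == obj
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: the same ordering, read as integrity levels."""
    if op == "read":          # simple integrity axiom: no read down
        return subject <= obj
    if op == "write":         # * integrity axiom: no write up
        return subject >= obj
    if op == "invoke":        # invocation property: no invoking upward
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")

def permitted(model, op: str) -> set:
    """All (subject, object) level pairs for which `model` permits `op`."""
    return {(s.name, o.name) for s in Level for o in Level if model(s, o, op)}

def both_allow(op: str) -> set:
    """Pairs permitted by both models when one label is used for
    confidentiality and integrity at once (an assumption of this example)."""
    return permitted(blp_allows, op) & permitted(biba_allows, op)
```

When a single label is enforced under both models, `both_allow("read")` and `both_allow("write")` shrink to same-level pairs only, which is why systems that need both properties usually keep separate confidentiality and integrity labels.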

Clark-Wilson Model

The Clark-Wilson model was developed after Biba and has different methods of protecting the integrity of information.

This model uses the following elements:

  • Users: Active agents
  • Transformation procedures (TPs): Programmed abstract operations, such as read, write and modify
  • Constrained data items (CDIs): Can be manipulated only by TPs
  • Unconstrained data items (UDIs): Can be manipulated by users by primitive read and write operations
  • Integrity verification procedures (IVPs): Check the consistency of CDIs with external reality.
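
How the Clark-Wilson elements fit together, shown on a small ledger. This is an added example, not code from the original page; the account names, the `Ledger` class and the (user, TP) authorisation set are assumptions made for illustration.

```python
class IntegrityError(Exception):
    """Raised when a TP would leave the CDIs in an invalid state."""

class Ledger:
    def __init__(self, balances, authorised):
        self._cdi = dict(balances)            # CDIs: account balances
        self._total = sum(balances.values())  # invariant checked by the IVP
        self._authorised = set(authorised)    # (user, TP name) pairs, an assumption
        self.audit = []                       # record of every completed TP run

    def balance(self, account):
        return self._cdi[account]

    def ivp(self):
        """IVP: no negative balance and the total matches the opening total."""
        values = self._cdi.values()
        return all(v >= 0 for v in values) and sum(values) == self._total

    def transfer(self, user, src, dst, raw_amount):
        """TP: the only path by which the CDIs change."""
        if (user, "transfer") not in self._authorised:
            raise PermissionError(f"{user} may not run transfer")
        try:
            amount = int(raw_amount)          # raw_amount is a UDI until validated
        except ValueError:
            raise IntegrityError("amount is not a number") from None
        if amount <= 0 or src == dst or self._cdi[src] < amount:
            raise IntegrityError("transfer would break the ledger invariant")
        self._cdi[src] -= amount
        self._cdi[dst] += amount
        self.audit.append((user, src, dst, amount))
        if not self.ivp():
            raise IntegrityError("IVP failed after transfer")

def demo():
    """Constructed data: alice is the only user bound to the transfer TP."""
    ledger = Ledger({"ops": 100, "payroll": 50}, {("alice", "transfer")})
    ledger.transfer("alice", "ops", "payroll", "30")
    return ledger
```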

Non-interference Model

The non-interference model ensures that data in different security domains do not interfere with one another. By implementing this model, the organization can be assured that covert channel communication does not occur because the information cannot cross security boundaries. Each data access attempt is independent and has no connection with any other data access attempt. A covert channel is a policy-violating communication that is hidden from the owner or users of a data system.

Brewer and Nash Model

The Brewer and Nash model is also known as the Chinese Wall model. It states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset. It was created to provide access controls that can change dynamically depending upon a user’s previous actions. The main goal of this model is to protect against conflicts of interest arising from users’ access attempts.
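
A history-based check that shows how Brewer and Nash decisions change with a user's previous actions. This is an added example, not code from the original page; it goes beyond the page by also modelling the read rule with conflict-of-interest classes, it treats "can read" in the write rule as "has already read", and the dataset and subject names are constructed.

```python
class ChineseWall:
    def __init__(self, coi_class):
        self.coi_class = coi_class   # dataset -> conflict-of-interest class
        self.history = {}            # subject -> datasets already read

    def can_read(self, subject, dataset):
        """Deny a dataset that competes with one the subject has already read."""
        for seen in self.history.get(subject, set()):
            if seen != dataset and self.coi_class[seen] == self.coi_class[dataset]:
                return False
        return True

    def read(self, subject, dataset):
        """Perform a read and record it, so later decisions depend on it."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, dataset):
        """The page's write rule: allowed only while the subject holds
        no read access to any other dataset (assumption: 'has read')."""
        others = self.history.get(subject, set()) - {dataset}
        return self.can_read(subject, dataset) and not others

def demo():
    """Constructed datasets: two competing banks and one oil company."""
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilX": "oil"})
    decisions = [
        wall.read("ann", "BankA"),       # first access, nothing to conflict with
        wall.can_write("ann", "BankA"),  # only BankA read so far
        wall.read("ann", "BankB"),       # competitor of BankA
        wall.read("ann", "OilX"),        # different conflict class
        wall.can_write("ann", "BankA"),  # OilX data could now leak into BankA
    ]
    return wall, decisions
```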

Graham-Denning Model

The Graham-Denning Model is based on three parts: objects, subjects, and rules. It provides a more granular approach for interaction between subjects and objects.

There are eight rules:

  • Rule 1: Transfer Access
  • Rule 2: Grant Access
  • Rule 3: Delete Access
  • Rule 4: Read Object
  • Rule 5: Create Object
  • Rule 6: Destroy Object
  • Rule 7: Create Subject
  • Rule 8: Destroy Subject

Harrison-Ruzzo-Ullman Model

The Harrison-Ruzzo-Ullman (HRU) Model maps subjects, objects, and access rights to an access matrix. It is considered a variation of the Graham-Denning Model.

HRU has six primitive operations:

  • Creates object
  • Creates subject
  • Destroys subject
  • Destroys object
  • Enters right into access matrix
  • Deletes right from access matrix

Additionally, HRU’s operations differ from Graham-Denning’s because HRU treats a subject as an object.
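
The six primitive operations over an access matrix in which every subject is also an object. This is an added example, not code from the original page; it goes beyond the page by composing the primitives into two commands, and the right names ("own", "read", "signal"), the command functions and the subject names are assumptions made for illustration.

```python
class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()   # every subject is also listed as an object
        self.rights = {}       # (subject, object) -> set of rights

    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self._drop(s)

    def destroy_object(self, o):
        if o not in self.subjects:   # subjects go through destroy_subject
            self._drop(o)

    def enter(self, right, s, o):
        if s in self.subjects and o in self.objects:
            self.rights.setdefault((s, o), set()).add(right)

    def delete(self, right, s, o):
        self.rights.get((s, o), set()).discard(right)

    def has(self, right, s, o):
        return right in self.rights.get((s, o), set())

    def _drop(self, name):
        """Remove the column for `name` and, if it was a subject, its row."""
        self.objects.discard(name)
        self.rights = {k: v for k, v in self.rights.items() if name not in k}

def cmd_create_file(m, s, f):
    """Command: s creates f and becomes its owner."""
    m.create_object(f)
    m.enter("own", s, f)
    m.enter("read", s, f)

def cmd_grant_read(m, owner, other, f):
    """Command: runs its primitive only if the condition on the matrix holds."""
    if not m.has("own", owner, f):
        return False
    m.enter("read", other, f)
    return True
```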


In an information security environment, a security model is a collection of methods and techniques to authenticate the security policies of an enterprise. A security model provides precise controls to enforce the fundamental security concepts and monitor the processes. Depending on its needs, an organization can apply an existing security model or make explicit changes to one to create a new, customized model based on its particular requirements. These models can be abstract or intuitive.

