
L02 - IS - Security Models


Security Models

website: https://www.geeksforgeeks.org/introduction-to-classic-security-models/

Introduction To Security Models

These models are used for maintaining the goals of security, i.e. Confidentiality, Integrity, and Availability. In
simple words, they deal with maintaining the CIA Triad. There are 3 main types of Classic Security Models.

• Bell-LaPadula
• Biba
• Clark-Wilson Security Model

1. Bell-LaPadula

This model was invented by the scientists David Elliot Bell and Leonard J. LaPadula, and is therefore
called the Bell-LaPadula Model. It is used to maintain the Confidentiality of Security. Here, the
classification of Subjects (Users) and Objects (Files) is organized in a non-discretionary fashion, with
respect to different layers of secrecy.

It has mainly 3 Rules:

• SIMPLE CONFIDENTIALITY RULE: The Simple Confidentiality Rule states that the Subject can
only Read the files on the Same Layer of Secrecy and the Lower Layer of Secrecy but not the Upper
Layer of Secrecy, which is why this rule is called NO READ-UP.

• STAR CONFIDENTIALITY RULE: The Star Confidentiality Rule states that the Subject can
only Write the files on the Same Layer of Secrecy and the Upper Layer of Secrecy but not the Lower
Layer of Secrecy, which is why this rule is called NO WRITE-DOWN.

• STRONG STAR CONFIDENTIALITY RULE: The Strong Star Confidentiality Rule is highly secured and
the strongest. It states that the Subject can Read and Write the files on the Same Layer of Secrecy
only and not the Upper Layer of Secrecy or the Lower Layer of Secrecy, which is why this
rule is called NO READ WRITE UP DOWN.

2. Biba

This model was invented by the scientist Kenneth J. Biba and is therefore called the Biba Model. It is used
to maintain the Integrity of Security. Here, the classification of Subjects (Users) and Objects (Files) is
organized in a non-discretionary fashion, with respect to different layers of secrecy. This works the exact
reverse of the Bell-LaPadula Model.

It has mainly 3 Rules:

• SIMPLE INTEGRITY RULE: The Simple Integrity Rule states that the Subject can only Read the files on
the Same Layer of Secrecy and the Upper Layer of Secrecy but not the Lower Layer of Secrecy, which
is why this rule is called NO READ DOWN.

• STAR INTEGRITY RULE: The Star Integrity Rule states that the Subject can only Write the files on the
Same Layer of Secrecy and the Lower Layer of Secrecy but not the Upper Layer of Secrecy, which
is why this rule is called NO WRITE-UP.

• STRONG STAR INTEGRITY RULE: This rule is called the NO READ-WRITE UP DOWN rule because
the user can read and write the files on the same layer of secrecy only but cannot read and write
the files on the upper or lower layer of secrecy.
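
The Bell-LaPadula and Biba rules above, written as access checks in an added Python example (not code from the source pages). The layer names and the request log are constructed for illustration; the last function goes one step beyond the text and shows that enforcing both models on a single set of labels leaves only same-layer access.

```python
from enum import IntEnum
from itertools import product


class Layer(IntEnum):
    """Constructed layers, lowest to highest (names are assumptions)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def _check_op(op):
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op!r}")


def blp_decision(subject, obj, op, strong=False):
    """Bell-LaPadula (confidentiality). Returns (allowed, violated rule)."""
    _check_op(op)
    if strong and obj != subject:
        return False, "NO READ WRITE UP DOWN"
    if op == "read" and obj > subject:
        return False, "NO READ-UP"
    if op == "write" and obj < subject:
        return False, "NO WRITE-DOWN"
    return True, None


def biba_decision(subject, obj, op, strong=False):
    """Biba (integrity): the same comparisons with the direction reversed."""
    _check_op(op)
    if strong and obj != subject:
        return False, "NO READ-WRITE UP DOWN"
    if op == "read" and obj < subject:
        return False, "NO READ DOWN"
    if op == "write" and obj > subject:
        return False, "NO WRITE-UP"
    return True, None


def both_models_leave_same_layer_only():
    """True if BLP and Biba together permit exactly same-layer access."""
    return all(
        (blp_decision(s, o, op)[0] and biba_decision(s, o, op)[0]) == (s == o)
        for s, o, op in product(Layer, Layer, ("read", "write"))
    )


# Constructed request log: (subject, subject layer, object, object layer, op)
REQUESTS = [
    ("analyst", Layer.SECRET, "audit_findings.txt", Layer.TOP_SECRET, "read"),
    ("analyst", Layer.SECRET, "design_review.txt", Layer.SECRET, "read"),
    ("analyst", Layer.SECRET, "newsletter.txt", Layer.PUBLIC, "write"),
    ("analyst", Layer.SECRET, "audit_findings.txt", Layer.TOP_SECRET, "write"),
]


def audit(requests, decide):
    """Apply one model to every request; rows are (who, op, object, allowed, rule)."""
    return [(who, op, name) + decide(s, o, op) for who, s, name, o, op in requests]


if __name__ == "__main__":
    for label, decide in (("BLP", blp_decision), ("Biba", biba_decision)):
        for who, op, name, allowed, rule in audit(REQUESTS, decide):
            print(f"{label:4} {who} {op:5} {name:20} "
                  f"{'ALLOW' if allowed else 'DENY: ' + rule}")
    print("BLP + Biba = same layer only:", both_models_leave_same_layer_only())
```
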

3. Clark-Wilson Security Model

This Model is a highly secured model. It has the following entities.

• SUBJECT: Any user who is requesting Data Items.

• CONSTRAINED DATA ITEMS: These cannot be accessed directly by the Subject. They need to be
accessed via the Clark-Wilson Security Model.

• UNCONSTRAINED DATA ITEMS: These can be accessed directly by the Subject.

The Components of Clark-Wilson Security Model

• TRANSFORMATION PROCESS: Here, the Subject’s request to access the Constrained Data Items
is handled by the Transformation Process, which converts it into permissions and then
forwards it to the Integration Verification Process.

• INTEGRATION VERIFICATION PROCESS: The Integration Verification Process
performs Authentication and Authorization. If that is successful, then the Subject is given access
to Constrained Data Items.

website: https://www.bartleby.com/subject/engineering/computer-science/concepts/types-of-security-models

Concept of security models

The security models are specifically defining the relationship of operating system performance with the
information security models. The effective and efficient security models secure the sensitive and relevant
information or data of the organizations. The security policy is verified by using the information security
models. They deliver a precise set of directions to the computer to follow the implementation of vital
security processes, procedures, and concepts contained in a security program. They define the security
concern in information threads.

Security models are used to evaluate and authenticate the security policy to map the intellectual
property of the information system. They are used to represent the mathematical and analytical ideas
that are developed by programmers. These ideas are mapped with the system specifications through
programming code.

These ideas maintain the goal of CIA property that is confidentiality, integrity, and availability. The CIA
properties are elaborated in detail.

Confidentiality

Confidentiality refers to protecting the data from unauthorized access. Only legitimate users can access
sensitive information. The main goal of confidentiality is to stop information from getting into the
wrong hands. There are many ways to secure data confidentiality such as use of strong passwords,
authentication, data encryption, segregation of data and so forth. Some common threats to
confidentiality are:

• Encryption cracking.
• Eavesdropping attack.
• Malicious insiders.
• Man-in-the-middle attack.

Integrity

Integrity is used to validate the information. It checks whether the information present is in correct
format or not. It also validates information that is true and correct to its original purposes. Integrity
ensures that the receiver's information is the same as the creator's information. The information can be
edited only by the legal person to prevent unwanted modification. There are no rights provided to
anyone to change or modify the data. In some cases, electromagnetic pulse (EMP) or server crashes are
responsible to break the integrity.

So, integrity ensures the accuracy, trustworthiness, and validity of data throughout its life cycle. It holds
value if it is truthful. There must be mechanisms to restore data in case of unintended changes. Some
challenges that could affect the integrity of information are:

• Physical compromise to device.
• Human error.

Data encryption and hashing are the mechanisms that are used to preserve integrity.

Availability

This implies that the network should be accessible to its users at all times. This holds true for both
systems and data. To ensure network availability, network administrators should maintain hardware,
perform regular upgrades, have a fail-over plan, and avoid bottlenecks. Attacks such as DoS or DDoS
can make a network unusable as the network's resources are depleted. Companies and users who rely
on the network as a business tool may suffer from a substantial impact. As a result, sufficient
precautions should be taken to avoid such attacks.

Threat to information availability occurs due to many reasons such as:

• Malicious Code.
• Insufficient bandwidth.
• DDOS (Distributed Denial of Service attack).

There are three main types of classic security models, namely:

1. Bell-LaPadula model
2. Biba model
3. Clark-Wilson Security model

Bell-LaPadula model

This model was invented by David Elliot Bell and Leonard J. LaPadula and is therefore
known as the Bell-LaPadula model. This model is used to ensure the confidentiality of information. It defines the
functions of a multilevel security system. It is the first mathematical model that prevents secret
information from being accessed in an unauthorized manner.

[Figure: Bell-LaPadula model]

In this picture, the user and the files are arranged in a non-discretionary manner concerning different
layers of secrecy.

It follows three types of basic rules:

• Simple confidentiality rule
• Star confidentiality rule
• Strong star confidentiality rule

Simple confidentiality rule

This rule is called the NO READ-UP rule because it states that the user can read only the files that are on
the same layer and lower layer of secrecy but cannot read the files on the upper layer of secrecy.

Star confidentiality rule

This rule is called the NO WRITE-DOWN rule because it states that the user can write the files on the
same layer of secrecy and upper layer of secrecy but cannot read the files on the lower layer of secrecy.

Strong star confidentiality rule

This rule is called NO READ WRITE UP DOWN because the user can only read and write the files on the
same layer of secrecy but cannot read and write the files on the upper layer of secrecy and the lower
layer of secrecy. This is the highly secured and strongest rule in Bell-LaPadula.

Biba model

The Biba model is named after its inventor, Kenneth J. Biba. This model is used to ensure the
integrity of information.

It follows 3 rules:

• Simple integrity rules
• Star integrity rules
• Strong star integrity rule

Simple integrity rules

This rule is called the NO READ-DOWN rule because the user can read the files only on the same layer
of secrecy and upper layer of secrecy but cannot read the files on the lower layer of secrecy.

Star integrity rule

This rule is called the NO WRITE-UP rule because users can read the files only on the same and lower
layer of secrecy but cannot read the files on the upper layer of secrecy.

Strong star integrity rule

This rule is called the NO READ-WRITE UP DOWN rule because the user can read and write the files on
the same layer of secrecy only but cannot read and write the files on the upper or lower layer of secrecy.
This rule is highly secured and is the strongest rule in Bell-LaPadula.

Clark-Wilson Security Model

This model provides the highest security to the security model. It has the following entities:

[Figure: Clark-Wilson Security Model]

Subject

It is the user who requests the data items.

Constrained data items

Users cannot access constrained data items directly. They are accessed according to the Clark-Wilson
Security Model.

Unconstrained data item

Users can access it directly.

The constrained data can be accessed by following processes:

1. Transformation process

The user can request constrained data items that are handled by the transformation process. The
process converts it into permission and then forwards it to the integration verification process.

2. Integration verification process

It performs authorization and authentication. If this verification is successful, then the user is given
access to the constrained data items.

Common Mistakes

There is a mistake in understanding the terms confidentiality and integrity. In simple language,
confidentiality defines that the information should not go to the wrong hands. Integrity shows data
validity. This means that only an authorized and legal person can access the authorized content or
information.

Sprinto website: https://sprinto.com/blog/types-of-security-models/

Table of Content
• What are security models?
• What is the objective of a security model?
• Types of security model
• Benefits of a security model

What are security models?


Information security models are systems that specify which people should have access to
data, and the operation of the operating system, which enables management to organize
access control. The models offer a mathematical mapping of theoretical goals, strengthening
the chosen implementation.

A security model may have no theoretical underpinnings, or it can be based on a formal
computing model, a distributed computation model, an access rights model, or even a
model of distributed computation.

What is the objective of a security model?


The core aim of any security model is to maintain the goals of Confidentiality, Integrity, and
Availability of data. It can achieve these goals by:

• Allowing admins to choose the resources to which users are allowed access.
• Verifying user identities with authentication mechanisms that incorporate password
strength and other variables.
• Allowing users who have been permitted to access resources provisioned and defined
by authorization systems.
• Regulating which functions and rights are given to accounts and users.
• Giving admins access to a user’s list of activities on a request or assignment basis.
• Safeguarding private data, such as account characteristics or user lists.

Types of security model


Since network and cyber security are continuously evolving domains, there have been
numerous security models proposed in the history of time. However, there are three classic
security models which serve as the foundation of many other models. Let’s have a look at
them in detail:

1. Bell-LaPadula

David Bell and Leonard LaPadula, pioneers in computer security, created the Bell-LaPadula
model, a lattice-based security concept, in the 1970s. The Bell-LaPadula model is a multilevel
security system. It establishes a set of access rules and security levels (such as Top Secret,
Secret, and Confidential) that specify how individuals may access objects at various security
levels.

Bell-LaPadula only allows users at or above their own security level to create content.
However, users are limited to seeing anything that is at or below their own security level.

When sensitive information has to be shielded from unwanted access, military and
government institutions commonly employ the Bell-LaPadula model. It is sometimes
employed in civil organizations, such as banks and hospitals, where a robust cyber security
architecture and data protection are vital.

Rules of the Bell-LaPadula model:

• SIMPLE Confidentiality Rule: Simple Confidentiality Rule specifies that the Subject
may only read documents protected by the same layer of secrecy and the lower layer
of secrecy, but not the upper layer of secrecy. For this reason, we refer to this rule as
NO READ-UP.

• STAR Confidentiality Rule: According to the Star Confidentiality Rule, the Subject
may only write files on the same layer of secrecy and the upper layer of secrecy, but
not the lower layer of secrecy. For this reason, the rule is known as NO WRITE-DOWN.

• STRONG STAR Confidentiality Rule: The Strong Star Confidentiality Rule is the
strongest and most secure, stating that the Subject may only read and write files on
the same layer of secrecy and not on an upper or lower layer of secrecy. Because of
this, the rule is known as NO READ WRITE-UP OR DOWN.

Significance of the Bell-LaPadula Security Model

Being among the earliest modern security models to be created, the Bell-LaPadula model is
important. This model has influenced the creation of many security models. The lattice-
based security model structure of the Bell-LaPadula model has additional relevance because
it was unique when it was first developed.

The Bell-LaPadula model is a key security tool that fulfills several functions. The concept
initially sets several security layers to protect information from unauthorized access. The
model gives a technique for controlling access to information at multiple security levels by
offering a set of access rules that govern how subjects can access objects at different
degrees of security. The methodology may also be used to audit information access and
ensure that no unauthorized access occurs.

2. Biba model

The Bell-LaPadula Model’s shortcomings inspired the development of the Biba Model. Data
integrity is not addressed by the Bell-LaPadula paradigm; only data confidentiality is.

The Biba Model, which articulates a set of access control rules for maintaining data integrity,
is a formal state transition system for data security regulations. Data and subjects are
organized or categorized according to how reliable they are. Biba aims to prevent data
corruption at levels rated higher than the subject and minimize data corruption at levels rated
lower than the subject.

Rules of the Biba Model:

No Write-Up (Integrity Axiom): According to this rule, no one is permitted to add to or
change data that has a lower integrity level. This guards against low-quality sources tainting
information of high quality.

No Read Down (Simple Security Property): A user cannot read an item with a higher
integrity level, as per this rule. This suggests that the data you are allowed to access is not
more important than the data you are not allowed to see or read. For example, in a school, a
student would never need access to the principal’s file.

Importance of the BIBA model: The Biba Model is a collection of rules for a computer
system that aids in maintaining valid and secure data. The name comes from Kenneth J.
Biba’s proposal in 1977. The Biba Model’s main goal is to prevent people without the
necessary authorization from tampering with data.

The model implements stringent integrity-based access restrictions. While users are
prevented from downgrading data integrity, they are also prevented from accessing data
from higher integrity levels. This ensures data isolation and confidentiality.

3. Clark-Wilson model

The Clark-Wilson security model is built upon protecting information integrity from hostile
data-altering attempts. The security model states that the system should maintain
consistency between internal and external data and that only authorized users should be
able to generate and alter data—unauthorized users should not be able to do so at all.

The primary goal of this model is to formalize the idea of information integrity by preventing
data corruption in a system due to errors or malicious intent. An integrity policy specifies
how the system’s data items should behave to maintain their validity when they change
from one system state to another. The model outlines certification and enforcement
procedures as well as the capabilities of the principals deployed inside the system.

The Clark-Wilson security concept prohibits direct access to constrained data objects. You
can use these two processes to access constrained data objects:

1. Transformation process

Constrained data items can be requested by the user and managed by the transformation
process. This process is intended to ensure that data changes maintain data integrity and
follow the prescribed certification standards. It is transformed into authorization by the
procedure before being sent to the integration verification procedure.

2. Integration verification process

It carries out authentication and permission. The user is granted access to the restricted data
items if this verification is successful.
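
A sketch of the flow described above, as an added Python example that is not from the source pages: a subject reaches a constrained data item only through a registered transformation process, and each request is authorized against a list of allowed (subject, process, item) combinations before it runs. The class, subject and account names are assumptions, and the non-negative balance invariant with rollback is an added illustration of keeping an item valid from one state to the next.

```python
class IntegrityViolation(Exception):
    """Raised when a transformation would leave a constrained item invalid."""


class ConstrainedStore:
    def __init__(self, cdis, invariant, allowed):
        self._cdis = dict(cdis)        # constrained data items, no direct access
        self._invariant = invariant    # integrity policy every state must satisfy
        self._allowed = set(allowed)   # authorized (subject, process, item) triples
        self._processes = {}
        self.audit_log = []

    def register(self, name, fn):
        """Register a transformation process: fn(current value, *args) -> new value."""
        self._processes[name] = fn

    def request(self, subject, process, item, *args):
        """The only entry point to a constrained data item."""
        if (subject, process, item) not in self._allowed:
            self.audit_log.append((subject, process, item, "denied"))
            raise PermissionError(f"{subject} may not run {process} on {item}")
        snapshot = dict(self._cdis)
        self._cdis[item] = self._processes[process](self._cdis[item], *args)
        if not self._invariant(self._cdis):
            self._cdis = snapshot      # roll back to the last valid state
            self.audit_log.append((subject, process, item, "rolled back"))
            raise IntegrityViolation(f"{process} on {item} breaks the invariant")
        self.audit_log.append((subject, process, item, "committed"))
        return self._cdis[item]


def build_store():
    # Constructed sample data: one account, two subjects with different rights.
    store = ConstrainedStore(
        cdis={"account:alice": 100},
        invariant=lambda cdis: all(balance >= 0 for balance in cdis.values()),
        allowed={
            ("teller", "deposit", "account:alice"),
            ("teller", "withdraw", "account:alice"),
            ("auditor", "read", "account:alice"),
        },
    )
    store.register("deposit", lambda balance, amount: balance + amount)
    store.register("withdraw", lambda balance, amount: balance - amount)
    store.register("read", lambda balance: balance)
    return store


def run_demo():
    """Returns (outcome per attempt, audit log statuses)."""
    store = build_store()
    attempts = [("teller", "deposit", 50), ("auditor", "withdraw", 10),
                ("teller", "withdraw", 500), ("auditor", "read")]
    outcomes = []
    for subject, process, *args in attempts:
        try:
            outcomes.append(store.request(subject, process, "account:alice", *args))
        except (PermissionError, IntegrityViolation) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, [entry[3] for entry in store.audit_log]


if __name__ == "__main__":
    print(run_demo())
```
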

4. Brewer and Nash Model

The Brewer and Nash model, also known as the ‘Chinese Wall Model’ is built to establish a
set of rules to minimize conflict of interest. It aims to prevent access to any sensitive
information that could lead to significant consequences because of personal interest
conflict.

The model advocates for data segregation and dynamic access controls. Dynamic access
controls are decided based on the user’s previous interaction with the critical information.
The model is, however, not as widely used as other models.
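
The dynamic access decision described above, as an added Python example (not code from the source pages): what a user may read depends on what that user has already read. The conflict-of-interest classes and dataset names are constructed, and only the read rule is modelled.

```python
class ChineseWall:
    """Brewer and Nash read rule: past accesses decide what stays reachable."""

    def __init__(self, conflict_classes):
        # conflict_classes maps a class name to the competing datasets in it.
        self._class_of = {
            dataset: cls
            for cls, datasets in conflict_classes.items()
            for dataset in datasets
        }
        self._history = {}  # user -> datasets the user has already read

    def can_read(self, user, dataset):
        cls = self._class_of.get(dataset)
        if cls is None:
            return False  # unknown dataset: fail closed
        # Allowed if every earlier read is this same dataset or lies in
        # a different conflict-of-interest class.
        return all(
            seen == dataset or self._class_of[seen] != cls
            for seen in self._history.get(user, ())
        )

    def read(self, user, dataset):
        """Record the access if allowed; the wall grows with each read."""
        if not self.can_read(user, dataset):
            return False
        self._history.setdefault(user, set()).add(dataset)
        return True

    def blocked_for(self, user):
        """Datasets the user can no longer read because of earlier reads."""
        return sorted(d for d in self._class_of if not self.can_read(user, d))


# Constructed conflict-of-interest classes and dataset names.
CLASSES = {"banks": {"bank_a", "bank_b"}, "oil": {"oil_x", "oil_y"}}


def run_demo():
    wall = ChineseWall(CLASSES)
    attempts = [("consultant", "bank_a"), ("consultant", "oil_x"),
                ("consultant", "bank_b"), ("consultant", "bank_a"),
                ("colleague", "bank_b")]
    results = [wall.read(user, dataset) for user, dataset in attempts]
    return results, wall.blocked_for("consultant"), wall.blocked_for("newcomer")


if __name__ == "__main__":
    print(run_demo())
```
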

5. Harrison Ruzzo Ullman Model

The Harrison Ruzzo Ullman Model (HRU) is established to address security concerns related
to information flow. Unlike the BLP model, which is based on mandatory access control, the
HRU model adopts discretionary access control. It utilizes an access matrix to understand
permissible actions that subjects (such as users) can perform on objects (such as files).

Benefits of a security model


Implementing an extensive security model has several advantages. Let’s look into the top six
advantages that a security model can provide you:

1. Accurate infrastructure inventory

A security model demands administrators to understand which people, devices, data, apps,
and services are part of the business infrastructure and where they are located. In addition
to assisting with security-related issues, a precise infrastructure inventory is useful for long-
term performance planning.

2. Better alerts and monitoring

When security concerns arise, a robust security model’s features, like SIEM,
security orchestration, automation, and network detection and response, employ a
mix of log and event analysis to identify them and then offer recommendations for how to
fix them. This enables security operations center administrators to notice and respond to
cybersecurity attacks more quickly.

3. Easier security policy creation

Modern security models ease the development of security policies since they allow for the
creation of a single, universal policy that can be applied throughout the organization end to
end. SSO is an excellent example of this, as it controls authentication for all network
resources. The possibility for security vulnerabilities or gaps in some sections of the
infrastructure also becomes much less likely, making the deployment and administration of
security policies from the administrator’s perspective straightforward.

4. Flexibility when transferring applications, data, and services

The requirements for the technology needed to support business shift along with the
business objectives. As a result, applications, data, and information technology services are
frequently relocated inside the corporate infrastructure. A modern security model is
advantageous in this regard as it creates a central rule system for the management of app
and data security. It also necessitates the use of automation tools to move these security
and micro-segmentation policies to the necessary locations.

ChatGPT

In information security, security models are frameworks that help define and enforce policies for data
protection and access control. These models provide structured approaches to ensuring the
confidentiality, integrity, and availability of information. Here’s an overview of some key security models:

1. Bell-LaPadula Model

• Focus: Confidentiality
• Key Principles:
  o No Read Up (Simple Security Property): A subject at a lower security level cannot read
    data at a higher level.
  o No Write Down (Star Property): A subject at a higher security level cannot write data to
    a lower level.
• Purpose: Protects sensitive information by ensuring that data is only accessed by users with the
  appropriate clearance level.

2. Biba Model

• Focus: Integrity
• Key Principles:
  o No Read Down (Simple Integrity Property): A subject cannot read data from a lower
    integrity level, preventing the introduction of less trustworthy data.
  o No Write Up (Star Integrity Property): A subject cannot write data to a higher integrity
    level, preventing the contamination of more reliable data.
• Purpose: Maintains the integrity of data by preventing lower integrity data from affecting higher
  integrity data.

3. Clark-Wilson Model

• Focus: Integrity
• Key Principles:
  o Well-formed Transactions: Transactions must be defined and enforced to maintain the
    integrity of data.
  o Separation of Duties: Ensures that no single individual has control over all aspects of a
    critical transaction.
• Purpose: Provides a framework for enforcing integrity constraints through well-defined
  transactions and access controls.

4. Lattice-Based Model

• Focus: Confidentiality and Integrity
• Key Principles:
  o Uses a lattice structure to define levels of security. Each subject and object is assigned a
    security label, and access is controlled based on these labels.
• Purpose: Allows for a more granular control of access and integrates both confidentiality and
  integrity considerations.

5. Brewer-Nash Model (Cinderella Model)

• Focus: Confidentiality and Integrity
• Key Principles:
  o Dynamic Access Control: The access control changes dynamically based on the user's
    actions and the information they have already accessed.
  o Conflict of Interest: Designed to prevent conflicts of interest by ensuring that users
    cannot access information that might lead to a breach of ethical standards.
• Purpose: Addresses scenarios where users' actions might create a conflict of interest or bias.

6. Harrison-Ruzzo-Ullman Model

• Focus: Access Control
• Key Principles:
  o Provides a formal framework for specifying and analyzing access control policies.
  o Defines access rights, permissions, and how they can be modified.
• Purpose: Supports dynamic and flexible management of access controls and policies.

7. Chinese Wall Model

• Focus: Confidentiality and Conflict of Interest
• Key Principles:
  o Access Control Based on Conflict of Interest: Users are allowed to access information
    only if it does not lead to a conflict of interest.
  o Access Restrictions: Restricts access to information to prevent potential conflicts arising
    from users accessing data from competing entities.
• Purpose: Ensures that users' actions do not create a conflict of interest, particularly in business
  and consulting contexts.

Each of these models serves a specific purpose and is suitable for different types of information systems
and security requirements. Understanding these models helps organizations design and implement
effective security policies and mechanisms.
