Security models form the blueprint for designing and enforcing organizational security policies. In CISSP Domain 3, understanding these models is crucial for both exam success and practical application. Security models not only define access controls but also help structure systems to protect confidentiality, integrity, and availability.
This article provides a detailed, real-world perspective on security models, trusted computing concepts, and product evaluation standards, combining theory with IT industry insights.
Fundamental Security Models
Security models are frameworks that define how subjects (users, or processes acting on their behalf) may interact with objects (data or resources) under an enforced security policy. Each model emphasizes a different leg of the CIA triad (Confidentiality, Integrity, Availability), which is why a real system usually combines more than one.
Brewer-Nash Model (Chinese Wall)
- Designed to prevent conflicts of interest in commercial and consulting environments.
- Groups company datasets into conflict-of-interest classes and changes access rights dynamically with a subject's history: once a subject reads unsanitized data belonging to one company, it is barred from every other company in the same class.
- Commonly used in financial institutions and consultancy firms where client data must remain isolated by client.
Practical Insight:
I’ve implemented Brewer-Nash in multi-tenant consulting environments to prevent analysts from inadvertently accessing competitor client data. Dynamic access controls are critical in regulated industries where ethical walls are mandatory.
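The rules above are easier to see in code. The following is an added example written for this article, not code from the author's deployments: a minimal Chinese Wall policy engine with constructed company datasets ("BankA", "BankB", "OilCo") and conflict-of-interest classes. It shows both the simple security rule (history-based reads) and the *-property (writes), including the less obvious consequence that an analyst who has read two different companies' data, even in different classes, can no longer write to either.

```python
"""Brewer-Nash (Chinese Wall) policy engine. Added illustration; the companies,
conflict-of-interest classes and analyst names are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataObject:
    company: str             # the client whose dataset this object belongs to
    coi_class: str           # conflict-of-interest class, e.g. "banks"
    sanitized: bool = False  # public/sanitized data sits outside the wall


@dataclass
class Analyst:
    name: str
    # (company, coi_class) pairs of unsanitized objects this analyst has read
    history: set = field(default_factory=set)


class ChineseWall:
    def can_read(self, s: Analyst, o: DataObject) -> bool:
        """Simple security rule: allowed if o is sanitized, or every earlier
        read was in a different COI class or belongs to the same company as o."""
        if o.sanitized:
            return True
        return all(coi != o.coi_class or company == o.company
                   for company, coi in s.history)

    def read(self, s: Analyst, o: DataObject) -> bool:
        if not self.can_read(s, o):
            return False
        if not o.sanitized:            # sanitized reads do not raise a wall
            s.history.add((o.company, o.coi_class))
        return True

    def can_write(self, s: Analyst, o: DataObject) -> bool:
        """*-property: write to o only if s may read o AND every unsanitized
        object s has ever read belongs to o's company. Without this, s could
        copy BankA data into an OilCo file that a BankB analyst may read."""
        if not self.can_read(s, o):
            return False
        return all(company == o.company for company, _ in s.history)


def demo():
    wall = ChineseWall()
    bank_a = DataObject("BankA", "banks")
    bank_b = DataObject("BankB", "banks")
    oil_co = DataObject("OilCo", "oil")
    market = DataObject("Exchange", "banks", sanitized=True)
    ana = Analyst("ana")
    return {
        "read_bank_a": wall.read(ana, bank_a),                   # True: clean history
        "read_bank_b": wall.read(ana, bank_b),                   # False: conflicts with BankA
        "read_sanitized": wall.read(ana, market),                # True: outside the wall
        "write_bank_a_before_oil": wall.can_write(ana, bank_a),  # True
        "read_oil": wall.read(ana, oil_co),                      # True: different class
        "write_bank_a_after_oil": wall.can_write(ana, bank_a),   # False: would leak OilCo data
        "write_oil_after_oil": wall.can_write(ana, oil_co),      # False: would leak BankA data
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:28s} {'ALLOW' if allowed else 'DENY'}")
```

Note that `history` only grows: in a real deployment it is per-person, persists across sessions, and is why Brewer-Nash access lists cannot simply be copied when an analyst changes teams.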
Clark-Wilson Integrity Model
- Focuses on data integrity, particularly in commercial and financial applications.
- Introduces Unconstrained Data Items (UDIs), Constrained Data Items (CDIs), Integrity Verification Procedures (IVPs), and Transformation Procedures (TPs); CDIs may be changed only through certified TPs, and users are bound to the TPs (and TPs to the CDIs) they may use by access triples.
- Relies on well-formed transactions and separation of duties to maintain both internal and external consistency.
Real-World Use:
Banking systems enforce Clark-Wilson principles to limit fraud: a balance can be changed only through a certified TP, IVPs confirm the ledger is still consistent after each transaction (and roll it back if not), every TP writes an append-only audit record, and separation of duties prevents one insider from both certifying and executing the same transaction.
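Here is the same enforcement loop as an added example (constructed for this article, not a bank's code): accounts are the CDIs, a control total plus non-negative balances is the IVP, a transfer is the TP, a free-text amount is the UDI that a conversion TP upgrades or rejects, and access triples plus a certifying officer provide separation of duties. Account names and balances are constructed sample data.

```python
"""Clark-Wilson enforcement loop. Added illustration with constructed accounts."""
import copy
from decimal import Decimal, InvalidOperation


class IntegrityError(Exception):
    pass


class Ledger:
    """The CDIs: account balances in cents plus a control total."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.control_total = sum(self.balances.values())


def ivp(ledger):
    """Integrity Verification Procedure: are the CDIs in a valid state?"""
    return (all(b >= 0 for b in ledger.balances.values())
            and sum(ledger.balances.values()) == ledger.control_total)


def tp_convert_amount(udi):
    """TP that upgrades a UDI (raw user text) to a CDI-grade integer number
    of cents, or rejects it (returns None)."""
    try:
        value = Decimal(udi)
    except InvalidOperation:
        return None
    if value <= 0 or value != value.quantize(Decimal("0.01")):
        return None
    return int(value * 100)


def tp_transfer(ledger, src, dst, cents):
    """Well-formed transaction; the IVP afterwards decides if the result stands."""
    ledger.balances[src] -= cents
    ledger.balances[dst] += cents


class ClarkWilson:
    def __init__(self, ledger):
        self.ledger = ledger
        self.tps = {"transfer": tp_transfer}
        self.triples = set()   # certified (user, tp_name) relations
        self.audit = []        # append-only log every TP run must write to

    def certify(self, officer, user, tp_name):
        """Separation of duty: the officer certifying a relation may not be
        the user who will execute it."""
        if officer == user or tp_name not in self.tps:
            return False
        self.triples.add((user, tp_name))
        return True

    def run(self, user, tp_name, *args):
        if (user, tp_name) not in self.triples:
            self.audit.append((user, tp_name, args, "denied: no access triple"))
            return False
        if not ivp(self.ledger):                 # never operate on corrupt CDIs
            raise IntegrityError("CDIs failed IVP before transaction")
        trial = copy.deepcopy(self.ledger)       # TP works on a copy
        try:
            self.tps[tp_name](trial, *args)
        except KeyError:
            self.audit.append((user, tp_name, args, "denied: unknown CDI"))
            return False
        if not ivp(trial):                       # roll back an ill-formed result
            self.audit.append((user, tp_name, args, "rolled back: IVP failed"))
            return False
        self.ledger = trial                      # commit
        self.audit.append((user, tp_name, args, "committed"))
        return True


def demo():
    cw = ClarkWilson(Ledger({"acct_1": 100_000, "acct_2": 20_000}))
    results = {
        "self_certify": cw.certify("alice", "alice", "transfer"),    # False: SoD
        "certify": cw.certify("officer", "alice", "transfer"),       # True
        "good_udi": tp_convert_amount("500.00"),                     # 50000
        "bad_udi": tp_convert_amount("500.001"),                     # None
        "transfer_ok": cw.run("alice", "transfer", "acct_1", "acct_2", 50_000),  # True
        "overdraw": cw.run("alice", "transfer", "acct_1", "acct_2", 80_000),     # False: rolled back
        "uncertified": cw.run("bob", "transfer", "acct_2", "acct_1", 1),         # False
        "balances": dict(cw.ledger.balances),    # {'acct_1': 50000, 'acct_2': 70000}
        "ivp_holds": ivp(cw.ledger),             # True
    }
    return results, cw.audit


if __name__ == "__main__":
    res, log = demo()
    print(res)
    for entry in log:
        print(entry)
```

The rollback path is the point: the TP is allowed to produce a bad intermediate state, but the IVP refuses to commit it, so a buggy or malicious TP cannot leave the CDIs inconsistent.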
Bell-LaPadula Model
- Protects confidentiality; subjects and objects carry sensitivity labels.
- Simple Security Property (no read up): a subject cannot read an object at a higher classification.
- Star (*) Property (no write down): a subject cannot write to an object at a lower classification (writing upward is permitted, sometimes called a blind write).
- Strong Star Property: a subject may read and write only at its own level.
- Discretionary Security Property: access must additionally be permitted by an access matrix, which is how need-to-know is applied within a level.
Industry Note:
Government and military systems frequently use Bell-LaPadula to protect classified information, ensuring sensitive data is never leaked downward.
Biba Integrity Model
- Focuses on integrity rather than confidentiality.
- Simple Integrity Property (no read down): a subject cannot read an object of lower integrity, so untrusted data never contaminates trusted processing.
- Star (*) Integrity Property (no write up): a subject cannot write to an object of higher integrity.
- Invocation Property: a subject cannot invoke (call on) a subject at a higher integrity level.
Practical Application:
In manufacturing control systems, Biba ensures that data from less-trusted sources cannot corrupt high-integrity processes, maintaining operational safety and regulatory compliance.
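Bell-LaPadula and Biba are the same lattice with the arrows reversed, so one small implementation covers both and also makes the lattice structure explicit: a label is a level plus a set of categories (compartments), a label dominates another only if its level is higher or equal and its categories are a superset, and the least upper bound is the label a derived document must carry. The classification names, compartments and integrity levels below are constructed; this is an added example, not code from the article.

```python
"""Bell-LaPadula and Biba rules over one label lattice. Added illustration;
levels and compartments are constructed sample values."""
from dataclasses import dataclass

SENSITIVITY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Partial order of the lattice: higher-or-equal level AND a superset
        of categories. Two labels with disjoint compartments are incomparable."""
        return self.level >= other.level and self.categories >= other.categories

    def lub(self, other):
        """Least upper bound: the label for an object that combines both inputs."""
        return Label(max(self.level, other.level), self.categories | other.categories)


def label(scale, level, *cats):
    return Label(scale[level], frozenset(cats))


# Bell-LaPadula (confidentiality): information may only flow upward.
def blp_read(subject, obj):          # simple security property: no read up
    return subject.dominates(obj)

def blp_write(subject, obj):         # *-property: no write down
    return obj.dominates(subject)

def blp_strong_star(subject, obj):   # strong *-property: own level only
    return subject == obj

# Biba (integrity): information may only flow downward.
def biba_read(subject, obj):         # simple integrity property: no read down
    return obj.dominates(subject)

def biba_write(subject, obj):        # *-integrity property: no write up
    return subject.dominates(obj)

def biba_invoke(caller, callee):     # invocation property: no invoking upward
    return caller.dominates(callee)


def demo():
    secret_nuc = label(SENSITIVITY, "SECRET", "NUCLEAR")
    secret_cry = label(SENSITIVITY, "SECRET", "CRYPTO")
    conf = label(SENSITIVITY, "CONFIDENTIAL")
    ts_both = label(SENSITIVITY, "TOP SECRET", "NUCLEAR", "CRYPTO")
    high, low = label(INTEGRITY, "HIGH"), label(INTEGRITY, "LOW")
    combined = secret_nuc.lub(secret_cry)   # SECRET {NUCLEAR, CRYPTO}
    return {
        "read_down": blp_read(secret_nuc, conf),                   # True
        "read_up": blp_read(conf, secret_nuc),                     # False
        "write_up": blp_write(conf, secret_nuc),                   # True (blind write)
        "write_down": blp_write(secret_nuc, conf),                 # False
        "incomparable_read": blp_read(secret_nuc, secret_cry),     # False: compartments differ
        "incomparable_write": blp_write(secret_nuc, secret_cry),   # False
        "strong_star_same": blp_strong_star(conf, conf),           # True
        "strong_star_up": blp_strong_star(conf, secret_nuc),       # False
        "lub_label": combined == label(SENSITIVITY, "SECRET", "NUCLEAR", "CRYPTO"),  # True
        "lub_needs_both_compartments": blp_read(secret_nuc, combined),  # False
        "lub_readable_by_ts": blp_read(ts_both, combined),         # True
        "biba_read_down": biba_read(high, low),                    # False
        "biba_read_up": biba_read(low, high),                      # True
        "biba_write_up": biba_write(low, high),                    # False
        "biba_write_down": biba_write(high, low),                  # True
        "biba_invoke_up": biba_invoke(low, high),                  # False
    }


if __name__ == "__main__":
    for rule, allowed in demo().items():
        print(f"{rule:30s} {'ALLOW' if allowed else 'DENY'}")
```

The incomparable case is the one exam questions and real labeling schemes get wrong most often: two SECRET subjects in different compartments can neither read nor write each other's data, and a report that draws on both must be labeled at the least upper bound, which only a subject cleared for both compartments can read.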
Trusted Computing Base (TCB)
- The foundation of a secure system: the TCB is the combination of hardware, firmware, and software responsible for enforcing the system’s security policy; anything outside the TCB can misbehave without violating that policy, which is why the TCB should be as small as possible.
- The security kernel is the part of the TCB that implements the reference monitor concept: it mediates every access by a subject to an object and must be tamper-proof, always invoked (non-bypassable), and small enough to be verified.
Insight:
A well-implemented TCB is non-negotiable in high-security environments such as defense, healthcare, and critical infrastructure. Weak TCBs can render all higher-layer security controls ineffective.
Take-Grant, Graham-Denning, Harrison-Ruzzo-Ullman, and Lattice Models
- Take-Grant Model: represents the protection state as a directed graph whose edges are rights, and shows how rights spread through four operations: take, grant, create, and remove.
- Graham-Denning Model: defines eight primitive operations on subjects and objects (create and delete subject, create and delete object, read, grant, delete, and transfer access rights), with an owner and a controller deciding what is permitted.
- Harrison-Ruzzo-Ullman Model: generalizes Graham-Denning to an access matrix changed by commands built from primitive operations, and proves that deciding whether a given right can ever leak (the safety problem) is undecidable in the general case.
- Lattice Model: implements Mandatory Access Control (MAC) by arranging labels in a lattice, so every pair of labels has a least upper bound and a greatest lower bound and each access decision reduces to a dominance comparison.
Observation:
Lattice-based MAC is what multi-level systems actually implement; Take-Grant and HRU are mainly analytical tools for asking whether a right can leak once delegation is allowed, which is exactly the question that layers of delegated access in cloud and hybrid environments raise.
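The Take-Grant rules in code, as an added example rather than anything from the article: a protection graph with the four rewriting rules, plus a sufficient (take-path only) leakage check that answers the "can this right reach this subject?" question the model exists for. Vertex names and rights are constructed.

```python
"""Take-Grant protection graph. Added illustration with constructed vertices."""
from collections import defaultdict, deque


class TakeGrantGraph:
    """edges[(src, dst)] is the set of rights src holds over dst.
    't' and 'g' are the take and grant rights; 'r', 'w' are ordinary rights."""

    def __init__(self):
        self.edges = defaultdict(set)
        self.nodes = set()

    def add(self, src, dst, rights):
        self.nodes.update((src, dst))
        self.edges[(src, dst)].update(rights)

    def has(self, src, dst, right):
        return right in self.edges.get((src, dst), set())

    # --- the four rewriting rules; each returns True only if its precondition held ---
    def take(self, x, y, z, right):
        """x takes `right` on z from y: needs x -t-> y and y -right-> z."""
        if not (self.has(x, y, "t") and self.has(y, z, right)):
            return False
        self.add(x, z, {right})
        return True

    def grant(self, x, y, z, right):
        """x grants y `right` on z: needs x -g-> y and x -right-> z."""
        if not (self.has(x, y, "g") and self.has(x, z, right)):
            return False
        self.add(y, z, {right})
        return True

    def create(self, x, new, rights):
        """x creates a fresh vertex and holds any rights it likes over it."""
        if new in self.nodes:
            return False
        self.add(x, new, rights)
        return True

    def remove(self, x, y, rights):
        """x drops rights it holds over y. Note that rights already granted
        onward are untouched: revocation is not transitive in this model."""
        if not self.edges[(x, y)] & set(rights):
            return False
        self.edges[(x, y)] -= set(rights)
        return True

    def reachable_by_take(self, x, z, right):
        """Sufficient condition for leakage: if a path of 't' edges from x
        reaches a vertex holding `right` on z, x can pull the right back along
        the path one take at a time. (The full can-share predicate also covers
        grant paths and islands; this is only the take half.)"""
        seen, queue = {x}, deque([x])
        while queue:
            v = queue.popleft()
            if v != x and self.has(v, z, right):
                return True
            for (s, d), rights in list(self.edges.items()):
                if s == v and "t" in rights and d not in seen:
                    seen.add(d)
                    queue.append(d)
        return False


def demo():
    g = TakeGrantGraph()
    g.add("alice", "proxy", {"t"})      # alice can take from proxy
    g.add("proxy", "payroll", {"r"})    # proxy holds read on payroll
    g.add("alice", "bob", {"g"})        # alice can grant to bob
    g.add("bob", "carol", {"t"})        # bob can take from carol (who holds nothing)
    return {
        "bob_cannot_take": g.take("bob", "proxy", "payroll", "r"),     # False: no t edge
        "leak_predicted": g.reachable_by_take("alice", "payroll", "r"),  # True
        "alice_takes": g.take("alice", "proxy", "payroll", "r"),       # True
        "alice_grants_bob": g.grant("alice", "bob", "payroll", "r"),   # True
        "bob_has_read": g.has("bob", "payroll", "r"),                  # True
        "carol_cannot": g.reachable_by_take("carol", "payroll", "r"),  # False
        "revoke": g.remove("alice", "payroll", {"r"}),                 # True
        "alice_after": g.has("alice", "payroll", "r"),                 # False
        "bob_keeps": g.has("bob", "payroll", "r"),                     # True
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:20s} {outcome}")
```

The last two results are the practical lesson: revoking Alice's right does nothing about the copy she already granted to Bob, so a system that allows grant needs either transitive revocation or a periodic review of who holds what.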
Product Evaluation Models and Standards
Security models are complemented by product evaluation frameworks, which ensure systems meet specified security objectives.
Trusted Computer System Evaluation Criteria (TCSEC / Orange Book)
- Developed by the US DoD in 1983.
- Evaluates systems primarily on confidentiality.
- Ratings:
- A – Verified Protection (A1): highest assurance, with a formally verified design.
- B – Mandatory Protection (B1–B3): labeled subjects and objects with enforced mandatory access control.
- C – Discretionary Protection (C1–C2): user-defined (discretionary) protections, with individual accountability and auditing required at C2.
- D – Minimal Protection: evaluated but fails to meet the criteria of any higher division.
Industry Perspective:
Although largely superseded, the Orange Book laid the foundation for modern evaluation standards like Common Criteria.
ITSEC (Information Technology Security Evaluation Criteria)
- European standard (1991) that evaluates confidentiality, integrity, and availability, not confidentiality alone.
- Introduced the Target of Evaluation (TOE) and rated functionality (classes F1–F10) separately from assurance (levels E0–E6).
Comparison with TCSEC:
ITSEC separates functionality from assurance, so a product with modest security features can still earn a high assurance rating, and it covers integrity and availability; TCSEC fuses functionality and assurance into one rating and considers confidentiality only. That separation is what made ITSEC more flexible for diverse enterprise products and is carried forward into Common Criteria.
Common Criteria (CC)
- International standard (ISO/IEC 15408) for evaluating security hardware and software, with certificates recognized across signatory countries through the Common Criteria Recognition Arrangement.
- Defines the Target of Evaluation (TOE), the Security Target (ST) that states the claims made for a specific TOE, and the Protection Profile (PP) that states the requirements for a class of product.
- Seven Evaluation Assurance Levels (EAL1–EAL7), from functionally tested (EAL1) to formally verified design and tested (EAL7).
Real-World Insight:
Organizations purchasing enterprise IT solutions increasingly require Common Criteria certification for compliance and risk management. EAL4 is the usual target for commercial products; the standard itself describes it as the highest level likely to be economically feasible to retrofit to an existing product line. A higher EAL does not mean more security functions, only more rigorous evidence that the functions claimed in the ST behave as stated, and the certificate covers that TOE in its evaluated configuration, not the product as deployed.
Trusted Network Interpretation (Red Book)
- Extends evaluation to networked systems, addressing integrity and availability, not just confidentiality.
- Evaluates:
- DoS prevention: Maintaining availability.
- Compromise protection: Ensuring confidentiality and selective routing.
- Communication integrity: Authentication, integrity, and non-repudiation.
Application:
The Red Book itself is historical, but its three concerns still describe what network-level assurance has to cover: availability under attack, confidentiality of traffic and routing (the job of VPNs and segmentation), and authenticated, integrity-protected communication, which is a prerequisite for any zero-trust architecture.
Security Capabilities in Modern Systems
Memory Protection
- Ensures programs cannot access memory outside their allocated space.
- Protects integrity, prevents crashes, and guards against malicious exploitation.
Trusted Platform Module (TPM)
- Hardware-based security for cryptographic key storage, digital signatures, and authentication.
- TPMs are used in laptops, servers, and network devices for secure boot, disk encryption, and identity management.
Practical Tip:
I’ve deployed TPM-enabled laptops in large organizations to enforce disk encryption and device attestation, reducing risk from lost or stolen endpoints.
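The attestation mentioned above rests on one primitive worth seeing worked through: a PCR can only be extended (PCR_new = SHA-256(PCR_old || measurement)), never set, so a boot chain that measures each component into a PCR produces a value that a verifier can reproduce from the event log and compare with a known-good value. The following is an added example written for this article, not code from any TPM stack: it simulates measured boot into a single SHA-256 PCR bank and a remote verifier that checks the event log replays to the quoted PCR and matches the golden value. Component blobs are constructed stand-ins, and the quote's TPM signature is assumed to have been verified separately (that step is out of scope here).

```python
"""Measured boot and remote attestation against a golden PCR. Added
illustration with constructed boot components; quote signature checking is
assumed to happen elsewhere."""
import hashlib

PCR_SIZE = 32
INITIAL_PCR = b"\x00" * PCR_SIZE   # PCRs reset to zero at power-on


def pcr_extend(pcr, event_digest):
    """TPM 2.0 extend semantics: PCR_new = H(PCR_old || digest). Order matters
    and there is no operation that sets a PCR to an arbitrary value."""
    return hashlib.sha256(pcr + event_digest).digest()


def measured_boot(components):
    """Simulate firmware measuring each component into one PCR and appending
    an event-log entry (name, digest). Returns (pcr, log)."""
    pcr, log = INITIAL_PCR, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def verify_attestation(quoted_pcr, event_log, expected_pcr, allowlist):
    """Remote-verifier side.
    1. Replay the log; if it does not reproduce the quoted PCR the log is forged.
    2. Compare the quoted PCR with the golden value; on mismatch use the
       per-component allowlist to name the suspect (or blame ordering)."""
    replay = INITIAL_PCR
    for _, digest in event_log:
        replay = pcr_extend(replay, digest)
    if replay != quoted_pcr:
        return False, "event log does not replay to quoted PCR"
    if quoted_pcr != expected_pcr:
        bad = [name for name, digest in event_log if allowlist.get(name) != digest]
        return False, f"PCR mismatch; suspect components: {bad or 'ordering'}"
    return True, "ok"


def demo():
    good = [("firmware", b"fw-v1.2"), ("bootloader", b"grub-2.06"), ("kernel", b"linux-6.1")]
    golden_pcr, golden_log = measured_boot(good)   # enrolled once, stored by the verifier
    allowlist = dict(golden_log)

    tampered = [good[0], ("bootloader", b"grub-2.06-bootkit"), good[2]]
    t_pcr, t_log = measured_boot(tampered)

    reordered = [good[1], good[0], good[2]]
    r_pcr, r_log = measured_boot(reordered)

    # Attacker ships the tampered machine's real quote with a doctored log
    forged_log = [(n, allowlist["bootloader"] if n == "bootloader" else d) for n, d in t_log]

    return {
        "golden": verify_attestation(golden_pcr, golden_log, golden_pcr, allowlist),
        "tampered": verify_attestation(t_pcr, t_log, golden_pcr, allowlist),
        "reordered": verify_attestation(r_pcr, r_log, golden_pcr, allowlist),
        "forged_log": verify_attestation(t_pcr, forged_log, golden_pcr, allowlist),
        "order_changes_pcr": r_pcr != golden_pcr,
    }


if __name__ == "__main__":
    for case, (ok, reason) in list(demo().items())[:4]:
        print(f"{case:12s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Two things the walk-through makes concrete: the verifier never trusts the event log on its own (it is plain data the OS can rewrite), and the same components measured in a different order give a different PCR, which is why golden values must be re-enrolled after any firmware or bootloader update.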
Encryption and Decryption
- Core security capability that protects data confidentiality; integrity is protected only when encryption is combined with a MAC or an authenticated mode such as AES-GCM, since plain encryption does not detect tampering with the ciphertext.
- Modern IT environments rely on AES-256, TLS 1.3, and elliptic curve cryptography for both at-rest and in-transit protection.
Real-World Advice:
Encryption alone is not sufficient; it must be paired with strong key management and access control policies to prevent misuse.
Conclusion
Understanding CISSP Domain 3 security models is critical for IT professionals and security architects. From Brewer-Nash to Bell-LaPadula and Biba, each model provides unique insights into enforcing confidentiality, integrity, and availability.
Complementing these models with rigorous product evaluation frameworks such as TCSEC, ITSEC, Common Criteria, and Trusted Network Interpretation ensures systems are not only secure in theory but validated in practice.
Expert Insight:
In enterprise deployments, combining security models with modern frameworks like zero trust and TPM-based endpoints ensures a resilient, auditable, and compliant security posture. Understanding these models empowers IT professionals to make informed decisions about architecture, system evaluation, and risk mitigation.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
