CISSP Security Models

Fundamental concepts of CISSP Security Models

A security model is a blueprint for implementing security on an information system and forms the foundation of the organisation's security policy.

Types of CISSP Security Model:

Brewer-Nash Model — The Brewer-Nash model is sometimes referred to as the Chinese Wall model, because it creates a secure wall between a user's files and other users and prevents users from accessing one another’s files. The Brewer-Nash model was created to provide access controls that can change dynamically depending upon a user’s previous actions. This allows access control between data belonging to different clients. The Brewer and Nash model prevents conflicts of interest.
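The history-dependent decision described above can be sketched as follows. This is an added example, not part of the original notes; the conflict-of-interest classes, dataset names and user names are hypothetical sample data.

```python
# Constructed sample data: conflict-of-interest (COI) classes and the client
# datasets that belong to each. All names are hypothetical.
COI_CLASSES = {
    "banks": {"bank_a", "bank_b"},
    "oil": {"oil_x", "oil_y"},
}


class ChineseWall:
    """Tracks each user's access history and applies the Brewer-Nash rule."""

    def __init__(self, coi_classes):
        # Map every dataset to the COI class it belongs to.
        self.class_of = {ds: name for name, members in coi_classes.items()
                         for ds in members}
        self.history = {}  # user -> set of datasets already accessed

    def can_access(self, user, dataset):
        coi = self.class_of.get(dataset)
        if coi is None:
            return False  # unknown dataset: deny by default
        for seen in self.history.get(user, set()):
            # Same COI class but a different client: conflict of interest.
            if self.class_of[seen] == coi and seen != dataset:
                return False
        return True

    def access(self, user, dataset):
        """Grant or deny; a granted access is recorded and shapes later ones."""
        if not self.can_access(user, dataset):
            return False
        self.history.setdefault(user, set()).add(dataset)
        return True


def demo():
    wall = ChineseWall(COI_CLASSES)
    return [
        wall.access("alice", "bank_a"),  # first access in the class: allowed
        wall.access("alice", "oil_x"),   # different COI class: allowed
        wall.access("alice", "bank_b"),  # competitor of bank_a: denied
        wall.access("alice", "bank_a"),  # same client again: allowed
        wall.access("bob", "bank_b"),    # bob has no history: allowed
    ]
```

The same request (`bank_b`) is denied for one user and granted for another purely because of what each has accessed before, which is the dynamic behaviour that separates this model from a static access control list.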

Clark-Wilson — The Clark-Wilson integrity model establishes a security framework for use in commercial activities, such as the banking industry. Clark-Wilson addresses all three goals of integrity and identifies special requirements for inputting data based on the following items and procedures:

  • Unconstrained data item (UDI): Data outside the control area, such as input data.
  • Constrained data item (CDI): Data inside the control area. (Integrity must be preserved.)
  • Integrity verification procedures (IVP): Checks validity of CDIs.
  • Transformation procedures (TP): Maintains integrity of CDIs.

The Clark-Wilson integrity model is based on the concept of a well-formed transaction, in which a transaction is sufficiently ordered and controlled so that it maintains internal and external consistency.
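A small ledger shows how the four Clark-Wilson elements fit together. This is an added example, not part of the original notes; the `Ledger` class, the account names and the chosen invariant (no negative balance, constant total) are assumptions made for illustration.

```python
class Ledger:
    """CDIs are the account balances; they change only through transfer_tp."""

    def __init__(self, balances):
        self._cdi = dict(balances)             # constrained data items
        self._total = sum(balances.values())   # invariant fixed at creation

    def ivp(self):
        """Integrity verification procedure: are the CDIs in a valid state?"""
        return (all(v >= 0 for v in self._cdi.values())
                and sum(self._cdi.values()) == self._total)

    def transfer_tp(self, udi):
        """Transformation procedure: validate a UDI, then apply it as one
        well-formed transaction. Returns True if applied, False if rejected."""
        # The UDI is untrusted input from outside the control area.
        try:
            src, dst = udi["from"], udi["to"]
            amount = int(udi["amount"])
        except (KeyError, TypeError, ValueError):
            return False
        if src not in self._cdi or dst not in self._cdi or src == dst:
            return False
        if amount <= 0 or self._cdi[src] < amount:
            return False
        # Debit and credit change together so the books stay balanced.
        before = dict(self._cdi)
        self._cdi[src] -= amount
        self._cdi[dst] += amount
        if not self.ivp():          # roll back if the new state is invalid
            self._cdi = before
            return False
        return True

    def balances(self):
        return dict(self._cdi)


def demo():
    ledger = Ledger({"alice": 100, "bob": 50})   # constructed sample CDIs
    results = [
        ledger.transfer_tp({"from": "alice", "to": "bob", "amount": "30"}),
        ledger.transfer_tp({"from": "alice", "to": "bob", "amount": "500"}),
        ledger.transfer_tp({"from": "alice", "to": "bob", "amount": "-5"}),
        ledger.transfer_tp({"from": "alice", "amount": "abc"}),
    ]
    return results, ledger.balances(), ledger.ivp()
```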

Bell-LaPadula — The Bell-LaPadula model focuses on the “confidentiality” aspect of the CIA triad. The basic premise of Bell-LaPadula is that information can’t flow downward. This means that information at a higher level is not permitted to be copied or moved to a lower level. The Bell-LaPadula model is defined by the following properties:

  • Simple security property (ss property)—This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as “no read up.”
  • Star * security property—This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as “no write down.”
  • Strong star * property—This property states that a subject cannot read/write to an object of higher/lower sensitivity.

Trusted Computing Base — TCB is a security model that has a feature that in theory has one name or label but, when implemented into a solution, takes on the name or label of the security kernel.

Biba — Instead of focusing on confidentiality like the Bell-LaPadula model, the Biba model focuses on the integrity aspect of the CIA triad. Here, “the subject at a certain level cannot read data at a lower integrity level”. Similarly, the “subject cannot modify data at a higher integrity level”. This lattice-based model has the following defining properties:

  • Simple integrity property—This property states that a subject at one level of integrity is not permitted to read an object of lower integrity.
  • Star * integrity property—This property states that a subject at one level of integrity is not permitted to write to an object of higher integrity.
  • Invocation property—This property prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity.
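The Bell-LaPadula and Biba properties listed above are mirror images of each other, which is easiest to see when both are written as access checks over the same ordered levels. This is an added example, not part of the original notes; the level names and function names are hypothetical.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels, used as a confidentiality or an integrity level."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def blp_allows(subject, obj, op, strong_star=False):
    """Bell-LaPadula decision for a subject level acting on an object level."""
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op}")
    if strong_star:
        return subject == obj      # strong star: read/write at own level only
    if op == "read":
        return subject >= obj      # simple security property: no read up
    return subject <= obj          # star property: no write down


def biba_allows(subject, target, op):
    """Biba decision; for 'invoke' the target is another subject's level."""
    if op == "read":
        return subject <= target   # simple integrity: no read down
    if op in ("write", "invoke"):
        return subject >= target   # star integrity / invocation: not upward
    raise ValueError(f"unsupported operation: {op}")


def allowed_targets(check, subject, op):
    """Every level the subject may apply op to under the given model."""
    return [lvl.name for lvl in Level if check(subject, lvl, op)]
```

For a MEDIUM subject, `allowed_targets(blp_allows, Level.MEDIUM, "read")` gives LOW and MEDIUM while `allowed_targets(biba_allows, Level.MEDIUM, "read")` gives MEDIUM and HIGH, so a system enforcing both models at once leaves the subject able to read and write only at its own level.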

Take-Grant Model

The Take-Grant model is another confidentiality-based model that supports four basic operations: take, grant, create, and revoke. This model allows subjects with the take right to remove take rights from other subjects. Subjects possessing the grant right can grant this right to other subjects. The create and revoke operations work in the same manner: Someone with the create right can give the create right to others and those with the revoke right can remove that right from others.

Graham Denning model—This model uses a formal set of protection rules for which each object has an owner and a controller.

Harrison-Ruzzo-Ullman model—This model details how subjects and objects can be created, deleted, accessed, or changed.

Lattice model—This model is associated with MAC. Controls are applied to objects and the model uses security levels that are represented by a lattice structure. This structure governs information flow. Subjects of the lattice model are allowed to access an object only if the security level of the subject is equal to or greater than that of the object. Every subset has a least upper bound and a greatest lower bound.
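The bounds mentioned above become meaningful once some labels are incomparable. The following added example, which is not part of the original notes, assumes labels made of a hierarchical level plus a set of categories (a common MAC labelling scheme that the text above does not spell out); the level and category names are hypothetical.

```python
from functools import reduce

# Hypothetical hierarchy; a label is (level_rank, frozenset_of_categories).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


def label(level, *categories):
    return (LEVELS[level], frozenset(categories))


def dominates(a, b):
    """a >= b in the lattice: level at least as high AND categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def can_access(subject, obj):
    """Access is allowed only if the subject's label dominates the object's."""
    return dominates(subject, obj)


def lub(labels):
    """Least upper bound: the lowest label that dominates every given label."""
    return reduce(lambda x, y: (max(x[0], y[0]), x[1] | y[1]), labels)


def glb(labels):
    """Greatest lower bound: the highest label dominated by every given label."""
    return reduce(lambda x, y: (min(x[0], y[0]), x[1] & y[1]), labels)


def demo():
    hr = label("secret", "hr")                 # constructed sample labels
    fin = label("confidential", "finance")
    top, bottom = lub([hr, fin]), glb([hr, fin])
    return {
        "hr_reads_fin": can_access(hr, fin),   # higher level, wrong category
        "fin_reads_hr": can_access(fin, hr),
        "lub": top,                            # label needed to read both
        "glb": bottom,                         # label both subjects can read
    }
```

Neither sample label dominates the other even though one has the higher level, so a merged document carrying data from both must be labelled with their least upper bound.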

Product Evaluation Models / Security Documents and Guidelines

Product evaluation models are used to verify that information systems achieve a set of security goals. They provide a level of trust and assurance that these systems will operate in a given and predictable manner and that they have undergone testing and validation against strict, specific standards.

TCSEC (Orange book)

The TCSEC, also known as the ‘Orange book’, was first published in 1983. It contains a set of standards that were used by the US Department of Defense (DoD) to evaluate its systems. The different ‘Orange book’ criteria are:

  • A—Verified protection. An A-rated system is the highest security division.
  • B—Mandatory security. A B-rated system has mandatory protection of the TCB.
  • C—Discretionary protection. A C-rated system provides discretionary protection of the TCB.
  • D—Minimal protection. A D-rated system fails to meet any of the standards of A, B, or C and basically has no security controls.

The TCSEC focused more on the ‘confidentiality’ aspect of the CIA triad to evaluate its systems. The TCSEC has been superseded by the ‘Common criteria’.

Information Technology Security Evaluation Criteria

ITSEC is a European standard developed in the 1980s to evaluate confidentiality, integrity, and availability of an entire system. ITSEC was unique in that it was the first standard to unify markets and bring all of Europe under one set of guidelines. ITSEC designates the target system as the Target of Evaluation (TOE). The evaluation is actually divided into two parts: One part evaluates functionality and the other evaluates assurance. There are 10 functionality (F) classes and 7 assurance (E) classes. Assurance classes rate the effectiveness and correctness of a system. Table 5.5 shows these ratings and how they correspond to the TCSEC ratings.

Table 5.5. ITSEC Functionality Ratings and Comparison to TCSEC

(F) Class | (E) Class | TCSEC Rating
F6 | TOEs with high integrity requirements
F7 | TOEs with high availability requirements
F8 | TOEs with high integrity requirements during data communications
F9 | TOEs with high confidentiality requirements during data communications
F10 | Networks with high confidentiality and integrity requirements

Common Criteria

TCSEC and ITSEC were not universally adopted, and ‘Common criteria’ came into existence and soon became the universally adopted product evaluation criteria. ‘Common criteria’ can be applied to both hardware and software products. In CC, we have to determine the ST (Security Target) and TOE (Target of Evaluation), conformance claims and security requirements, and perform product evaluation accordingly.

When it comes to purchasing information systems, buyers often consider only systems that have gone through formal evaluation processes in advance (preferably third-party) and have received some kind of security rating.

Common Criteria has seven different assurance levels (EALs), with EAL 1 being the lowest level of assurance and EAL 7 being the highest level of assurance.

  • EAL 0: Inadequate assurance
  • EAL 1: Functionally tested
  • EAL 2: Structurally Tested
  • EAL 3: Methodically Tested and Checked
  • EAL 4: Methodically Designed, Tested and Reviewed
  • EAL 5: Semi-Formally Designed and Tested
  • EAL 6: Semi-Formally Verified Design and Tested
  • EAL 7: Formally Verified Design and Tested

Trusted Network Interpretation (Red book)

The purpose of the Trusted Network Interpretation is to examine security for networks and network components. Whereas the Orange Book addresses only confidentiality, the Trusted Network Interpretation book examines integrity and availability. It also is tasked with examining the operation of networked devices. Three areas of review include:

  • DoS prevention—Management and continuity of operations.
  • Compromise protection—Data and traffic confidentiality, selective routing.
  • Communications integrity—Authentication, integrity, and nonrepudiation.

Security Capabilities of Information Systems

Memory protection

It is a core security component that must be designed and implemented into an operating system. It must be enforced regardless of the programs executing in the system. Otherwise, instability, violation of integrity, denial of service, and disclosure are likely results.

Trusted Platform Module (TPM)

TPM is used to implement a broad range of cryptography-based security protection mechanisms. A TPM is an example of an HSM (Hardware Security Module). An HSM is a cryptoprocessor used to manage and store digital encryption keys, accelerate crypto operations, support faster digital signatures and improve authentication. An HSM can be a chip on a motherboard, an external peripheral, a network-attached device, or an extension card (which is inserted into a device, such as a router, firewall, or rack-mounted server blade). HSMs include tamper protection to prevent their misuse even if an attacker gains physical access.

Encryption scrambles the data, making it unreadable, but decryption reverses that process to its original state. This protects confidentiality and integrity.
