🏗️ Domain 3 – Security Architecture and Engineering
🔐 D3.1 – Security Models (🇬🇧 / 🇫🇷)
This memo covers the most well-known security models used in access control and system design for CISSP.
Ce mémo couvre les modèles de sécurité les plus connus utilisés dans la conception des systèmes et le contrôle d’accès.
🟦 Bell–LaPadula Model (Confidentiality-focused)
- Purpose: Protect confidentiality of classified data
- Rules:
- 🔒 Simple Security Property: No Read Up
- ✍️ Star () Property*: No Write Down
- Used by: Military, government, classified systems
- Type: Mandatory Access Control (MAC), Lattice-based
🧠 FR : Empêche un utilisateur de lire des données plus sensibles (no read up) ou d’écrire vers des niveaux inférieurs (no write down).
🟨 Biba Model (Integrity-focused)
- Purpose: Protect data integrity
- Rules:
- 🔒 Simple Integrity Property: No Read Down
- ✍️ Star () Integrity Property*: No Write Up
- Used by: Commercial and financial systems (where data accuracy is key)
- Type: Lattice-based
🧠 FR : Un utilisateur de haut niveau ne lit pas des données moins fiables (no read down) et un utilisateur bas ne peut pas corrompre les données hautes (no write up).
🟩 Clark–Wilson Model (Transactional Integrity)
- Purpose: Ensure well-formed transactions and separation of duties
- Core concepts:
- ✅ Subjects can only access data via Transformation Procedures (TPs)
- ✅ Data is protected via Constrained Data Items (CDIs)
- ✅ Uses Access Control Triples (Subject – TP – Object)
🧠 FR : Un utilisateur ne peut jamais modifier directement les données sensibles ; il passe toujours par une application ou procédure autorisée (TP).
🟥 Brewer–Nash Model (Chinese Wall Model)
- Purpose: Prevent conflict of interest in dynamic environments (e.g. financial consultants)
- Rule: A user who accesses data from one company cannot access data from its competitor
- Type: Context-based / dynamic
🧠 FR : Si je travaille avec la Banque A, je ne peux pas ensuite voir les fichiers de la Banque B (concurrente).
🟧 Graham–Denning Model
- Purpose: Define how subjects and objects are securely created, deleted, and managed
- Based on: 8 security rules (e.g. assign owner, grant access, delete subject)
- Focus: Rights management and access control operations
🧠 FR : Modèle structuré avec 8 règles pour gérer les droits entre utilisateurs et objets.
🟪 Take–Grant Model
- Purpose: Model how access rights are passed between subjects
- Operations: Take, Grant, Create, Revoke
- Representation: Directed graph
🧠 FR : Ce modèle montre comment un droit d’accès peut être pris ou donné via un graphe d’autorisations.
🟫 Lattice-Based Access Model
- Purpose: Assign users and objects to levels and compartments
- Used in: Mandatory Access Control systems (MAC)
- Concept: Users can only access data within their clearance level
🧠 FR : Modèle basé sur une hiérarchie de niveaux (top secret > secret > public…). Utilisé dans les environnements classifiés.
🔵 Non-Interference Model
- Purpose: Prevent actions at higher levels from influencing lower levels
- Goal: Ensure complete isolation (no observable impact between security levels)
🧠 FR : Les utilisateurs bas ne doivent même pas pouvoir déduire qu’un utilisateur haut a agi. Aucune interférence observable.
🎯 Summary Table
| Model | Focus | Key Rule |
|---|---|---|
| Bell–LaPadula | Confidentiality | No Read Up / No Write Down |
| Biba | Integrity | No Read Down / No Write Up |
| Clark–Wilson | Integrity via control | Access via TPs only |
| Brewer–Nash | Conflict of interest | Chinese Wall dynamic access |
| Graham–Denning | Access control ops | 8 rules: create, assign, revoke... |
| Take–Grant | Delegation of rights | Take / Grant / Revoke |
| Lattice-based | Multi-level access | Clearance-based access |
| Non-Interference | Isolation | No observable influence |
🧠 Mnemonics (English)
- Bell–LaPadula = Don't leak secrets
- Biba = Don't let low-integrity data corrupt the system
- Clark–Wilson = Only trusted programs touch sensitive data