Episode 38: Security Models: Bell-LaPadula, Biba, Clark-Wilson
Welcome to The Bare Metal Cyber CISSP Prepcast. This series helps you prepare for the ISC squared CISSP exam with focused explanations and practical context.
In this episode, we’re diving into foundational Security Models—specifically the Bell-LaPadula model, the Biba model, and the Clark-Wilson model. These are theoretical constructs used to define and enforce security properties within computer systems. Understanding these models is critical not just for passing the CISSP exam but for implementing secure architecture, access control mechanisms, and data governance strategies that support confidentiality, integrity, and compliance.
Security models give us structured ways to reason about system security. They act as blueprints for controlling access, enforcing boundaries, and protecting sensitive information. Each model has specific rules and assumptions, designed to meet a particular set of security objectives. Some focus on preventing unauthorized disclosure. Others emphasize maintaining data accuracy. And some are designed to stop fraud and support accountability in commercial settings.
Let’s start with the importance of security models. These models provide theoretical frameworks that guide how systems are built and evaluated for security. Just like architects follow building codes, cybersecurity professionals rely on models to ensure systems behave securely under defined conditions.
They also support regulatory compliance. By aligning system behavior with tested models, organizations can demonstrate due diligence and structured security design. This is especially important in industries like government, healthcare, banking, and defense, where regulatory standards often reference or imply model-based security principles.
Models bring clarity to complex systems. They help you define access control rules, isolate trust boundaries, identify potential misuse, and justify design choices. Whether you're writing a security policy, designing a software system, or building a cloud architecture, security models help ensure that your strategies are grounded in established logic.
Let’s begin with the Bell-LaPadula model. This is one of the oldest and most well-known security models, developed in the early 1970s for the United States Department of Defense. It was specifically created to enforce confidentiality in military and classified environments.
The Bell-LaPadula model focuses entirely on preventing unauthorized disclosure of information. It uses a multi-level security classification system with defined clearance levels—such as unclassified, confidential, secret, and top secret.
There are two key rules that govern the Bell-LaPadula model. The first is the Simple Security Property—also known as “no read up.” This means that a user with a lower clearance cannot read data classified at a higher level. For example, an employee cleared for confidential data cannot read top secret documents.
The second rule is the *-Property—pronounced “star property”—which states “no write down.” This means that a user cannot write information to a lower classification level. For example, someone working on top secret data cannot write or save information to a lower-level system, like unclassified email or external drives.
Together, these two properties ensure that sensitive data is not leaked to lower clearance levels, either accidentally or maliciously. Bell-LaPadula is highly effective in environments where confidentiality is the top concern and unauthorized disclosure would have catastrophic consequences.
However, it is worth noting that the Bell-LaPadula model does not focus on integrity. It assumes that all subjects with access to high-level information will behave responsibly and does not account for potential data tampering.
Now let’s explore the Biba model, which was developed as a counterpart to Bell-LaPadula. While Bell-LaPadula prioritizes confidentiality, Biba focuses on integrity—ensuring that data is not improperly altered, whether by accident or by malicious activity.
The Biba model uses a different set of rules. It introduces “no read down” and “no write up.” In simple terms, this means users cannot read data from a lower integrity level, and they cannot write to a higher integrity level.
Let’s break that down. “No read down” prevents high-integrity subjects—such as administrators or trusted systems—from reading potentially untrustworthy data from low-integrity sources. This protects critical decision-making systems from being influenced by corrupted or questionable inputs.
“No write up” prevents users or systems at a lower integrity level from contaminating or modifying data in higher-integrity systems. For example, an employee entering information into a database cannot write to the master financial records unless they meet the integrity clearance required.
This model is highly relevant in fields such as finance, healthcare, and manufacturing, where it is vital to maintain the accuracy and trustworthiness of data. It stops bad data from spreading upward and corrupting the systems that depend on accurate input.
The Biba model ensures that once data is classified as high integrity, it remains reliable. However, like Bell-LaPadula, Biba focuses exclusively on one aspect—integrity—and provides no mechanism for protecting confidentiality.
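As an added illustration of the four rules described above for Bell-LaPadula and Biba (example code written for this page, not part of the episode), the following reference monitor encodes each model as a comparison of ordered levels. The clearance names are the episode's; the three integrity levels and the sample subject and object are constructed.

```python
# Added example (not from the episode): a minimal reference monitor applying the
# Bell-LaPadula and Biba rules to read/write requests. Clearance names come from
# the episode; the three integrity levels are constructed for illustration.

CONFIDENTIALITY = ["unclassified", "confidential", "secret", "top secret"]
INTEGRITY = ["untrusted", "user", "admin"]  # low -> high (constructed lattice)


def _rank(level, lattice):
    return lattice.index(level)  # position in the ordered list = dominance order


def blp_allows(subject_clearance, object_classification, op):
    """Bell-LaPadula: simple security (no read up) and *-property (no write down)."""
    s = _rank(subject_clearance, CONFIDENTIALITY)
    o = _rank(object_classification, CONFIDENTIALITY)
    if op == "read":
        return s >= o  # subject clearance must dominate the object's classification
    if op == "write":
        return s <= o  # information may only flow to an equal or higher level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity, object_integrity, op):
    """Biba: simple integrity (no read down) and integrity *-property (no write up)."""
    s = _rank(subject_integrity, INTEGRITY)
    o = _rank(object_integrity, INTEGRITY)
    if op == "read":
        return s <= o  # only consume data at least as trustworthy as the subject
    if op == "write":
        return s >= o  # never contaminate data more trustworthy than the subject
    raise ValueError(f"unknown operation {op!r}")


def check_request(subject, obj, op):
    """Apply both models; returns the rules that deny the request (empty = allowed)."""
    denials = []
    if not blp_allows(subject["clearance"], obj["classification"], op):
        denials.append("BLP: no read up / no write down")
    if not biba_allows(subject["integrity"], obj["integrity"], op):
        denials.append("Biba: no read down / no write up")
    return denials


if __name__ == "__main__":
    analyst = {"clearance": "confidential", "integrity": "user"}
    report = {"classification": "top secret", "integrity": "admin"}
    print(check_request(analyst, report, "read"))
```

Note that a real multilevel system labels subjects with both a confidentiality clearance and an integrity level, which is why check_request consults both models for every request.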
For more cyber-related content and books, please visit cyberauthor.me. You'll find best-selling books, training tools, and resources tailored specifically for cybersecurity professionals. You can also explore additional podcast episodes and exam resources at Bare Metal Cyber dot com.
Now let’s turn to the Clark-Wilson model. This model is also focused on integrity but takes a different approach. Instead of using strict hierarchical levels like Bell-LaPadula or Biba, Clark-Wilson defines integrity through well-formed transactions, separation of duties, and strong process control.
The Clark-Wilson model is particularly well suited for commercial environments like banking, retail, or manufacturing—places where fraud prevention and data accuracy are key concerns.
At the heart of the Clark-Wilson model are three core concepts: constrained data items, transformation procedures, and integrity verification procedures. Constrained data items are data that must be protected—such as customer balances or payroll records. Transformation procedures are the only ways this data can be modified. These are tightly controlled programs or workflows that ensure changes are valid. Finally, integrity verification procedures regularly check data to confirm that it has not been tampered with.
This model also separates subjects from objects. Only authorized users can execute transformation procedures, and they are never allowed to modify constrained data directly. Combined with separation of duties, this ensures that no single person can create, approve, and post a transaction alone.
For example, in a banking system, one employee might enter a payment, but a different employee must approve it before it is processed. This dual-control mechanism helps prevent fraud, insider threats, and careless errors.
The Clark-Wilson model also places emphasis on auditing. All changes to constrained data must be logged and reviewed. This not only ensures data integrity but also creates accountability and supports forensic investigation when needed.
While Bell-LaPadula and Biba use mandatory access control models with defined levels, Clark-Wilson is more focused on practical, policy-driven controls. It supports commercial operations by ensuring integrity through structured processes and procedural enforcement.
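As an added example of the Clark-Wilson elements described above (example code written for this page, not part of the episode), the following toy payments ledger exposes its constrained data items only through two transformation procedures, binds each procedure to a certified role, rejects a payment approved by the same person who entered it, records every invocation in an audit log, and offers an integrity verification procedure. The account names, roles and amounts are constructed.

```python
# Added example (not from the episode): a toy Clark-Wilson enforcement layer.
# CDIs (balances), TPs (enter/approve), an IVP, separation of duties and auditing.

class IntegrityViolation(Exception):
    pass


class Ledger:
    """Constrained data items may change only through certified transformation procedures."""

    def __init__(self, balances):
        self.cdi = dict(balances)             # constrained data items (account balances)
        self.pending = {}                     # payments entered but not yet approved
        self.audit_log = []                   # every TP invocation lands here
        self._total = sum(balances.values())  # invariant the IVP re-checks
        # Access triples: which roles are certified to run which TP on the ledger.
        self.triples = {"enter_payment": {"clerk"}, "approve_payment": {"supervisor"}}

    def _authorize(self, tp, user):
        if not user["roles"] & self.triples[tp]:
            self.audit_log.append((tp, user["name"], "denied: role"))
            raise IntegrityViolation(f"{user['name']} is not certified for {tp}")

    def enter_payment(self, user, pay_id, src, dst, amount):
        self._authorize("enter_payment", user)
        if amount <= 0 or self.cdi.get(src, 0) < amount or dst not in self.cdi:
            self.audit_log.append(("enter_payment", user["name"], "denied: malformed"))
            raise IntegrityViolation("not a well-formed transaction")
        self.pending[pay_id] = (user["name"], src, dst, amount)
        self.audit_log.append(("enter_payment", user["name"], pay_id))

    def approve_payment(self, user, pay_id):
        self._authorize("approve_payment", user)
        entered_by, src, dst, amount = self.pending[pay_id]
        if entered_by == user["name"]:  # separation of duties: enterer may not approve
            self.audit_log.append(("approve_payment", user["name"], "denied: same user"))
            raise IntegrityViolation("the user who entered a payment cannot approve it")
        del self.pending[pay_id]
        self.cdi[src] -= amount           # the only code path that touches a CDI
        self.cdi[dst] += amount
        self.audit_log.append(("approve_payment", user["name"], pay_id))

    def ivp(self):
        """Integrity verification procedure: no overdraft and money is conserved."""
        return min(self.cdi.values()) >= 0 and sum(self.cdi.values()) == self._total
```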
Let’s now look at continuous application of these security models. Just like security policies and technical controls, models must be reviewed and updated over time. They must be applied consistently across systems and reassessed as your environment, threats, and regulatory landscape evolve.
Audits and assessments help verify adherence to your chosen models. For example, you may audit whether a “no read up” policy is being enforced in high-security systems, or whether access controls supporting least privilege align with the Biba model.
Cross-functional collaboration is key. Applying security models is not the responsibility of security teams alone. Developers, system architects, compliance teams, and business leaders must all participate to ensure that controls are effective and business needs are met.
Training reinforces adoption. Staff must understand the rationale behind access control restrictions, transaction workflows, or separation of duties. When people understand the “why,” they are more likely to support and follow secure practices.
Incident feedback loops provide insight into where models may need to be adapted. If a breach shows that privileged accounts were misused, a deeper application of least privilege or role-based access control may be required. If sensitive data was accessed improperly, a re-evaluation of confidentiality models may be necessary.
Ultimately, the Bell-LaPadula, Biba, and Clark-Wilson models offer different but complementary perspectives on how to structure security in systems. Bell-LaPadula defends confidentiality. Biba enforces integrity. Clark-Wilson supports transactional security and fraud prevention through process control. Together, they provide a foundation for secure design, operational effectiveness, and regulatory compliance.
Thank you for joining the CISSP Prepcast by Bare Metal Cyber. Visit baremetalcyber.com for additional episodes, comprehensive CISSP study materials, and tailored certification support. Deepen your understanding of foundational Security Models, and we'll consistently support your journey toward CISSP certification success.
