4.2.2. Integrity Models: Biba and Clark-Wilson
💡 First Principle: While BLP and Biba are abstract mathematical models, Clark-Wilson was designed for real commercial systems where integrity means "data was modified only through authorized, audited procedures." The difference is crucial: Biba defines integrity as a lattice of trust levels; Clark-Wilson defines integrity as consistency and proper procedure.
Clark-Wilson Model — Commercial Integrity:
Developed for commercial environments (financial systems, healthcare records) by Clark and Wilson in 1987. Addresses a limitation of Biba — real integrity isn't just about who is allowed to write; it's about whether each change was made by a well-formed, approved procedure, by a user entitled to run it, and left an audit trail.
Core concepts:
| Concept | Definition | Example |
|---|---|---|
| CDI (Constrained Data Items) | Data items whose integrity must be protected | Bank account balances, medical records, financial transactions |
| UDI (Unconstrained Data Items) | Data not yet subject to integrity controls; a TP that consumes a UDI must validate it into a CDI or reject it | Free-form notes, unvalidated user input |
| IVP (Integrity Verification Procedure) | Checks that all CDIs are in a valid, consistent state at the moment it runs | Database constraint checks, ledger reconciliation |
| TP (Transformation Procedure) | The only procedures permitted to modify CDIs; each is certified to take CDIs from one valid state to another, and every execution is logged | Properly authorized, tested financial transaction code |
Rules (Clark and Wilson state them as certification rules C1–C5 and enforcement rules E1–E4):
- CDIs can only be modified by certified TPs (E1); any other write path is an integrity violation
- IVPs confirm that the CDIs are in a valid state (C1), and every TP is certified to take CDIs from one valid state to another (C2), so a valid state before a TP implies a valid state after it
- Authorization is expressed as triples of (user, TP, CDI): a user may run a given TP only against the CDIs the triples allow (E2), and must be authenticated before invoking any TP (E3)
- The set of triples must enforce separation of duty, so one user cannot both perform and approve or reconcile the same transaction (C3)
- All TP executions are logged with the user, time, and data changed (C4); the log is itself an append-only CDI
- A TP that accepts a UDI as input must either validate it into a CDI or reject it (C5)
Why Clark-Wilson matters for the exam: It models how real financial and healthcare systems should work. Separation of duties is built in — the TP is the authorized procedure, and who can invoke which TP is controlled. The audit log is mandatory, making this a model for accountability, not just integrity.
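The rules above as a runnable toy enforcement kernel. This is an added example, not code from the page or from any real product: the two-account ledger, the users teller and auditor, the TP names transfer and reconcile, and the amounts are all constructed for illustration, and the IVP's invariant (no negative balance, total money conserved) is an assumption chosen for the demo. The interesting path is the overdraft attempt: the TP deliberately lacks its own check, so the post-execution IVP catches the invalid state, the change is rolled back, and the rejection still lands in the audit log.

```python
"""Toy Clark-Wilson enforcement kernel (added example, not from the page).

Models CDIs (balances), UDIs (untrusted transfer requests), an IVP (ledger
invariant), certified TPs, access triples (user, TP, CDI), a separation-of-
duty check and an append-only audit log. Users, TP names and amounts are
constructed for illustration; the invariant is an assumption for the demo.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class IntegrityViolation(Exception):
    """Raised when a rule of the model would be broken."""


@dataclass
class Ledger:
    cdis: Dict[str, int]      # CDIs: account -> balance in cents
    certified_total: int      # money in the system when it was certified
    audit_log: List[dict] = field(default_factory=list)  # C4: append only


def ivp(ledger: Ledger) -> bool:
    """IVP (C1): no negative balance and total money conserved."""
    return (all(b >= 0 for b in ledger.cdis.values())
            and sum(ledger.cdis.values()) == ledger.certified_total)


def udi_to_amount(raw: object) -> int:
    """C5: a TP fed a UDI must validate it into CDI-grade data or reject it."""
    if not isinstance(raw, str) or not raw.isdigit() or int(raw) <= 0:
        raise IntegrityViolation(f"rejected UDI amount {raw!r}")
    return int(raw)


def tp_transfer(ledger: Ledger, cdis: Tuple[str, ...], udi: dict) -> int:
    """TP: move funds between two CDIs. It deliberately omits an overdraft
    check so the post-execution IVP can be seen catching the bad state."""
    src, dst = cdis
    amount = udi_to_amount(udi.get("amount"))
    ledger.cdis[src] -= amount
    ledger.cdis[dst] += amount
    return amount


def tp_reconcile(ledger: Ledger, cdis: Tuple[str, ...], udi: dict) -> bool:
    """TP: read-only confirmation that the ledger is in a valid state."""
    return ivp(ledger)


TPS = {"transfer": tp_transfer, "reconcile": tp_reconcile}

# E2: only these (user, TP, CDI) combinations are permitted.
ACCESS_TRIPLES = frozenset({
    ("teller", "transfer", "alice"), ("teller", "transfer", "bob"),
    ("auditor", "reconcile", "alice"), ("auditor", "reconcile", "bob"),
})
CONFLICTING_TPS = {("transfer", "reconcile")}   # C3: never held by one user


def certify_triples(triples) -> bool:
    """C3: reject a triple set that lets one user both move and reconcile."""
    held: Dict[str, set] = {}
    for user, tp, _cdi in triples:
        held.setdefault(user, set()).add(tp)
    for a, b in CONFLICTING_TPS:
        for user, tps in held.items():
            if a in tps and b in tps:
                raise IntegrityViolation(f"separation of duty: {user} holds {a} and {b}")
    return True


def run_tp(ledger: Ledger, user: str, tp: str, cdis: Tuple[str, ...], udi: dict):
    """Enforcement point: CDIs change only through here (E1). The caller is
    assumed to have authenticated `user` already (E3)."""
    entry = {"ts": time.time(), "user": user, "tp": tp, "cdis": list(cdis), "udi": dict(udi)}
    if any((user, tp, c) not in ACCESS_TRIPLES for c in cdis):          # E2
        ledger.audit_log.append({**entry, "status": "denied"})
        raise IntegrityViolation(f"{user} may not run {tp} on {cdis}")
    if not ivp(ledger):                                                  # C1
        raise IntegrityViolation("CDIs invalid before TP; halt and investigate")
    snapshot = dict(ledger.cdis)
    try:
        result = TPS[tp](ledger, cdis, udi)
        if not ivp(ledger):                                              # C2
            raise IntegrityViolation("TP left CDIs in an invalid state")
    except IntegrityViolation as exc:
        ledger.cdis = snapshot                                           # roll back
        ledger.audit_log.append({**entry, "status": "rejected", "reason": str(exc)})
        raise
    ledger.audit_log.append({**entry, "status": "ok", "result": result})  # C4
    return result


def demo() -> Ledger:
    """Constructed run: one good transfer, then a denied user, an overdraft
    caught by the IVP, a malformed UDI, and a reconcile by the auditor."""
    ledger = Ledger(cdis={"alice": 10_000, "bob": 5_000}, certified_total=15_000)
    certify_triples(ACCESS_TRIPLES)
    run_tp(ledger, "teller", "transfer", ("alice", "bob"), {"amount": "2500"})
    for user, amount in (("auditor", "1"), ("teller", "99999"), ("teller", "-5")):
        try:
            run_tp(ledger, user, "transfer", ("alice", "bob"), {"amount": amount})
        except IntegrityViolation:
            pass   # each failure is rolled back and recorded in the audit log
    run_tp(ledger, "auditor", "reconcile", ("alice", "bob"), {})
    return ledger
```

Run `demo()` and inspect `audit_log`: the five entries read ok, denied, rejected, rejected, ok, and the balances end at 7,500 each. Note that `certify_triples` is a static check on the authorization data, which is where separation of duty lives in this model; it is not re-derived at each call.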