4.2.3. Other Models: Brewer-Nash and State Machine
Brewer-Nash Model (Chinese Wall):
Addresses conflict of interest — specifically in consulting and financial advisory contexts where advisors serve competing clients. Named after its authors; "Chinese Wall" is the common name used in financial services.
Core concept: Access to data is dynamically restricted based on what data the subject has already accessed. Once a consultant accesses data about Company A, they are automatically prohibited from accessing data about Company A's competitors.
Rule: A subject who has accessed one organization's data in conflict class X cannot subsequently access data belonging to a competing organization in that same conflict class.
Use case: Investment bank analysts who advise on M&A cannot access information about competing deals after they've seen confidential deal information. The "wall" goes up automatically when the analyst accesses the first deal.
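The read rule above can be sketched as a per-subject access history checked against conflict classes. This is an added example, not part of the original material; the class names, company names, and the choice to deny unclassified data are assumptions made for illustration.

```python
class ConflictOfInterest(Exception):
    """The requested read would cross a wall the subject already stands behind."""


class ChineseWall:
    def __init__(self, conflict_classes):
        # Map each company to its conflict class, e.g. "BankA" -> "banks".
        self.class_of = {co: cls for cls, members in conflict_classes.items()
                         for co in members}
        # history[subject][conflict_class] = the company that subject has read from.
        self.history = {}

    def can_read(self, subject, company):
        cls = self.class_of.get(company)
        if cls is None:
            return False  # assumption of this sketch: unclassified data fails closed
        chosen = self.history.get(subject, {}).get(cls)
        # Allowed if the subject has touched nothing in this class yet,
        # or is returning to the same company.
        return chosen is None or chosen == company

    def read(self, subject, company):
        if not self.can_read(subject, company):
            raise ConflictOfInterest(f"{subject} may not read {company}")
        # The first successful read is what raises the wall.
        self.history.setdefault(subject, {})[self.class_of[company]] = company
        return True


# Constructed sample data: two conflict classes, two competitors in each.
CLASSES = {"banks": {"BankA", "BankB"}, "oil": {"OilA", "OilB"}}


def run_demo():
    wall = ChineseWall(CLASSES)
    requests = [("alice", "BankA"), ("alice", "OilB"), ("alice", "BankA"),
                ("alice", "BankB"), ("bob", "BankB"), ("alice", "OilA")]
    decisions = []
    for subject, company in requests:
        try:
            wall.read(subject, company)
            decisions.append((subject, company, "allow"))
        except ConflictOfInterest:
            decisions.append((subject, company, "deny"))
    return decisions


if __name__ == "__main__":
    for row in run_demo():
        print(*row)
```

The same request (BankB) is denied for alice and allowed for bob: the decision depends on each subject's history, not on a static label attached to the subject or object.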
Graham-Denning Model:
Addresses how objects and subjects are created and deleted, and how access rights are transferred. Defines eight protection rules:
- Transfer access right
- Grant access right
- Delete access right
- Read object
- Create object
- Destroy object
- Create subject
- Destroy subject
Why it matters for the exam: It models the administrative operations of an access control system — who can create users, delete objects, and transfer rights. More procedural than BLP or Biba.
Harrison-Ruzzo-Ullman (HRU) Model:
Defines what it means for a protection system to be safe: whether a given right can ever be leaked to an unauthorized subject. HRU proved that this safety question is undecidable for general-purpose systems (you cannot always prove a system is safe). Practically important because it demonstrates the limits of formal verification.
Summary comparison:
| Model | Property | Level | Best For |
|---|---|---|---|
| Bell-LaPadula | Confidentiality | Multi-level | Government/classified systems |
| Biba | Integrity (lattice) | Multi-level | Systems where integrity contamination is the threat |
| Clark-Wilson | Integrity (procedure) | Commercial | Financial, healthcare, audit-required systems |
| Brewer-Nash | Conflict of interest | Dynamic | Consulting, financial advisory, legal |
| Graham-Denning | Access administration | Procedural | Access control system design |
| HRU | Safety (theoretical) | Abstract | Security system analysis |
⚠️ Exam Trap: A question asks which model is best for a hospital EHR system where doctors update patient records and all changes must be audited. The answer is Clark-Wilson — not Biba. Biba would restrict whether a doctor (classified by integrity level) can write to a patient record (also classified). Clark-Wilson models the requirement that records are only modified through authorized, audited procedures (transformation procedures), which is exactly how EHR access should work.
Reflection Question: A law firm serves both the plaintiff and defendant in different cases. A paralegal who works on plaintiff cases should not be able to access defendant case files, and vice versa. This restriction should be applied dynamically based on which files the paralegal has already accessed. Which formal model should govern access to case files, and how, specifically, would the model's rules be implemented?