4.2. Security Models
💡 First Principle: Formal security models provide mathematically precise definitions of security properties. They answer the question "exactly what does it mean for this system to maintain confidentiality (or integrity)?" in terms of rules about what subjects can do to objects. Without formal models, "secure" is subjective; with them, it is verifiable.
These models were developed in the 1970s and 1980s, primarily for US government classified systems. They remain the theoretical foundation for modern access control and are tested on the CISSP because they clarify thinking about what different security controls actually guarantee. A system implementing Bell-LaPadula is provably maintaining confidentiality — but it says nothing about integrity. These distinctions matter when choosing the right model for a real scenario.
Why this matters: The exam presents scenarios and asks which model applies. The discriminator is always the security property: confidentiality (Bell-LaPadula), integrity (Biba or Clark-Wilson), conflict of interest (Brewer-Nash), or multi-level classification management.
⚠️ Common Misconception: "Bell-LaPadula and Biba are interchangeable confidentiality and integrity models." They address different properties with rules that actually oppose each other. BLP's "no write down" (information flows up) contradicts Biba's "no write up" (integrity flows down). Implementing both simultaneously requires careful design because their rules conflict.
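To make that conflict concrete, here is an added Python example (not from the original guide) that encodes each model's read and write rules as a reference-monitor check and then enforces both on the same access. It assumes, for the demonstration only, that one four-level ordering serves as both the confidentiality label and the integrity label; real systems keep those label sets separate.

```python
from enum import IntEnum
from typing import Callable, List

class Level(IntEnum):
    """One ordered label set, used here (a demo assumption) as both the
    confidentiality clearance/classification and the integrity level."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

Rule = Callable[[Level, Level, str], bool]

def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    simple security property: no read up   -> read only at or below clearance
    *-property:               no write down -> write only at or above clearance"""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity).
    simple integrity property: no read down -> read only at or above own level
    *-integrity property:      no write up  -> write only at or below own level"""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")

def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Enforce both models on the same labels: an access must pass each check."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)

def allowed_targets(rule: Rule, subject: Level, op: str) -> List[Level]:
    """Object levels a subject may access under a rule. The opposing
    *-properties (BLP writes up, Biba writes down) and the combined
    squeeze to the subject's own level show up in the returned lists."""
    return [lvl for lvl in Level if rule(subject, lvl, op)]

if __name__ == "__main__":
    s = Level.SECRET  # constructed subject for the demo
    for name, rule in (("BLP", blp_allows), ("Biba", biba_allows), ("Both", both_allow)):
        for op in ("read", "write"):
            targets = [t.name for t in allowed_targets(rule, s, op)]
            print(f"{name:4} SECRET subject may {op:5}: {targets}")
```

With both rule sets applied to the same labels, a SECRET subject can read and write only SECRET objects, which is why the callout says implementing both requires careful design rather than simply stacking the checks.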