Common Access Control Models You Should Know for the CISSP Exam

By Lawrence C. Miller, Peter H. Gregory

Models are used to express access control requirements in a theoretical or mathematical framework that precisely describes or quantifies real access control systems. Common access control models include Bell-LaPadula, Access Matrix, Take-Grant, Biba, Clark-Wilson, Information Flow, and Non-interference.

Bell-LaPadula, Access Matrix, and Take-Grant models address confidentiality of stored information. Biba and Clark-Wilson address integrity of stored information.


Bell-LaPadula

The Bell-LaPadula model was the first formal confidentiality model of a mandatory access control system. (We discuss mandatory and discretionary access controls in Chapter 7.) It was developed for the U.S. Department of Defense (DoD) to formalize the DoD multilevel security policy. As we discuss in Chapter 3, the DoD classifies information based on sensitivity at three basic levels: Confidential, Secret, and Top Secret. In order to access classified information (and systems), an individual must have access (a clearance level equal to or exceeding the classification of the information or system) and need-to-know (legitimately in need of access to perform a required job function). The Bell-LaPadula model implements the access component of this security policy.

Bell-LaPadula is a state machine model that addresses only the confidentiality of information. The basic premise of Bell-LaPadula is that information can’t flow downward. This means that information at a higher level is not permitted to be copied or moved to a lower level. Bell-LaPadula defines the following two properties:

  • Simple security property (ss property): A subject can’t read information from an object that has a higher sensitivity label than the subject (also known as no read up, or NRU).
  • *-property (star property): A subject can’t write information to an object that has a lower sensitivity label than the subject (also known as no write down, or NWD).

Bell-LaPadula also defines two additional properties that give it the flexibility of a discretionary access control model:

  • Discretionary security property: This property determines access based on an Access Matrix — more on that model in the following section.
  • Trusted subject: A trusted subject is an entity that can violate the *-property but not its intent.

A state machine is an abstract model used to design computer programs; the state machine illustrates which “state” the program will be in at any time.

Access Matrix

An Access Matrix model, in general, provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. An Access Matrix consists of access control lists (columns) and capability lists (rows). See the table for an example.

An Access Matrix Example

Subject/Object   Directory: H/R   File: Personnel   Process: LPD
Thomas           Read             Read/Write        Execute
Lisa             Read             Read              Execute
Harold           None             None              None
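The following added example (not from the original text) combines the Access Matrix in the table above with the Bell-LaPadula properties in one access decision: the matrix supplies the discretionary security property, and the labels supply the simple security property and the *-property. The clearance and classification labels, and the names `decide` and `acl`, are assumptions made for the illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Access Matrix copied from the table: each row is a subject's capability list.
MATRIX = {
    "Thomas": {"Directory: H/R": {"read"},
               "File: Personnel": {"read", "write"},
               "Process: LPD": {"execute"}},
    "Lisa":   {"Directory: H/R": {"read"},
               "File: Personnel": {"read"},
               "Process: LPD": {"execute"}},
    "Harold": {},  # "None" in every column
}

# Constructed labels (assumption: the page assigns no levels to these names).
CLEARANCE = {"Thomas": Level.TOP_SECRET, "Lisa": Level.CONFIDENTIAL,
             "Harold": Level.TOP_SECRET}
CLASSIFICATION = {"Directory: H/R": Level.CONFIDENTIAL,
                  "File: Personnel": Level.SECRET,
                  "Process: LPD": Level.CONFIDENTIAL}

def acl(obj):
    """Column view of the matrix: the access control list for one object."""
    return {s: row[obj] for s, row in MATRIX.items() if row.get(obj)}

def decide(subject, obj, right, trusted=frozenset()):
    """Return (allowed, rule) for one access request."""
    # Discretionary security property: the matrix must grant the right.
    if right not in MATRIX.get(subject, {}).get(obj, set()):
        return False, "discretionary security property"
    s, o = CLEARANCE[subject], CLASSIFICATION[obj]
    # Simple security property: no read up.
    if right == "read" and o > s:
        return False, "simple security property"
    # *-property: no write down, unless the subject is a trusted subject.
    if right == "write" and o < s and subject not in trusted:
        return False, "*-property"
    # Execute is constrained only by the matrix in this example (assumption).
    return True, "granted"

if __name__ == "__main__":
    for req in [("Lisa", "File: Personnel", "read"),
                ("Thomas", "File: Personnel", "write"),
                ("Harold", "Directory: H/R", "read")]:
        print(req, decide(*req))
```

Lisa holds Read on the Personnel file in the matrix yet is refused by the simple security property, while Harold's Top Secret clearance gets him nothing because the matrix grants him no rights: both checks must pass.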


Take-Grant

Take-Grant systems specify the rights that a subject can transfer to or from another subject or object. These rights are defined through four basic operations: create, revoke, take, and grant.


Biba

The Biba integrity model (sometimes referred to as Bell-LaPadula upside down) was the first formal integrity model. Biba is a lattice-based model that addresses the first goal of integrity: ensuring that modifications to data aren’t made by unauthorized users or processes. (See Chapter 3 for a complete discussion of the three goals of integrity.) Biba defines the following two properties:

  • Simple integrity property: A subject can’t read information from an object that has a lower integrity level than the subject (also called no read down).
  • *-integrity property (star integrity property): A subject can’t write information to an object that has a higher integrity level than the subject (also known as no write up).


Clark-Wilson

The Clark-Wilson integrity model establishes a security framework for use in commercial activities, such as the banking industry. Clark-Wilson addresses all three goals of integrity and identifies special requirements for inputting data based on the following items and procedures:

  • Unconstrained data item (UDI): Data outside the control area, such as input data.
  • Constrained data item (CDI): Data inside the control area. (Integrity must be preserved.)
  • Integrity verification procedures (IVP): Check the validity of CDIs.
  • Transformation procedures (TP): Maintain the integrity of CDIs.

The Clark-Wilson integrity model is based on the concept of a well-formed transaction, in which a transaction is sufficiently ordered and controlled so that it maintains internal and external consistency.
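As an added illustration (not from the original text), the following example shows a well-formed transaction in the banking setting mentioned above: a transformation procedure validates an unconstrained data item and updates the constrained data items only if the integrity verification procedure still passes afterward. The account names, balances, and function names are constructed for the example.

```python
class IntegrityError(Exception):
    """Raised when a UDI is rejected or a CDI invariant would break."""

def ivp(cdis, expected_total):
    """IVP: every balance is a non-negative int and the books still balance."""
    return (all(isinstance(b, int) and b >= 0 for b in cdis.values())
            and sum(cdis.values()) == expected_total)

def transfer_tp(cdis, udi, expected_total):
    """TP: turn one untrusted transfer request (UDI) into a CDI update."""
    if not ivp(cdis, expected_total):
        raise IntegrityError("CDIs failed the IVP before the TP ran")
    src, dst, raw = udi.get("from"), udi.get("to"), udi.get("amount")
    # The UDI comes from outside the control area: validate every field.
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        raise IntegrityError("UDI rejected: amount is not a plain number")
    amount = int(raw)
    known = all(isinstance(a, str) and a in cdis for a in (src, dst))
    if not known or src == dst or amount == 0:
        raise IntegrityError("UDI rejected: bad account or amount")
    # Work on a copy so a failed transaction leaves the CDIs untouched.
    candidate = dict(cdis)
    candidate[src] -= amount
    candidate[dst] += amount
    if not ivp(candidate, expected_total):
        raise IntegrityError("TP aborted: result would fail the IVP")
    cdis.update(candidate)  # commit both sides together
    return cdis

def run(cdis, udi, expected_total):
    """Helper for the demo: report the outcome instead of raising."""
    try:
        transfer_tp(cdis, udi, expected_total)
        return "committed"
    except IntegrityError as exc:
        return str(exc)

if __name__ == "__main__":
    books = {"alice": 100, "bob": 50}  # constructed CDIs
    for amount in ("30", "500", "-5"):
        udi = {"from": "alice", "to": "bob", "amount": amount}
        print(amount, run(books, udi, 150), books)
```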

Information Flow

An Information Flow model is a type of access control model based on the flow of information, rather than on imposing access controls. Objects are assigned a security class and value, and their direction of flow — from one application to another or from one system to another — is controlled by a security policy. This model type is useful for analyzing covert channels, through detailed analysis of the flow of information in a system, including the sources of information and the paths of flow.


Non-interference

A non-interference model ensures that the actions of different objects and subjects aren’t seen by (and don’t interfere with) other objects and subjects on the same system.