M-209 cipher machine.

CISSP Domain 3 — Security Architecture and Engineering

Security engineering and security architectural design are, of course, far more complicated and difficult than (ISC)2 material suggests. See the work of Ross Anderson and Matthew Green for the real stories.

Formal Security Models

These are formal and academic. They're listed here in order from most to least likely to appear on the exam. All you need to know about them is:

Bell-LaPadula model

The easiest and most obvious, as it's focused on secrecy. Secrets should not flow down in a multi-level security model.

Someone with a Secret clearance should not be able to:

That's easy, so they put further labels on things:

Simple Security property: no read up
Star property: no write down

Biba model

Conversely, this one is focused on integrity and therefore trustworthiness. The easiest analogy is to think of a village with a monastery, where the monks are copying scriptures. You only trust the integrity, and thus the meaning or accuracy, of a document from above: belief or trust flows down, not up.

This has similar formal properties with converse meanings:

Simple Integrity property: no read down (a subject cannot observe an object of lower integrity)
Star property: no write up (a subject cannot modify an object of higher integrity)
Invocation property: a subject cannot send logical service requests to an object of higher integrity (the monks can't make requests of the chief priests, and the villagers can't ask anyone for help)

For both Bell-LaPadula and Biba: reading is simple, all I have to do is look at the page. Writing is more involved: I must have a pen and ink, and move the pen. So the "simple" properties have to do with reading, and the others, the "star" properties, with writing.
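As an added example (not from the original page or from (ISC)2 material), here are the Bell-LaPadula and Biba rules above written out as a small reference-monitor check in Python. The level orderings and the sample requests are constructed for illustration, with the Biba levels following the monastery analogy.

```python
from enum import IntEnum

# Constructed label lattices (assumption: a simple linear ordering on each).
class Secrecy(IntEnum):      # Bell-LaPadula: confidentiality levels
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Integrity(IntEnum):    # Biba: trustworthiness levels, per the monastery analogy
    VILLAGER = 0
    MONK = 1
    CHIEF_PRIEST = 2

def blp_allows(subject: Secrecy, obj: Secrecy, op: str) -> bool:
    # Bell-LaPadula: secrets must not flow down.
    if op == "read":
        return subject >= obj    # simple security property: no read up
    if op == "write":
        return subject <= obj    # star property: no write down
    raise ValueError(f"unknown operation {op!r}")

def biba_allows(subject: Integrity, obj: Integrity, op: str) -> bool:
    # Biba: untrusted data must not flow up.
    if op == "read":
        return subject <= obj    # simple integrity property: no read down
    if op == "write":
        return subject >= obj    # star property: no write up
    if op == "invoke":
        return subject >= obj    # invocation property: no requests to higher integrity
    raise ValueError(f"unknown operation {op!r}")

def denied_requests(requests, policy):
    # Reference-monitor style check: return the (subject, object, op) triples
    # the policy rejects, i.e. the ones an audit log would record.
    return [(s, o, op) for s, o, op in requests if not policy(s, o, op)]

if __name__ == "__main__":
    # Constructed sample requests; comments give the expected decision.
    blp = [(Secrecy.SECRET, Secrecy.TOP_SECRET, "read"),      # read up: denied
           (Secrecy.SECRET, Secrecy.CONFIDENTIAL, "write"),   # write down: denied
           (Secrecy.SECRET, Secrecy.CONFIDENTIAL, "read"),    # read down: allowed
           (Secrecy.SECRET, Secrecy.TOP_SECRET, "write")]     # write up: allowed
    print("BLP denied:", denied_requests(blp, blp_allows))
    biba = [(Integrity.MONK, Integrity.VILLAGER, "read"),       # read down: denied
            (Integrity.MONK, Integrity.CHIEF_PRIEST, "write"),  # write up: denied
            (Integrity.VILLAGER, Integrity.MONK, "invoke"),     # ask for help: denied
            (Integrity.MONK, Integrity.CHIEF_PRIEST, "read")]   # read up: allowed
    print("Biba denied:", denied_requests(biba, biba_allows))
```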

Brewer and Nash, or the Chinese Wall model

This focuses on preventing conflicts of interest. A law firm or financial services firm might support clients who compete or conflict with each other. An individual staff member can choose to work with either client, but once they choose, they are limited to dealing with them only.

This is basically the movie Wall Street. Bud Fox could have worked for his father's union of aircraft mechanics, or for the Wall Street trader Gordon Gekko, but his penetration of the metaphorical wall leads to trouble for everyone.

Clark-Wilson model

Shout-out to student John Bernheimer for providing the great analogy!

Biba plus integrity at the transaction level, through the abstraction of well-formed transactions. Think of Amazon. They have an enormous and critical inventory database. Of course you aren't allowed to interact with it directly.

However, your interactions with their web pages do access the database through some limited, trusted, secure API. You click "Put this in my cart" and then "Check out", driving a defined sequence of transactions. Everything you do follows their defined rules, and the end result is that you have modified their database through the process of purchasing an item: not directly, but all through their trusted API.

Graham-Denning model

Defines three categories: objects, subjects, and rights.

It then defines a set of eight primitive commands that subjects can execute to act on objects or other subjects.

It's a small set of basic operations, or verbs. Simple is easier to get right, so it's more secure.

Harrison, Ruzzo, Ullman model

Like Graham-Denning, but less restrictive.


I'm surprised that CISSP doesn't go deeper into cryptography than it does, given the exam's reputation as academic and rigorous. Here is a set of terms you need to know.

Quantum Defense and Offense

Quantum cryptography is for defense, to protect secrets. It's used for QKD or quantum key distribution, where you use single-photon signalling to securely exchange a key to be used with a conventional symmetric cipher like AES.

Quantum computing is for offense or cryptanalysis, to attack secrets. A general-purpose quantum computer could quickly solve problems which are otherwise impractically difficult, thus breaking all the asymmetric ciphers we now use to protect key exchange: factoring (RSA) and discrete logarithm (ECC, Diffie-Hellman, ElGamal).