(Image: M-209 cipher machine.)

CISSP Domain 3 — Security Architecture and Engineering



Security engineering and security architectural design are, of course, far more complicated and difficult than (ISC)2 material suggests. See the work of Ross Anderson and Matthew Green for the real stories.

Formal Security Models

These are formal and academic. They're listed here in order from most to least likely to appear on the exam. All you need to know about them is:


Bell—LaPadula model

The easiest and most obvious, as it's focused on secrecy. Secrets should not flow down in a multi-level security model. Using the usual U.S. Government model, Confidential is the entry-level, the least sensitive controlled-access data; Top Secret is the most sensitive, and Secret is in the middle:

(Diagram: Top Secret above Secret above Confidential.)

Someone with a Secret clearance should not be able to read Top Secret data (read up) or write their output into a space where people with only a Confidential clearance can see it (write down).

There's no problem if they see Confidential data (read down) or write their output into a space where Top Secret people can see it (write up).

This concept is too easy, so they put further labels on things:

Simple Security property: No read up
Star property: No write down

Certification exams are not about how things really work, or how to do things. A large percentage of the questions aren't really about recognizing what is most important. The exam questions are intentionally vague and poorly worded, and function to test your ability to memorize or figure out the certifier's sloppy and inconsistent terminology.

Biba model

The Biba model, on the other hand, is focused on integrity and therefore trustworthiness. The easiest analogy is to think of a village with a monastery, where the monks copy scriptures. You only trust the integrity, and thus the meaning or accuracy, of a document that comes from above: belief or trust flows down, not up.

(Diagram: chief priest above the monks, who are above the villagers.)

It has formal properties similar to Bell-LaPadula's, but with converse meanings:

Simple Integrity property: No read down
(A subject cannot observe an object of lower integrity.)
Star property: No write up
(A subject cannot modify an object of higher integrity.)
Invocation property: A subject cannot send logical service requests to an object of higher integrity.
(The monks can't make requests of the chief priests, and the villagers can't ask anyone for help. The more enlightened layers send new information down when they feel that it's appropriate.)

A mnemonic that works for both Bell-LaPadula and Biba: reading is simple, all I have to do is look at the page. Writing is more involved: I must have a pen and ink, and move the pen. So the "simple" properties have to do with reading, and the "star" properties with writing.
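To make the mirror image between the two models concrete, here is an added example (not from the original page) of a tiny reference monitor that checks one requested operation against both the Bell-LaPadula secrecy rules and the Biba integrity rules. The level names reuse the page's two analogies; the subjects, objects and the idea of giving each entity one combined label are constructed for illustration.

```python
# Added example, not from the original page: a reference monitor that checks a
# requested operation against the Bell-LaPadula (secrecy) rules and the Biba
# (integrity) rules at the same time. Level names, subjects and objects are
# constructed for illustration.

from dataclasses import dataclass

# Ordered lattices: a higher index is more sensitive (secrecy) or more trusted
# (integrity). The names follow the page's two analogies.
SECRECY = ["Confidential", "Secret", "Top Secret"]
INTEGRITY = ["Villager", "Monk", "Chief priest"]


@dataclass(frozen=True)
class Label:
    secrecy: int    # index into SECRECY
    integrity: int  # index into INTEGRITY


def label(secrecy_name, integrity_name):
    return Label(SECRECY.index(secrecy_name), INTEGRITY.index(integrity_name))


def violations(op, subject, obj):
    """Return the name of every rule the operation would break (empty = allowed).

    Note the mirror image: Bell-LaPadula forbids reading up and writing down,
    Biba forbids reading down and writing up."""
    broken = []
    if op == "read":
        if subject.secrecy < obj.secrecy:
            broken.append("BLP simple security: no read up")
        if subject.integrity > obj.integrity:
            broken.append("Biba simple integrity: no read down")
    elif op == "write":
        if subject.secrecy > obj.secrecy:
            broken.append("BLP star: no write down")
        if subject.integrity < obj.integrity:
            broken.append("Biba star: no write up")
    elif op == "invoke":
        # Service requests only flow down or sideways in Biba; BLP says nothing.
        if subject.integrity < obj.integrity:
            broken.append("Biba invocation: no requests to higher integrity")
    else:
        raise ValueError(f"unknown operation {op!r}")
    return broken


def blp_allows(op, subject, obj):
    return not any(v.startswith("BLP") for v in violations(op, subject, obj))


def biba_allows(op, subject, obj):
    return not any(v.startswith("Biba") for v in violations(op, subject, obj))


if __name__ == "__main__":
    monk = label("Secret", "Monk")                     # constructed subject
    ts_scripture = label("Top Secret", "Chief priest")  # constructed objects
    village_note = label("Confidential", "Villager")
    for op, target in [("read", ts_scripture), ("read", village_note),
                       ("write", ts_scripture), ("write", village_note)]:
        print(op, SECRECY[target.secrecy], INTEGRITY[target.integrity],
              violations(op, monk, target) or "allowed")
```

Running it shows the Secret-cleared monk may read the Confidential village note under Bell-LaPadula (read down) but not under Biba (read down from a lower-integrity source), and may write up into the Top Secret scripture under Bell-LaPadula but not under Biba.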

Brewer and Nash, or the Chinese Wall model

This focuses on preventing conflicts of interest. A law firm or financial services firm might support clients who compete or conflict with each other. An individual staff member can choose to work with either client, but once they choose, they are limited to dealing with that client only.

This is basically the story of the movie Wall Street. The character Bud Fox could have worked for his father's union of aircraft mechanics, or for the Wall Street trader Gordon Gekko, but his penetration of the metaphorical wall leads to trouble for everyone.
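The wall is built dynamically from each person's access history, not from a static permission list. Here is an added example (not from the original page) of a Brewer-Nash monitor; the conflict-of-interest classes, company names and dataset names are constructed, and the write rule is a simplified rendering of the model's star property.

```python
# Added example, not from the original page: a Chinese Wall (Brewer-Nash)
# monitor. Conflict-of-interest classes, companies and datasets are
# constructed for illustration.

from collections import defaultdict

# conflict-of-interest class -> company -> the datasets that company owns
COI_CLASSES = {
    "airlines": {"Airline A": {"airline-a-contracts"},
                 "Airline B": {"airline-b-contracts"}},
    "brokerages": {"Trading Firm": {"broker-trades"}},
}


def owner_of(dataset):
    """Return (coi_class, company) for a dataset."""
    for coi, companies in COI_CLASSES.items():
        for company, datasets in companies.items():
            if dataset in datasets:
                return coi, company
    raise KeyError(dataset)


class ChineseWall:
    def __init__(self):
        # subject -> set of (coi_class, company) already accessed. The wall is
        # built from this history; there is no static permission list.
        self.history = defaultdict(set)

    def can_read(self, subject, dataset):
        coi, company = owner_of(dataset)
        # Allowed unless the subject already touched a *different* company in
        # the same conflict-of-interest class.
        return not any(h_coi == coi and h_company != company
                       for h_coi, h_company in self.history[subject])

    def read(self, subject, dataset):
        if not self.can_read(subject, dataset):
            raise PermissionError(f"{subject} is walled off from {dataset}")
        self.history[subject].add(owner_of(dataset))

    def can_write(self, subject, dataset):
        """Simplified star property: a subject may write to a company's dataset
        only if it may read it and has read no other company's data, so that
        information cannot be carried across the wall via a third company."""
        _, company = owner_of(dataset)
        return (self.can_read(subject, dataset)
                and all(c == company for _, c in self.history[subject]))


if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("bud", "airline-a-contracts")
    print("Airline B readable:", wall.can_read("bud", "airline-b-contracts"))
    print("Trading Firm readable:", wall.can_read("bud", "broker-trades"))
```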

Clark—Wilson model

Shout-out to student John Bernheimer for providing the great analogy!

The Clark—Wilson model is the Biba model plus integrity at the transaction level, through the abstraction of well-formed transactions. Think of Amazon. They have an enormous and critical inventory database. Of course you aren't allowed to interact with it directly.

However, your interactions with their web pages do access the database, through some limited, trusted, secure API. You click "Put this in my cart" and then "Check out", and each click drives a defined sequence of transactions. Everything you do follows their defined rules, and the end result is that you have modified their database through the process of purchasing an item. Not directly, all through their trusted API.

You can say what you want to do, "Check out", but you can't specify how to do that. The forbidden "How" could have included dangerous extra parameters or modification of the transaction environment.
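Here is an added example (not from the original page, and not Amazon's code) of the Clark-Wilson pieces in the inventory analogy: the inventory is a constrained data item (CDI) that users never modify directly; they may only invoke the transformation procedures (TPs) that an access triple permits, each TP is all-or-nothing, and an integrity verification procedure (IVP) checks the CDI after every TP. All user, TP and item names are constructed.

```python
# Added example, not from the original page and not Amazon's code: a
# Clark-Wilson style monitor. Users, TPs, items and triples are constructed.

import copy


class Inventory:
    """The CDI. The only sanctioned way to change _stock is a TP run by run_tp."""

    def __init__(self, stock):
        self._stock = dict(stock)

    def quantity(self, item):
        return self._stock.get(item, 0)

    def ivp(self):
        # Integrity condition: every quantity is a non-negative integer.
        return all(isinstance(q, int) and q >= 0 for q in self._stock.values())


# Transformation procedures: each is a well-formed transaction with a fixed
# signature, so the caller can say *what* ("checkout") but not *how*.
def tp_checkout(inv, cart):
    for item, qty in cart.items():
        if inv.quantity(item) < qty:
            raise ValueError(f"insufficient stock for {item}")
    for item, qty in cart.items():
        inv._stock[item] -= qty


def tp_restock(inv, item, qty):
    if qty <= 0:
        raise ValueError("restock quantity must be positive")
    inv._stock[item] = inv.quantity(item) + qty


TPS = {"checkout": tp_checkout, "restock": tp_restock}

# Access triples (user, TP, CDI): which user may run which TP on which CDI.
TRIPLES = {("customer", "checkout", "inventory"),
           ("warehouse", "restock", "inventory")}

AUDIT_LOG = []   # Clark-Wilson requires every TP invocation to be logged


def run_tp(user, tp_name, cdi_name, cdi, **params):
    """Mediate a TP: check the triple, run it atomically, verify with the IVP."""
    if (user, tp_name, cdi_name) not in TRIPLES:
        raise PermissionError(f"{user} may not run {tp_name} on {cdi_name}")
    snapshot = copy.deepcopy(cdi._stock)
    try:
        TPS[tp_name](cdi, **params)   # unknown "how" parameters raise TypeError
        if not cdi.ivp():
            raise RuntimeError("IVP failed after TP")
    except Exception:
        cdi._stock = snapshot          # roll back: the CDI is never half-changed
        AUDIT_LOG.append((user, tp_name, params, "rejected"))
        raise
    AUDIT_LOG.append((user, tp_name, params, "committed"))
    return True


if __name__ == "__main__":
    inv = Inventory({"book": 2})
    run_tp("customer", "checkout", "inventory", inv, cart={"book": 1})
    print("books left:", inv.quantity("book"), AUDIT_LOG[-1])
```

The point the page makes about "how" shows up in `run_tp`: a caller who tries to smuggle in an extra parameter such as `price=0` never reaches the data, because the TP's signature rejects it and the monitor rolls back and logs the attempt.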

Graham—Denning model

The Graham—Denning model defines three categories: objects, subjects, and rights.

It then defines a set of eight primitive commands that subjects can execute to have effects on objects or other subjects.

It's a small set of basic operations, or verbs. Simple is easier to get right, so it's more secure.
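Here is an added example (not from the original page) of those eight verbs over an access matrix, with the ownership and control checks that each command requires. The rights names, the `*` copy-flag convention and the subjects and objects are constructed for illustration, and the checks are a simplified rendering of the model.

```python
# Added example, not from the original page: an access matrix that implements
# the eight Graham-Denning primitive commands. Subjects, objects and rights
# are constructed for illustration.

from collections import defaultdict

COPY = "*"   # a right carrying the copy flag, e.g. "read*", may be passed on


class AccessMatrix:
    def __init__(self, first_subject):
        # matrix[subject][entity] -> set of rights. The special right "owner"
        # applies to objects and "control" applies to subjects.
        self.matrix = defaultdict(lambda: defaultdict(set))
        self.subjects = {first_subject}
        self.objects = set()

    def _require(self, cond, msg):
        if not cond:
            raise PermissionError(msg)

    # 1. create object: the creator becomes its owner
    def create_object(self, actor, obj):
        self._require(actor in self.subjects, "unknown actor")
        self.objects.add(obj)
        self.matrix[actor][obj].add("owner")

    # 2. create subject: the creator gets control over it
    def create_subject(self, actor, subj):
        self._require(actor in self.subjects, "unknown actor")
        self.subjects.add(subj)
        self.matrix[actor][subj].add("control")

    # 3. delete object: only its owner may
    def delete_object(self, actor, obj):
        self._require("owner" in self.matrix[actor][obj], "not owner")
        self.objects.discard(obj)
        for row in self.matrix.values():
            row.pop(obj, None)

    # 4. delete subject: only its controller may
    def delete_subject(self, actor, subj):
        self._require("control" in self.matrix[actor][subj], "not controller")
        self.subjects.discard(subj)
        self.matrix.pop(subj, None)
        for row in self.matrix.values():
            row.pop(subj, None)

    # 5. read access right: what does subj hold on obj? Requires owning obj
    #    or controlling subj.
    def read_right(self, actor, subj, obj):
        self._require("owner" in self.matrix[actor][obj]
                      or "control" in self.matrix[actor][subj], "cannot inspect")
        return set(self.matrix[subj][obj])

    # 6. grant right: the owner of obj hands a right to subj
    def grant_right(self, actor, right, subj, obj):
        self._require("owner" in self.matrix[actor][obj], "not owner")
        self.matrix[subj][obj].add(right)

    # 7. delete right: the owner of obj or the controller of subj may revoke
    def delete_right(self, actor, right, subj, obj):
        self._require("owner" in self.matrix[actor][obj]
                      or "control" in self.matrix[actor][subj], "cannot revoke")
        self.matrix[subj][obj].discard(right)

    # 8. transfer right: actor passes on a right it holds with the copy flag
    def transfer_right(self, actor, right, subj, obj):
        self._require(right + COPY in self.matrix[actor][obj],
                      f"{actor} holds no transferable {right} on {obj}")
        self.matrix[subj][obj].add(right)


if __name__ == "__main__":
    m = AccessMatrix("admin")
    m.create_subject("admin", "alice")
    m.create_object("admin", "payroll")
    m.grant_right("admin", "read*", "alice", "payroll")
    print("alice on payroll:", m.read_right("admin", "alice", "payroll"))
```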

Harrison, Ruzzo, Ullman model

This model is like Graham—Denning, but less restrictive. It's also the least likely of this sequence to appear on the exam; "like Graham—Denning but less restrictive" is all I have ever bothered to know.


I'm surprised that CISSP doesn't go deeper into cryptography than it does, given the exam's reputation as academic and rigorous. Here is a set of terms you need to know.

Quantum Defense and Offense

Quantum cryptography is for defense, to protect secrets. It's used for quantum key distribution (QKD), where single-photon signalling securely exchanges a key that is then used with a conventional symmetric cipher like AES.

Quantum computing is for offense or cryptanalysis, to attack secrets. A general-purpose quantum computer could quickly solve problems which are otherwise impractically difficult, thus breaking all the asymmetric ciphers we now use to protect key exchange: factoring (RSA) and discrete logarithm (ECC, Diffie-Hellman, ElGamal).
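To show what "single-photon signalling to exchange a key" actually involves, here is an added example (not from the original page) that simulates the BB84 QKD protocol. Photons are modelled as (bit, basis) pairs and the only quantum rule used is that measuring in the wrong basis yields a random bit. The fixed seed, the intercept-resend eavesdropper and the choice to hash the surviving bits into a 128-bit AES key are constructed for illustration.

```python
# Added example, not from the original page: a classical simulation of BB84
# quantum key distribution. The seed and the eavesdropper are constructed.

import hashlib
import random

RECT, DIAG = 0, 1   # the two polarisation bases


def measure(photon, basis, rng):
    """A photon prepared in the measuring basis yields its bit; measured in
    the other basis it yields a random bit (and the original is lost)."""
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randrange(2)


def bb84(n, seed, eavesdrop=False):
    """Run one BB84 exchange of n photons; return sifted length, QBER and key."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)
        if eavesdrop:
            # Intercept-resend: Eve measures in a guessed basis and forwards
            # a fresh photon prepared in *her* basis. Whenever she guesses
            # wrong she disturbs the state, which shows up as errors below.
            e_basis = rng.randrange(2)
            photon = (measure(photon, e_basis, rng), e_basis)
        bob_bits.append(measure(photon, b_basis, rng))

    # Sifting: Alice and Bob publicly compare bases (never bits) and keep
    # only the positions where the bases agreed.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimation: sacrifice a random half of the sifted bits, compare
    # them publicly, and measure the quantum bit error rate (QBER). Without
    # interference it is 0; intercept-resend pushes it to about 25%.
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    sample, keep = idx[: len(idx) // 2], idx[len(idx) // 2:]
    errors = sum(sifted[i][0] != sifted[i][1] for i in sample)
    qber = errors / len(sample)

    # The un-sacrificed bits become key material, here hashed down to a
    # 128-bit key for a symmetric cipher such as AES.
    key_bits = "".join(str(sifted[i][0]) for i in keep)
    aes_key = hashlib.sha256(key_bits.encode()).digest()[:16]
    return {"sifted": len(sifted), "qber": qber, "aes_key": aes_key}


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(2000, seed=7, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={r['sifted']} qber={r['qber']:.3f}")
```

A real implementation aborts and discards the key when the measured QBER exceeds its threshold; that detectable disturbance, rather than any computational hardness, is what the defense rests on.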

Now That You Know Cryptography...

There are some questions where knowing all the technology doesn't give you the correct answer. You must carefully analyze the English prose.

(ISC)2 isn't as bad as CompTIA about doing this, but they still do it on some questions.

Defeat the Certification Exam Language Tricks