M-209 cipher machine.

CISSP Domain 3 — Security Architecture and Engineering

Domain 3 — Security Architecture and Engineering

Ross Anderson Matthew Green

Security engineering and security architectural design are, of course, far more complicated and difficult than (ISC)2 material suggests. See the work of Ross Anderson and Matthew Green for the real stories.

Formal Security Models

These are formal and academic. They're listed here in order from most to least likely to appear on the exam. All you need to know about them is:

Bell—LaPadula model

The easiest and most obvious, as it's focused on secrecy. Secrets should not flow down in a multi-level security model.

Top Secret

Someone with a Secret clearance should not be able to:

That's easy, so they put further labels on things:

Simple Security property No read up
Star property No write down

Biba model

Conversely, focused on integrity and therefore trustworthiness. The easiest analogy is to think of a village with a monastery, where the monks are copying scriptures. You only trust the integrity, thus the meaning or accuracy, of a document from above: Belief or trust flows down, not up.

Chief priest

This has similar formal properties with converse meanings:

Simple Integrity property No read down
(A subject cannot observe an object of lower integrity)
Star property No write up
(A subject cannot modify an object of higher integrity)
Invocation property A subject cannot send logical service requests to an object of higher integrity.
(The monks can't make requests of the chief priests, and the villagers can't ask anyone for help.)

For both Bell-LaPadula and Biba: Reading is simple, all I have to do is look at the page. Writing is more involved, I must have a pen, and ink, and move the pen. So, "simple" ones have to do with reading, the others, "star", with writing.

Brewer and Nash, or the Chinese Wall model

This focuses on preventing conflicts of interest. A law firm or financial services firm might support clients who compete or conflict with each other. An individual staff member can choose to work with either client, but once they choose, they are limited to dealing with them only.

This is basically the movie Wall Street. Bud Fox could have worked for his father's union of aircraft mechanics, or for the Wall Street trader Gordon Gekko, but his penetration of the metaphorical wall leads to trouble for everyone.

Clark—Wilson model

Shout-out to student John Bernheimer for providing the great analogy!

Biba plus integrity at the transaction level, through the abstraction of well-formed transactions. Think of Amazon. They have an enormous and critical inventory database. Of course you aren't allowed to interact with it directly.

However, your interactions with their web pages do access the database through some limited, trusted, secure API. You click "Put this in my cart" and then "Check out", driving a defined sequence of transactions. Everything you do followed their defined rules, and the end result is that you have modified their database, through the process of purchasing an item. Not directly, all through their trusted API.

Graham—Denning model

Defines three categories: objects, subjects, and rights.

Then defines a set of eight primitive commands that subjects can execute to have effects on objects or other subjects.

It's a small set of basic operations, or verbs. Simple is easier to get right, so it's more secure.

Harrison, Ruzzo, Ullman model

Like Graham—Denning, but less restrictive.


I'm surprised that CISSP doesn't go deeper into cryptography than it does, given the exam's reputation as academic and rigorous. Here is a set of terms you need to know.

Quantum Defense and Offense

Quantum cryptography is for defense, to protect secrets. It's used for QKD or quantum key distribution, where you use single-photon signalling to securely exchange a key to be used with a conventional symmetric cipher like AES.

Quantum computing is for offense or cryptanalysis, to attack secrets. A general-purpose quantum could quickly solve problems which are otherwise impractically difficult, thus breaking all the asymmetric ciphers we now use to protect key exchange: factoring (RSA), discrete logarithm (ECC, Diffie-Hellman, El Gemal).

Now That You Know Cryptography...

There are some questions where knowing all the technology doesn't give you the correct answer. You must carefully analyze the English prose.

(ISC)2 isn't as bad as CompTIA about doing this, but they still do it on some questions.

Here's are two examples, from my CompTIA Security+ study suggestion page. In the second one, "BPA" means "Business Partnership Agreement". You can click "See the answer" to be taken to the answer and its explanation, and then "Return to main page" to get back here:

Example Question #1

Question: You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?

E: thumbprint

See the answer

Example Question #2

Question: Your CEO has met with the CEO of another company, and they have agreed to work together to develop a new service. Authentication and identity management will be connected across the two organizations. Given the sensitivity of the development project, User authentication and authorization will use a centralized server running the best available trusted third-party service. Users will receive identity and service tokens from a unified authentication and authorization service, which requires that system clocks be synchronized across the organizations. Applications will be limited to those written with the API of that service. What do you need?

B: Federation
C: Kerberos
F: Kerberization

See the answer