Biba vs Clark Wilson

---

It's mentioned in the Security Architecture and Engineering series that the distinguishing differences between Biba and Clark Wilson are as follows:
2. Biba - INTEGRITY !!! (only). Like Bell LaPadula, requires that all subjects & objects have a classification label. Designed to address three integrity issues:

Prevent modifications of objects by unauthorized subjects
Prevent unauthorized modifications of objects by authorized subjects
Protect internal and external object consistency

Improves on Biba by focusing on integrity at the transaction level and addressing three major goals of integrity in a commercial environment:

1. Preventing unauthorized users from making modifications to data or programs. 
2. Preventing authorized users from making improper or unauthorized modifications. 
3. Maintaining internal and external consistency of data and programs.

Those seem the same to me. Can you help clarify the differences?
Thanks!

Jeff,

Great question, let me see what we can do for you.

The discussion in the episode(s) is centered around the different types of security models that we can use to explain how a system would implement some aspect of the CIA triad.

Bell La-Padula is focused on Confidentiality

Biba is focused on Integrity

Clark-Wilson is focused on Integrity

The issue for you appears to be around the comparison between Biba and Clark-Wilson with regards to how they address the three main points of Integrity in a system, as noted below:

Prevent modifications of objects by unauthorized subjects
Prevent unauthorized modifications of objects by authorized subjects
Protect internal and external object consistency

Biba ONLY addresses the first of the three items above.

Clark-Wilson addresses ALL THREE of the items above.

Hope that helps to clarify.

If you have any additional questions while you are going through the show, or while studying, please feel free to be in touch as needed. My direct e-mail is: adam@itpro.tv

Good Luck!!

Cheers,

Adam