The Bell-LaPadula model is used to enforce access control within the government and military. It was developed by David Elliott Bell and Leonard J. LaPadula, hence the funny name. The Bell-LaPadula model focuses on confidentiality. While the formal model may not be applicable for most uses, the terminology and concepts are still important to passing the CISSP exam. As you review the model, think of the military uses of clearance levels; it will make understanding easier.
Unclassified < Confidential < Secret < Top Secret
In a nutshell, the Bell-LaPadula model prevents a user with a Secret clearance from viewing a Top Secret document (no read up). It also prevents a user from putting Top Secret information within a Secret document (no write down). In this model, the entities are divided into subjects and objects. Think of subjects as users and objects as computers or documents. To determine whether access is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode.
No read up
Fred wants to read a document. Using the Bell-LaPadula model, we’d first determine the classification of the document (the object). Then we’d determine the clearance of Fred (the subject). If the document is classified as Top Secret, but Fred only has a Secret clearance, then we wouldn’t let Fred read it. If Fred had a clearance that was equal to or higher than the document, like Top Secret, then we’d allow this. Similarly, if the document had a classification that was equal to or lower than Fred’s clearance, then we’d also allow it.
No write down
Fred would like to add a page to the document. First we’d determine the classification of the page he wants to add. Then we’d determine the classification of the document. If the page that Fred wants to add is classified as Top Secret, and the document he wants to add it to is classified Secret, then we’d tell Fred “no”, and send him on his way. If Fred wanted to add a page whose classification was equal to or lower than the document’s, then we’d allow this. Likewise, if the document had a classification that was equal to or higher than the classification of the page Fred wants to add, then this would be fine.
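The two checks above, written as a small reference monitor. This is an added example, not part of the original post; the function names, the deny-by-default handling of unknown labels and access modes, and the sample requests are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Ordering from the article: Unclassified < Confidential < Secret < Top Secret
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def parse_level(label):
    """Map a label such as 'Top Secret' to a Level; unknown labels raise ValueError."""
    try:
        return Level[label.strip().upper().replace(" ", "_")]
    except KeyError:
        raise ValueError(f"unknown label: {label!r}") from None

def decide(mode, source_label, object_label):
    """Return (allowed, reason) for one request.

    read : source_label is the subject's clearance.
    write: source_label is the classification of the information being added.
    """
    try:
        src, obj = parse_level(source_label), parse_level(object_label)
    except ValueError as exc:
        return False, f"deny: {exc}"  # fail closed on unlabeled data
    if mode == "read":
        if src >= obj:
            return True, "allow: clearance is equal to or higher than the object"
        return False, "deny: no read up"
    if mode == "write":
        if src <= obj:
            return True, "allow: information goes to an equal or higher level"
        return False, "deny: no write down"
    return False, f"deny: unknown access mode {mode!r}"

# Constructed requests mirroring the Fred scenarios in the text.
REQUESTS = [
    ("read", "Secret", "Top Secret"),    # Fred (Secret) reads a Top Secret document
    ("read", "Top Secret", "Secret"),    # clearance above the document
    ("write", "Top Secret", "Secret"),   # Top Secret page into a Secret document
    ("write", "Confidential", "Secret"), # lower-classified page into a Secret document
    ("read", "Secret", "Cosmic"),        # label the monitor does not know
]

def evaluate_all(requests=REQUESTS):
    return [decide(*r) for r in requests]

if __name__ == "__main__":
    for req, (_, why) in zip(REQUESTS, evaluate_all()):
        print(req, "->", why)
```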
Image courtesy Ninja M.
It was pretty easy for me to understand how someone would not be able to “read up”, or get access to a document or file that they were not cleared for but I had a hard time understanding “writing down”. This article made it easy for me to understand.
“Fred wants to read a document. Using the Bell-LaPadula model, we’d first determine the classification of the document (the subject). Then we’d determine the clearance of Fred (the subject).”
Shouldn’t this be “the document (the object)”?
Anon – Thanks for the correction, I updated the post.