The Clark-Wilson Model
Author : Yongge Wang
Confidentiality, integrity, and availability are three essential properties for both military and commercial information security systems. In a military environment, the main objective is to prevent disclosure of information. For a commercial system (like a bank system), however, the main concern is to ensure that data integrity is protected from improper modifications and inappropriate actions performed by unauthorized users. The Clark-Wilson security policy model seeks to formalize the principles of accounting security that have accumulated over centuries of experiential bookkeeping. The Clark-Wilson (CW) model consists of subject/program/object triples and rules about data, application programs and triples. In the following, we will briefly discuss the triples and rules.
All formal access control models that pre-date the Clark-Wilson model use the concept of an ordered subject/object pair — that is, a user and an item or collection of data, with a fixed relationship (e.g. read or write) between the two. Clark and Wilson recognized that the relationship could be implemented by an arbitrary program. Accordingly, they devised an ordered subject/program/object triple. They use the term transformational procedure (TP) for a program to make it clear that it has integrity-relevance because it modifies or transforms data according to a rule or procedure. Data modified by transformational procedures are called constrained data items (CDI). This is because they are constrained in the sense that only transformational procedures may modify them and that integrity verification procedures (IVP) exercise constraints on them to ensure that they have certain properties, of which consistency and conformance to the real world are two of the most significant.
Unconstrained data items (UDI) are all other data – chiefly the keyed input to transformational procedures. Once subjects have been constrained so that they can gain access to objects only through specified transformational procedures, transformational procedures can be embedded with whatever logic is needed to effect limitation of privilege and separation of duties. Transformational procedures can themselves control access of subjects to objects at a finer level of granularity than that available to the system. What is more, they can exercise finer controls (e.g. reasonableness and consistency checks on unconstrained data items) for such purposes as double-entry bookkeeping, thus making sure that whatever is subtracted from one account is added to another. To be specific, access control is by means of triples (subject, TP, CDI) which are so structured that a shared control policy is enforced. According to Amoroso’s formulation (as illustrated in the textbook):
- The system will have an IVP for validating the integrity of any CDI
- The application of a TP to CDI must maintain its integrity
- A CDI can only be changed by a TP
- Subjects can only initiate certain TPs on certain CDIs
- Triples must enforce an appropriate separation of duty policy on subjects
- Certain special TPs on UDI can produce CDIs as output
- Each application of a TP must cause enough information to reconstruct it to be written to a special append-only CDI
- The system must authenticate subjects attempting to initiate a TP
- The system must only permit special subjects (i.e. security officers) to make any authorization-related lists.
We can split these principles into two categories: well-formed transactions and separation of duty.
Separation of duty states that no single person should perform a task from beginning to end, but that the task should be divided among two or more people to prevent fraud by one person acting alone.
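The following toy reference monitor is an added illustration, not part of Wang's notes or of Amoroso's text: it enforces the rules listed above over a two-account ledger, with double-entry balance as the IVP, a two-person transfer TP for separation of duty, an append-only log CDI, and a special TP that validates keyed input (a UDI) before it becomes a CDI. The account names, subjects, passwords and the "transfer"/"approve" TP names are constructed for the example.

```python
from decimal import Decimal, InvalidOperation


class ClarkWilsonMonitor:
    def __init__(self, accounts, credentials, triples):
        self.cdi = {k: Decimal(v) for k, v in accounts.items()}  # CDIs: balances
        self.credentials = credentials       # assumed subject -> password table
        self.triples = set(triples)          # (subject, TP, CDI) list, set by the security officer
        self.authenticated = set()           # subjects the system has authenticated
        self.log = []                        # append-only CDI: one entry per TP application
        self.total = sum(self.cdi.values())  # conserved quantity the IVP checks

    def ivp(self):
        """IVP: double-entry invariant, money is moved, never created or destroyed."""
        return sum(self.cdi.values()) == self.total and min(self.cdi.values()) >= 0

    def login(self, subject, password):
        if self.credentials.get(subject) != password:
            raise PermissionError(f"authentication failed for {subject}")
        self.authenticated.add(subject)

    def _check(self, subject, tp, cdi):
        """Subjects may initiate only the TPs on the CDIs their triples allow."""
        if subject not in self.authenticated or (subject, tp, cdi) not in self.triples:
            raise PermissionError(f"{subject} may not run {tp} on {cdi}")

    def validate_amount(self, raw):
        """Special TP: accept keyed input (a UDI) as a CDI only if it passes checks."""
        try:
            amount = Decimal(raw)
            ok = amount.is_finite() and amount > 0 and amount == amount.quantize(Decimal("0.01"))
        except InvalidOperation:  # unparsable input, or a value too large to quantize
            ok = False
        if not ok:
            raise ValueError(f"rejected UDI {raw!r}")
        return amount

    def transfer(self, initiator, approver, src, dst, raw):
        """TP 'transfer': two distinct authorized subjects must take part (separation of duty)."""
        self._check(initiator, "transfer", src)
        self._check(approver, "approve", src)
        amount = self.validate_amount(raw)
        if initiator == approver or self.cdi[src] < amount:
            raise PermissionError("separation of duty violated or insufficient funds")
        self.cdi[src] -= amount
        self.cdi[dst] += amount
        self.log.append((initiator, approver, "transfer", src, dst, str(amount)))
        assert self.ivp(), "TP left the CDIs inconsistent"
        return str(self.cdi[src]), str(self.cdi[dst])
```

Every path that modifies a balance goes through `transfer`, so the IVP holds after each TP and the log records who initiated and who approved it.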