top of page

The Clark-Wilson Model

The Clark-Wilson model is for upholding integrity.

Just like the Biba Model – which is also for upholding integrity.

They're not for confidentiality. That’s what the Bell-LaPadula model is for.

And it’s not availability. That’s what backups, high-availability firewalls, offsite storage, hot sites, cold sites, warm sites are for. But, you know, those aren’t really access control models like The Bell or Biba Model, they're just controls.

Clark-Wilson and Biba High Level Goals

At a high-level, both the Clark-Wilson Model and the Biba Model want to do the following three things:

First, they don’t want unauthorized users making changes within a system.

Even if a change occurs by a single letter, number, or character it has lost all integrity.

Unless, it was meant to be changed.

If it wasn’t meant to be changed, then it has truly lost integrity. This is one of the core goals of the Biba and Clark Wilson access control model, to prevent unauthorized modifications to data. To consistently maintain its integrity.

Second, the Biba and Clark Wilson Model uphold integrity by making sure that authorized users aren’t making unauthorized changes.

As in, yes the user is authorized to make changes, but the user can’t make changes which change the integrity of a file, object or resource.

Meaning, they don’t do something accidentally or even intentionally, (even though they are authorized), to mess up the integrity of a system. Even the good guys can destroy a system by making mistakes.

Biba and Clark Wilson try to lessen that risk.

Third, they both make sure internal and external consistency is maintained.

What does this mean?

It’s a little confusing for me because it sounds like something a financial accountant would know more about for some reason.

Internal consistency is making sure that numbers which are supposed to add, actually add and numbers which are supposed to be multiplied, are actually multiplied and not added. Internal transactions do what they are supposed to do.

As for external consistency, that’s when someone like an investment banker tells his or her client that they sold 1000 shares of stock, and actually did sell 1000 shares of their stock. The banker didn’t tell their customer they sold a 1000 shares of their stock, but in actuality winded up selling only 900 and pocketing the rest of the money.

These internal and external consistency things are a way to maintain integrity, and to keep the systems and people in place honest.

As with anything in security really.

What we just talked about are the high-level concepts of what these two models (Clark-Wilson & Biba) want to do as far as maintaining integrity, but not their specific implementation. That’s where they are different. They both want to uphold integrity, but they both go about doing it in different ways. That’s what we have to know for the CISSP exam.

Quick Recap of The Biba Model

The Biba Model has these three rules:

No Write Up Rule, which says a subject can’t write data to an object at a higher integrity level.

No Read Down Rule, which states a subject cannot read data located at a lower integrity level.

The Invocation Rule where a subject can’t request a service at a higher integrity level (depending on classification level: Top Secret/Secret/Confidential).

Those are all the rules of the Biba model. A model which upholds integrity. It is used to prevent data from being changed.

The Clark-Wilson Model does the same thing, but it does so in a completely different way.

With Clark-Wilson, instead of using integrity levels like in the Biba model, it uses a stringent set of change control principles and an intermediary.

The beauty of the Clark-Wilson model is that if a subject is trying to access an object, it does so without having a direct connection to it - without having direct access to the object.

It takes external entities in order to prove and provide the necessary security.

It requires what is known as a well-formed transaction.

Let’s go over the components of the Clark-Wilson Model.

Clark-Wilson Model


It all starts with users, otherwise known as the subjects. The subjects which will access the objects. Users are the ones that need the information. I think the books call users the “active agents”.

Transformation Procedures (TPs)

Then we have Transformation Procedures. Think of them as operations the subject is trying to perform.

Is the subject trying to read a file?

Write to a file?

Or modify a file?

Transformation Procedures are simply operations which can be performed.

Constrained Data Items (CDIs)

There’s Constrained Data Items and Unconstrained Data Items.

Objects which belong in the subset of Constrained Data Items are at a higher level of protection.

In a Clark-Wilson Model, there are two types of protections given to data items, constrained and unconstrained.

In order to read an object located in the Constrained Data Items subset, we have to go through a transformation procedure.

Constrained Data Items can only be manipulated by a Transformation Procedure.

Objects within a Constrained Data Items are so valuable, that in a Clark-Wilson model, a subject has to go through an intermediary to even just access it.

Unconstrained Data Items (UDIs)

Now objects in an Unconstrained Data Item subset, well they probably aren’t that important.

These can be accessed by the subject directly, it doesn’t need to go through an intermediary like a Transformation Procedure. The subject can perform their own read and write operations without going through a Transformation Procedure.

Subjects access objects in a UDI like how they would normally access an object in a networked environment, as if they weren't using a Clark-Wilson Model. Like how we access files or objects in Windows operating systems.

Integrity Verification Procedures (IVPs)

What is an Integrity Verification Procedure?

Are they anything like Transformation Procedure?

Remember how we talked about internal and external consistency?

That’s what Integrity Verification Procedures do, they check the internal and external consistency.

IVPs are a way to audit the transformation procedure.


The Clark-Wilson Model enforces the concept of separation of duties. This is done through the Integrity Verification Procedures.

When the IVP audits the well-formed transactions of the Transformation Procedures, the IVP is independently performing a duty separate from that of the Transformation Procedure.

Separation of duties is performed when the IVP audits the Transformation Procedure.

Makes sense right? It prevents the Transformation Procedure from auditing its own work, and instead has some other entity making sure true integrity is upheld.

So remember this one: Clark-Wilson implements a form of separation of duties in its access control methodology.

And actually, you can also see the Separation of Duties principle when the Transformation Procedure accesses the Constrained Data Item on behalf of the subject. Duties are separated because it isn’t the job of the subject to access the CDI, but rather belongs to the Transformation Procedure.

The Clark-Wilson model is trying to separate a subject completely from an object in a CDI through the use of an intermediary. This separates duties so the subject cannot access the object directly, as it is not part of the subject's duty.

Another exam concept as we’ve said, Clark-Wilson upholds integrity through the use of well-formed transactions in the process of using Transformation Procedures.

Unlike the Biba model which uses integrity levels based on classifications.

I also wanted to mention that the Clark-Wilson follows a trifecta for subject to object access.

Meaning it involves a subject, a program, and an object.

Or a subject, a middleman, and an object.

Shon Harris calls this the Access Triple, where you have the user, which is the subject, a program in the middle which is the Transformation Procedures, and finally the object, which is the Constrained Data Item.

And another exam concept is that a constrained data item cannot be manipulated without first going through the program. Clark-Wilson uses Integrity Verification Procedures to verify and audit all transactions are done in a consistent manner and as they are supposed to be done.

The Clark-Wilson model is almost an improvement over the Biba Model I think because in order to make sure authorized subjects don’t make unintentional changes, there is always a middle-man in between the object and subject

There is always a intermediary which makes sure that the transaction is solid, in other words, a well-formed transaction.

For the full video on the Clark-Wilson, Biba, Bell-LaPadula, MAC Models and many other CISSP videos, become a member:


bottom of page