top of page


"blogger, InfoSec specialist, super hero ... and all round good guy" 



Clark-Wilson Security Model

The Clark-Wilson security model is based on preserving information integrity against the malicious attempt of tampering data. The security model maintains that only authorized users should make and be allowed to change the data, unauthorized users should not be able to make any changes, and the system should maintain internal and external data consistency.

The Clark-Wilson model requires well-formed transaction. A well-formed transition is that operations and data feeds and processing are consistent within the system. According to Sonya Blake on paper she wrote for the University of Pennsylvania posted on softpanorama, “The principle of well-formed transaction is defined as a transaction where the user is unable manipulate data arbitrarily, but only in constrained (limitations or boundaries) ways that preserve or ensure the integrity of the data. A security system in which transactions are well-formed ensures that only legitimate actions can be executed. Ensures the internal data is accurate and consistent to what it represents in the real world” (Blake).

Concepts of separation of duties are also a big part of the Clark-Wilson model. The implementer, auditor, and certifier have to be different people in an effective implementation of the model (Blake).

According to an article posted on softpanorama, Sonya Blake:

Wilson and Clark were among the many who had observed by 1987 that academic work on models for access control emphasized data’s confidentiality rather than its integrity (i.e., the work exhibited greater concern for unauthorized observation than for unauthorized modification). Accordingly, they attempted to redress what they saw as a military view that differed markedly from a commercial one. In fact, however, what they considered a military view was not pervasive in the military.”

You can imagine there are times when data integrity may be paramount and considered even much more important than data confidentiality. This could be in many military situations where attack orders using technological, atomic, and biological warfare must be absolutely 100% ensured they have not been tampered (Crimson Tide anyone?).

In a perfect world we would have data confidentiality, integrity, and availability.

Unfortunately we do not live in a perfect world, and sometimes sacrifices need to make sense. When designing security models to protect information, the Clark-Wilson model is standard choice when the priority of data integrity outweighs data confidentiality.


Cyber Defense. (n.d.). : Clark-Wilson Model. Retrieved July 20, 2014, from

Blake, S. (2000, May 17). The Clark-Wilson Model. The Clark-Wilson Model. Retrieved July 20, 2014, from


Commenting has been turned off.
bottom of page