CISSP Flashcards: Security Architecture, Models, Frameworks, Defense in Depth

Delve into security architecture concepts, models, and frameworks. This section provides insights into designing secure systems and implementing defense in depth strategies.

Nortren

What is defense in depth and why is it important?

Defense in depth is a security strategy that deploys multiple layers of controls so that if one layer fails, others continue to protect the asset. Layers typically include perimeter defenses like firewalls, network segmentation, host-based controls like endpoint protection, application security, data protection like encryption, and physical security. The concept comes from military strategy where multiple defensive lines slow and weaken an attacker. No single control is perfect, so layering compensates for individual weaknesses.

What is the Bell-LaPadula model and what does it enforce?

The Bell-LaPadula model is a formal security model that enforces confidentiality through mandatory access controls. It has two primary rules: the simple security rule, or "no read up," which prevents a subject from reading data at a higher classification level; and the star property, or "no write down," which prevents a subject from writing data to a lower classification level. This prevents information from flowing from higher sensitivity levels to lower ones. Bell-LaPadula was designed for military environments where preventing unauthorized disclosure is the primary concern.

What is the Biba integrity model and how does it differ from Bell-LaPadula?

The Biba model enforces data integrity, the opposite focus of Bell-LaPadula's confidentiality. Its two rules are the simple integrity axiom, or "no read down," preventing subjects from reading data at a lower integrity level to avoid contamination; and the star integrity axiom, or "no write up," preventing subjects from writing data to a higher integrity level to avoid corruption. Biba prevents less trusted subjects from modifying more trusted data. While Bell-LaPadula prevents disclosure of secrets downward, Biba prevents corruption of trusted data from below.

What is the Clark-Wilson integrity model?

The Clark-Wilson model enforces integrity through well-formed transactions and separation of duties in commercial environments. It defines constrained data items that can only be modified by authorized transformation procedures, unconstrained data items that are user input, and integrity verification procedures that check data consistency. Users cannot directly access data but must go through approved programs. This models how real business systems work: a bank teller cannot directly edit account balances but must use the banking application.

What is the zero trust security model?

Zero trust is a security architecture that eliminates implicit trust based on network location and instead requires continuous verification of every user, device, and connection before granting access. Its core principle is "never trust, always verify." Key components include strong identity verification through multi-factor authentication, least privilege access, micro-segmentation of networks, device health validation, continuous monitoring and analytics, and encryption of all data in transit. Zero trust assumes that threats exist both outside and inside the network perimeter.

What is the Zachman Framework for enterprise architecture?

The Zachman Framework is a two-dimensional classification scheme for organizing the descriptive representations of an enterprise. It uses six communication questions as columns (what, how, where, who, when, and why) and six perspectives as rows (planner, owner, designer, builder, subcontractor, and user). The intersection of each column and row produces a unique artifact that describes one aspect of the enterprise from one perspective.

What are security zones and how does network segmentation protect assets?

Security zones divide a network into segments with different trust levels and access controls, limiting lateral movement if an attacker compromises one zone. Common zones include the external untrusted zone or internet, the demilitarized zone or DMZ hosting public-facing services, the internal trusted zone for corporate resources, and restricted zones for sensitive systems like databases and financial applications. Firewalls, routers with access control lists, and virtual local area networks enforce boundaries between zones.