Security architectureIntermediate25 min read

What Is Clark-Wilson? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

The Clark-Wilson model is a way to keep data accurate and trustworthy. It makes sure that only approved people can change data, and they must follow specific steps. Every change is also recorded so you can always check what happened. Think of it like a bank where only a manager can approve a transfer, and every transfer is logged.

Commonly Confused With

Clark-WilsonvsBiba Model

The Biba model is an integrity model that uses subject and object integrity labels. It prevents low-integrity subjects from writing to high-integrity objects (no write up) and high-integrity subjects from reading low-integrity objects (no read down). Clark-Wilson does not use labeling. Instead, it focuses on enforcing well-formed transactions through Transformation Procedures and separating duties among roles. While Biba is simple and rigid, Clark-Wilson is more practical for commercial systems because it allows controlled changes based on roles and processes.

Biba: A secret-level user cannot write to a top-secret file. Clark-Wilson: A payroll clerk cannot change salary data without an approved request and an audit log entry.

Clark-WilsonvsBell-LaPadula Model

Bell-LaPadula is a confidentiality model that prevents unauthorized reading of data. It uses labels and enforces no read up and no write down. Clark-Wilson does not address reading at all; it focuses entirely on protecting the integrity of data when it is modified. In a Bell-LaPadula system, you can change data as long as your clearance level is appropriate. In Clark-Wilson, you need to follow a specific, logged transaction process, regardless of your clearance.

Bell-LaPadula: A user with top-secret clearance can read any document, but cannot write a secret document to a public server. Clark-Wilson: Even a top-secret user cannot change a patient's diagnosis without using the official update program.

Clark-WilsonvsBrewer-Nash Model (Chinese Wall)

The Brewer-Nash model is about preventing conflicts of interest in commercial firms. It ensures that a user who accesses data for one client cannot also access data for a competing client. Clark-Wilson is unrelated to conflict of interest. Both models use the concept of roles, but Brewer-Nash focuses on dynamic separation of duties to avoid conflicts, while Clark-Wilson uses static separation of duties to ensure that approval and execution are handled by different people.

Brewer-Nash: A consultant working for Coca-Cola cannot access Pepsi’s trade secrets. Clark-Wilson: A manager who approves a purchase order cannot also authorize payment for that same order.

Must Know for Exams

For the CISSP exam, the Clark-Wilson model is a core topic within Domain 3: Security Architecture and Engineering. It is one of the most important integrity models you need to know, alongside Biba and the Brewer-Nash model. The exam will test your ability to differentiate between confidentiality models (Bell-LaPadula) and integrity models (Clark-Wilson, Biba). Specifically, you must be able to identify the components of Clark-Wilson: Constrained Data Item (CDI), Unconstrained Data Item (UDI), Transformation Procedure (TP), and Integrity Verification Procedure (IVP). You must also understand the certification and enforcement rules.

Expect scenario-based questions where you are asked which model best applies to a situation. For example, if a question describes a financial system where transactions must be logged and the person who approves a payment cannot be the same person who initiates it, the correct answer is Clark-Wilson. If the scenario is about preventing a low-clearance user from writing to a high-integrity file, Biba is more appropriate.

Another common question type asks you to identify the principle that Clark-Wilson uses that other models do not. The key answer is separation of duty. The exam may also present a situation where a system enforces well-formed transactions but lacks separation of duty, and you must identify that the Clark-Wilson implementation is incomplete. You may see questions that test your understanding of the difference between certification rules (defined by a security officer, verifying that TPs and IVPs are correct) and enforcement rules (built into the system, ensuring only certified operations run).

CISSP is not the only exam where this appears. The CISA (Certified Information Systems Auditor) exam also touches on Clark-Wilson concepts because auditors care about segregation of duties and data integrity. The CISM exam may mention it in the context of information security governance. However, for the scope of this glossary (related exams: ISC2 CISSP), the primary exam is CISSP, and you should be ready for multiple-choice questions that either directly ask for the name of the model that enforces well-formed transactions and separation of duty, or that ask you to map the components to their definitions. One trap is confusing Clark-Wilson with Biba: remember that Biba deals with subject and object integrity labels, while Clark-Wilson deals with transactions and roles. Another trap is thinking that Clark-Wilson is about confidentiality; it is not. Mastering these distinctions will earn you easy points on the exam.

Simple Meaning

Imagine you work in a large library. The library has a rule: only the head librarian can change a book's location in the catalog. If a volunteer finds a book out of place, they cannot just edit the catalog themselves. Instead, they must fill out a form and give it to the head librarian, who then checks the book, updates the record, and logs the change. This is the heart of the Clark-Wilson model. It is a security idea that focuses on keeping data correct and consistent, not just secret.

The model was created in the 1980s by David Clark and David Wilson. They wanted to protect data from being changed in wrong or unauthorized ways. In everyday life, think about an online store. When you buy something, the system does not let anyone directly change the product price or your account balance. Instead, there are clear rules: you add items to your cart, pay, and the system updates the inventory and your balance. If someone tried to change the price directly in the database, that would be blocked because it is not a proper, approved transaction.

The model uses two key ideas: well-formed transactions and separation of duty. A well-formed transaction is a set of steps that must all happen in order for the data to be valid. For example, to transfer money from one account to another, you must first check the balance, then deduct the amount, then add it to the other account, and finally log everything. If you skip a step, the system rejects the change. Separation of duty means that the person who requests a change cannot be the same person who approves or carries it out. This prevents fraud. In the library example, the volunteer cannot also be the head librarian. In business, a person who creates a purchase order cannot also approve payment. By combining these rules, the Clark-Wilson model keeps data reliable, especially in financial systems, databases, and any environment where accuracy is more important than secrecy.

Full Technical Definition

The Clark-Wilson model is a formal security architecture designed to enforce data integrity in computer systems, particularly in commercial and government environments. It was introduced by David Clark and David Wilson in a 1987 paper, and it addresses integrity goals that the Bell-LaPadula model (focused on confidentiality) does not cover. The model is built around three core principles: preventing unauthorized users from making changes, preventing authorized users from making improper changes, and maintaining internal and external consistency of data.

At its core, the Clark-Wilson model defines several key components. A Constrained Data Item (CDI) is any piece of data that must be kept accurate and that is subject to integrity controls. Examples include account balances, stock levels, or medical records. An Integrity Verification Procedure (IVP) is a function that checks whether a CDI is in a valid state. For instance, an IVP might verify that the total balance in all bank accounts equals the bank’s total cash on hand. Transformation Procedures (TPs) are the only allowed operations that can change a CDI. Each TP is a well-defined transaction that takes a CDI from one valid state to another. For example, a TP for a bank transfer would check the source account has enough funds, deduct the amount, credit the destination, and log the operation. Unconstrained Data Items (UDIs) are data that do not require integrity control, such as public information.

The model enforces access control through certification and enforcement rules. Certification rules are defined by security officers or system administrators and specify which TPs are allowed to operate on which CDIs, and which users or roles can execute those TPs. Enforcement rules are built into the system and ensure that only certified TPs modify CDIs, that IVPs are run to validate system integrity, and that all changes are logged. A critical aspect is separation of duty: the model requires that the person certifying a TP (proving it is correct) be different from the person who later executes it. This prevents a single user from bypassing controls.

In practice, the Clark-Wilson model is implemented in database management systems, financial transaction systems, and operating systems with mandatory integrity controls. For example, in a relational database, you might define stored procedures (TPs) that are the only way to update critical tables. Users have no direct INSERT, UPDATE, or DELETE privileges on those tables; they can only call the stored procedures, which enforce business rules and logging. The model also requires that the system maintain an audit log of every TP execution, including who ran it, when, and what data was changed. This supports non-repudiation and forensic analysis.

For CISSP exam purposes, the Clark-Wilson model is frequently compared to the Biba model. While Biba focuses on preventing low-integrity subjects from writing to high-integrity objects, Clark-Wilson is more practical for commercial systems because it deals with well-formed transactions and separation of duty. It is considered a foundational model for integrity, and understanding its components (CDI, UDI, TP, IVP) and its two sets of rules (certification and enforcement) is essential for the Security Architecture and Engineering domain.

Real-Life Example

Think about how a payroll system works in a company. You, as an employee, cannot just walk into the payroll office and type a new salary figure into the database. That would be a disaster. Instead, the company uses a process very similar to the Clark-Wilson model. First, there is a rule that only the payroll manager can change salary data. That is your Constrained Data Item (CDI), the salary record. The salary record must always be correct, so the system has a built-in Integrity Verification Procedure (IVP) that runs every morning and checks that the total payroll matches the budget approved by the finance department.

Now, you work hard and get a promotion. Your manager sends an approved request to payroll. The payroll clerk does not just update the database directly. Instead, they use a Transformation Procedure (TP), perhaps a specific software screen called "Update Salary." This TP does several things in order: it checks that your manager’s approval is valid, it looks up your current salary, it deducts the old amount from the total budget and adds the new amount, it updates your record, and it logs every action. The system will not allow the clerk to change any salary without going through this TP. This is the well-formed transaction.

But wait, there is more. The Clark-Wilson model also insists on separation of duty. So the person who approved your raise (your manager) cannot be the same person who enters it (the payroll clerk), and the person who audits the logs later is someone else entirely. If the payroll clerk tried to give themselves a raise, they would need another person to approve it, and that other person would not approve because it is against policy. This stops internal fraud. In the real world, companies use access control lists, role-based access controls, and audit systems to implement these ideas. The model does not care much about keeping salaries secret (confidentiality) but cares deeply that they are correct and that every change is proper and traceable. That is why banks, hospitals, and government agencies love the Clark-Wilson model.

Why This Term Matters

In the real world of IT, data integrity is often more critical than confidentiality. Think about a bank: you want your account balance to be exactly right, every time. If a hacker sees your balance, that is bad, but if a glitch changes your balance from $5,000 to $0, you will not trust the bank anymore. The Clark-Wilson model provides a structured way to ensure that data is never changed accidentally or maliciously. It is not just a theoretical model; it is baked into many enterprise systems, compliance frameworks, and regulatory requirements.

For example, financial systems that handle transactions must comply with the Sarbanes-Oxley Act (SOX), which demands strong internal controls. The Clark-Wilson model directly supports SOX by enforcing separation of duties and audit trails. Similarly, healthcare systems handling patient records under HIPAA need to ensure that only authorized personnel change data and that changes are logged. The model’s focus on well-formed transactions and certification rules aligns with these regulations.

In practice, IT professionals implement Clark-Wilson concepts using database triggers, stored procedures, and role-based access control. For instance, a database administrator might set up views and stored procedures so that users cannot directly update a table of patient diagnoses. They must call a stored procedure that validates the doctor’s authorization, creates an audit log entry, and then makes the change. This prevents data corruption from both errors and malicious insiders.

Another reason the model matters is that it helps organizations recover from incidents. Because every change is logged as part of a TP, you can trace exactly what happened if data becomes inconsistent. You can run an IVP to check the current state, find the bad transaction, and undo it. Without such structure, finding and fixing data corruption is like searching for a needle in a haystack. For IT certification learners, understanding Clark-Wilson is crucial because it is frequently tested on the CISSP exam, especially in the Security Architecture and Engineering domain, and it represents a mature, practical approach to integrity that contrasts with simpler models like Biba.

How It Appears in Exam Questions

On the CISSP exam, Clark-Wilson questions typically appear as scenario-based items in the Security Architecture and Engineering domain. You will rarely be asked to define the model in isolation. Instead, you will be given a description of a system and asked to identify which security model best matches it. For example: 'A bank has implemented a system where all account updates must go through approved transaction programs, and the user who authorizes a transfer cannot be the same user who executes it. Which security model does this align with?' The answer is Clark-Wilson.

Another common pattern is a question that lists components and asks you to identify the model. For instance: 'Which of the following is a component of the Clark-Wilson model? A) Subject, B) Object, C) Constrained Data Item, D) Label.' The correct answer is C. You must know that CDI is a term unique to Clark-Wilson. Similarly, you may see questions that mix up terms from Bell-LaPadula (like 'simple security property') with Clark-Wilson terms. The exam expects you to keep the models straight.

Troubleshooting-type questions are less common but do appear. For example: 'A system using the Clark-Wilson model has been implemented, but users are still able to corrupt data. What is the most likely reason?' The answer might be that the Integrity Verification Procedure (IVP) is not running frequently enough, or that the Transformation Procedures (TPs) do not enforce separation of duty. Another possibility is that the certification rules were not properly defined for all TPs. You need to understand that the model relies on both certification and enforcement; if either is weak, integrity fails.

Configuration-based questions might ask: 'An administrator wants to implement Clark-Wilson in a relational database. Which of the following is the best approach?' Correct answer: 'Create stored procedures as TPs and grant users only execute rights on those procedures, while denying direct table access.' Questions may also ask about auditing: 'Which requirement of the Clark-Wilson model ensures that changes are traceable?' Answer: 'All TPs must log the identity of the user, the time, and the change.' Be prepared for these exact patterns. The exam does not ask you to code or configure, but you must know the practical implications of the model.

Study CISSP

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are an IT administrator at a medium-sized hospital. The hospital uses an electronic health records (EHR) system. One day, a nurse notices that a patient’s allergy information was changed without explanation. The patient had an allergic reaction to a new medication. The hospital is now at risk of a lawsuit. Your manager asks you to implement better controls to prevent unauthorized or improper changes to patient data.

You decide to model your solution after the Clark-Wilson model. First, you identify the Constrained Data Items (CDIs), these are the patient allergy records, medication history, and diagnosis fields. These must always be accurate. You then work with the security officer to define Integrity Verification Procedures (IVPs). One IVP runs every hour and checks that all allergy entries are consistent with the notes from the doctor. If the IVP finds a mismatch, it alerts the security team.

Next, you design Transformation Procedures (TPs). Instead of allowing any user to directly edit a diagnosis field, you create a stored procedure called 'UpdatePatientAllergy.' This TP does the following: it confirms the user has the role of doctor or senior nurse, it checks that the patient ID exists, it compares the new allergy information with the lab test results, it updates the CDI, and it logs the user ID, timestamp, and old and new values. The stored procedure is the only way the allergy data can be changed. You revoke all direct update permissions on the EHR database tables.

You also enforce separation of duty. The doctor who diagnoses the allergy must be different from the person who enters the data into the system. In your system, the doctor approves the change through a separate interface, and the nurse who enters it cannot also approve it. Finally, you set up an audit log that reports any attempt to run a TP outside of business hours or from an unusual workstation. The result is that every change is traceable, and no unauthorized modifications can occur. This scenario is exactly what the CISSP exam expects you to understand as a real-world application of the Clark-Wilson model.

Common Mistakes

Thinking Clark-Wilson is a confidentiality model like Bell-LaPadula.

Clark-Wilson was designed specifically for data integrity, not secrecy. Bell-LaPadula focuses on preventing unauthorized reading of classified data, while Clark-Wilson prevents unauthorized or improper changes to data.

Memorize: Bell-LaPadula = confidentiality (no read up, no write down). Clark-Wilson = integrity (well-formed transactions, separation of duty).

Confusing Clark-Wilson with the Biba model.

Biba uses a lattice of integrity levels and prevents low-integrity subjects from writing to high-integrity objects (no write up). Clark-Wilson does not use integrity levels; it relies on transactions, roles, and separation of duty.

Remember: Biba is about levels (low-to-high). Clark-Wilson is about processes (transactions and approvals). When you see 'separation of duty,' think Clark-Wilson.

Believing that Transformation Procedures (TPs) can be any database query.

A TP must be a well-defined, certified transaction that takes a CDI from one valid state to another. It cannot be ad hoc or arbitrary. Allowing any SQL UPDATE statement as a TP defeats the purpose.

In implementation, TPs are typically stored procedures or application functions that enforce business rules, logging, and validation before changing data.

Ignoring the need for Integrity Verification Procedures (IVPs).

Some learners think that once TPs are set up, the system is automatically valid. But IVPs are needed to periodically check that data has not been corrupted by a software bug or a coordinated attack. Without IVPs, you might not detect problems until it is too late.

Always include an IVP in your understanding of Clark-Wilson. The model requires both TPs (to change data) and IVPs (to verify the state).

Assuming that Clark-Wilson eliminates the need for backups or other integrity controls.

Clark-Wilson is a logical model that addresses access control and transaction integrity. It does not cover physical integrity, data redundancy, or disaster recovery. Backups and error checking are still necessary.

Use Clark-Wilson as one layer in a defense-in-depth strategy. Combine it with regular backups, hashing, and intrusion detection for complete data protection.

Exam Trap — Don't Get Fooled

{"trap":"The exam presents a scenario where a system allows only authorized users to run pre-approved update programs, but there is no separation of duty. It asks: 'Which security model is being partially implemented?' Many learners choose Clark-Wilson because they see 'pre-approved update programs.'

","why_learners_choose_it":"They associate 'pre-approved update programs' with Transformation Procedures, which is a core Clark-Wilson concept. They forget that Clark-Wilson also requires separation of duty. The model is incomplete without it."

,"how_to_avoid_it":"Always check if the scenario includes separation of duty. If it only mentions well-formed transactions but not that the approving person must be different from the executing person, Clark-Wilson is not fully implemented. The correct answer might be 'a custom integrity model' or 'partially implemented Clark-Wilson.'

On the exam, look for clues like 'the same user can both authorize and execute the transaction.'

Step-by-Step Breakdown

1

Identify Constrained Data Items (CDIs)

First, you determine which pieces of data are critical and need integrity protection. These are the CDIs. Examples include bank account balances, patient medical records, or inventory stock levels. These items must always be accurate and any change must be controlled.

2

Define Integrity Verification Procedures (IVPs)

Next, you create procedures that check whether the CDIs are in a valid state. An IVP might run a query that sums all account balances and compares it to the bank's total cash. If the numbers don't match, the system alerts an administrator. IVPs must be certified as correct by a security officer.

3

Create Transformation Procedures (TPs)

You design specific, certified operations that are the only way to change CDIs. Each TP must take a CDI from one valid state to another. For example, a TP called 'TransferFunds' would check balances, subtract from one account, add to another, and log the action. TPs are usually implemented as stored procedures or restricted application functions.

4

Enforce Access Control over TPs and CDIs

The system must enforce that only authorized users can execute TPs, and that those users cannot directly modify CDIs outside the TP. This is done by granting users permission to run the stored procedure while denying them direct read/write access to the underlying tables. Access control lists and role-based permissions are used here.

5

Implement Separation of Duty

The person who certifies a TP (proves it works correctly) must be different from the person who executes it. Also, the person who approves a specific transaction (such as a manager approving a purchase) must be different from the person who carries it out (the clerk). This prevents a single user from bypassing controls and committing fraud.

6

Set Up Audit Logging for All TP Executions

All TPs must log every execution. The log records who ran the TP, when, which CDI was changed, the old value, and the new value. This creates a non-repudiable trail. If a problem is found, the logs can be used to identify the specific transaction and recover the data.

7

Perform Regular Integrity Checks Using IVPs

Finally, run Integrity Verification Procedures at scheduled intervals. These checks verify that the CDIs are still in a valid state. If an IVP fails, the system must stop TPs until the cause is identified and fixed. This step ensures ongoing integrity, not just at the time of change.

Practical Mini-Lesson

To implement the Clark-Wilson model in practice, IT professionals need to think about how to enforce the model within existing systems. The most common technique is to use database stored procedures as Transformation Procedures. Here is how you do it in a typical relational database like SQL Server or Oracle.

First, identify the tables that hold CDIs. For a banking scenario, this might be the 'Accounts' table. You then revoke all direct INSERT, UPDATE, and DELETE permissions on the 'Accounts' table from all user roles. Instead, you create a stored procedure called 'UpdateAccountBalance' that accepts the account ID, the new balance, and the user ID as parameters. Inside the stored procedure, you write code that validates the new balance is positive, checks that the applicant has the proper role, and updates the row. You also insert an audit record into an 'AuditLog' table. You then grant the EXECUTE permission on that stored procedure to the appropriate roles (e.g., TellerRole, ManagerRole). This ensures no user can bypass the TP.

Next, you create an Integrity Verification Procedure. This could be a scheduled job that runs a query: SELECT SUM(Balance) FROM Accounts and compares it to a control total stored in a separate system. If the sums do not match, the procedure sends an alert. You should also consider running IVPs after every transaction to detect problems quickly. In high-availability systems, the IVP might be a stored procedure that runs after every TP.

What can go wrong? One common issue is privilege escalation. If a stored procedure is written poorly, a user might be able to inject SQL or call other procedures. Always use parameterized queries inside TPs. Another problem is that separation of duty can be undermined if the same person has multiple roles. For example, if a manager has both the ManagerRole and the AuditorRole, they could approve their own changes and also audit them. Role-based access control must be enforced so that roles cannot be combined in a way that violates separation. A regular review of role assignments is necessary.

Professionals also need to consider the performance impact. TPs that log every change and run IVPs after every transaction can slow down the system. In practice, some organizations use asynchronous logging or batch IVPs. However, for high-integrity systems (like financial systems), the performance cost is acceptable. Finally, remember that Clark-Wilson is a model, not a product. No software has a 'Clark-Wilson mode.' You have to implement its principles using the security features of your operating system, database, and application server. Understanding these practical steps will help you both in the exam and in real-world system design.

Memory Tip

Clark-Wilson = Clear Well-formed Intent (CWI). Think: Clear rules, Well-formed transactions, Intent logs, and Independent roles (separation of duty).

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the main goal of the Clark-Wilson model?

The main goal is to ensure data integrity by preventing unauthorized or improper changes to critical data. It does this through well-formed transactions, separation of duty, and audit logging.

How does Clark-Wilson differ from the Biba model?

Biba uses integrity levels and prevents low-integrity subjects from writing to high-integrity objects. Clark-Wilson does not use levels; it focuses on roles, transactions, and separation of duty. It is more suited for commercial systems like banks.

What is a Constrained Data Item (CDI)?

A CDI is any piece of data that the Clark-Wilson model protects. It must be kept accurate and can only be changed through approved Transformation Procedures. Examples include bank account balances or medical records.

What is the difference between certification rules and enforcement rules?

Certification rules are defined by a security officer and specify which Transformation Procedures (TPs) are allowed on which CDIs. Enforcement rules are built into the system and ensure that only certified TPs run, that IVPs check integrity, and that logs are kept.

Why is separation of duty important in Clark-Wilson?

Separation of duty prevents a single person from both approving and executing a transaction, which reduces the risk of fraud or error. For example, the person who authorizes a payment must be different from the person who processes it.

Can Clark-Wilson be implemented in a simple file system?

It is very difficult because file systems lack stored procedures and role-based auditing. Clark-Wilson is best implemented in a database management system with stored procedures, or in applications with strong role-based access control.

Is Clark-Wilson still relevant today?

Yes, absolutely. Financial systems, healthcare records, and any system that requires high data accuracy use Clark-Wilson principles. It is also a key topic in the CISSP exam and is referenced in compliance frameworks like SOX and HIPAA.

Summary

The Clark-Wilson model is a foundational integrity model that focuses on protecting data from unauthorized or improper changes. Unlike confidentiality models like Bell-LaPadula, Clark-Wilson does not care about who can read the data; it cares about who can change it and how. The model is built around Constrained Data Items (CDIs), which are critical data that must be accurate, and Transformation Procedures (TPs), which are the only allowed operations that can modify CDIs. Integrity Verification Procedures (IVPs) periodically check that the CDIs are in a valid state. The model also enforces separation of duty, meaning that the person who approves a change cannot be the same person who executes it, and all changes are logged for audit.

For IT certification learners, particularly those studying for the CISSP exam, Clark-Wilson is a must-know topic. It appears in scenario-based questions that ask you to identify which security model is being used, or to identify the component that is missing from an implementation. Common mistakes include confusing Clark-Wilson with Biba or Bell-LaPadula, or forgetting that separation of duty is a core requirement. Real-world implementation often involves database stored procedures, role-based access control, and comprehensive audit logging. The model is still highly relevant in banking, healthcare, and any industry where data accuracy is paramount.

Exam takeaway: When you see a question that mentions well-formed transactions, separation of duty, and audit logs for data changes, think Clark-Wilson. Remember the acronym CWI: Clear rules (certification), Well-formed transactions (TPs), and Intent logs (audit). With this understanding, you will be well-prepared for both the exam and practical system design.