Your company sells toys around the world. You are developing an EC system supported by an RDBMS and write the following SQL code to create a sales order:
01 Begin Transaction
02 Insert Orders(Id, CustomerId, OrderDate) Values(1, 1, ‘2020/08/15’);
03 Insert OrderItems(Id, OrderId, ProductId, Quantity, Price) Values(1, 1, 1, 1, 9.9);
04 Commit Transaction
From the perspective of the Clark-Wilson model, which of the following best describes the entity, Sales Order, expressed in the SQL code? (Source: Wentz QOTD)
A. Transformation Procedures (TPs)
B. Integrity Verification Procedure (IVP)
C. Constrained Data Item (CDI)
D. Unconstrained Data Item (UDI)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Constrained Data Item (CDI).

RDBMS

A relational database management system (RDBMS) is the management system that manages a relational database, which is composed of various conceptual entities (or relations) that are organized into logical tables associated with one another through relationships.

SQL Code

The snippet of SQL code demonstrates the conceptual data entity, Sales Order, is organized in two logical tables, Orders and OrderDetails, joined together through a relationship from OrderDeails to Orders by the field, OrderId.

The Sales Order comprises two records, wrapped up as a transaction, to be inserted into the Orders and OrderDetails tables and saved into the database.

Transformation Procedures (TPs)

• A transaction is a procedure that changes a set of data from a valid state to another. It is also known as the Transformation Procedure (TP) in the Clark-Wilson model.
• Stored procedures processing transactions are good examples of TPs.
• The result of a transaction is validated by another procedure, Integrity Verification Procedure (IVP).
• TP and IVP fulfill the well-formed transaction and separation of duty mentioned in the Clark-Wilson model.
• In the accounting example, a TP would correspond to a double-entry transaction.

Integrity Verification Procedure (IVP)

The purpose of an IVP is to confirm that all of the CDis in the system conform to the integrity specification at the time the IVP is executed. In the accounting example, this correspcnds to the audit function, in which the books are balanced and reconciled to the external environment.

Source: A Comparison of Commercial and Military Computer Security Policies

Constrained Data Item (CDI)

• The set of data or data items modified by a transaction is called Constrained Data Item (CDI). CDI can only be modified by the TP.
• Sales Order is the data entity in the transaction to be modified. It can not be modified at discretionary but in a constrained way. The transaction will roll back the original data state if anything goes wrong.
• As a result, the Sales Order is Constrained Data Item (CDI).

Unconstrained Data Items (UDIs)

Data entities not included in a transaction, e.g., Supplier, Inventory, etc., are called unconstrained data items (UDIs).

Clark-Wilson Model

The Clark-Wilson model employs two mechanisms to avoid fraud and error and ensure consistency:

• Well-formed transaction for internal consistency.
• Separation of duty for external consistency.

For example, in the double-entry bookkeeping system, internal inconsistency can be detected if accounting books are not balanced. On the other hand, the books appear to balance, but the mismatch between real and recorded inventory reveals external inconsistency.

To maintain the integrity of the CDIs, the system must ensure that only a TP can manipulate the CDIs. It is this constraint that motivated the term constrained Data Item.

Given this constraint, we can argue that, at any given time, the CDIs meet the integrity requirements. (We call this condition a “valid state.”) We can assume that at
some time in the past the system was in a valid state, because an IVP was executed to verify this.

To ensure that data items are manipulated only by means of well-formed transactions, it is first necessary to ensure that a data item can be manipulated only by a specific set of programs.

• To ensure separation of duties, each user must be permitted to use only certain sets of programs.
• The separation of duty method is effective except in the case of collusion among employees.

First, with these integrity controls, a data item is not necessarily associated with a particular security level, but rather with a set of programs permitted to manipulate it. Second, a user is not given authority to read or write certain data items, but to execute certain programs on certain data items.

While the system can ensure that only TPs manipulate CDis, it cannot ensure that the TP performs a well-formed transformation. The validity of a TP (or an IVP) can be determined only by certifying it with respect to a specific integrity policy.

Integrity assurance is thus a two-part process:

• certification, which is done by the security officer, system owner, and system custodian with respect to an integrity policy; and
• enforcement, which is done by the system.

Central to this model is the idea that there are two classes of rules: enforcement rules and certification rules. Enforcement rules correspond to the application-independent security functions, while certification rules permit the application-specific integrity definitions to be incorporated into the model.

Source: A Comparison of Commercial and Military Computer Security Policies

Reference

• Clark–Wilson model
• A Comparison of Commercial and Military Computer Security Policies