This was the first formal state machine model developed to protect confidentiality. The Bell-LaPadula model focuses on data confidentiality, unlike Biba model (which focuses on integrity). It is also called "read down, write up" model. This implies trusted subjects may read content below their security level and write content above their security level. Bell-LaPadula Model The model defines two mandatory access control (MAC) rules: The Simple Security Property states that a subject at a given security level may not read an object at a higher security level . The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level . Limitations Only addresses Confidentiality (out of the three - confidentiality, integrity and availability) Covert channel communication is not addressed comprehensively