SmartSeK
Model · Hybrid

Brewer-Nash

What you can access depends on what you already accessed.

David Brewer and Michael Nash · 1989 · Conflict of interest in financial consulting

01

The problem it solves

A consultant who advises one bank should not also see a competing bank's data. Brewer-Nash builds a wall that rises the moment you access a company, locking you out of its rivals. Access is history dependent.

02

The big idea

Your access rights are not fixed: they shrink the moment you open a company, because the wall rises to block that company's competitors.

Brewer-Nash is history based. The system remembers every object you have ever read and uses that record to decide what you may touch next. Open one company in a conflict of interest class and you are free to keep working in it, but every rival in that same class is now off limits to you. Two people can therefore have completely different permissions on the same data, decided entirely by who opened what first.

03

The rules

Group every company against the rivals it competes with, so the system knows which pairs create a conflict.

Conflict of interest classes

Why: The wall only makes sense if the model knows which companies are competitors of each other.

Bundle all of one company's information into a single dataset, and treat every file in it as belonging to that one company.

Company datasets

Why: Access is granted and denied per company, so the data has to be grouped by company first.

You may open a company's data only if it belongs to a company you have already worked in, or to a conflict of interest class you have never touched. If you have already read a competitor in that same class, you are locked out.

Simple security rule (the Chinese Wall)

Why: It stops one person from ever seeing two rivals' secrets, which is the whole point of the wall.

Before you open anything in a class, every company in it is a valid choice; your first read in each class is free and fixes which side of the wall you are on.

Free initial choice

Why: Nobody has a conflict until they have actually read something, so the first pick in each class must be open.

You may write to a company's data only if you cannot read any unsanitized object that belongs to a different company, so you cannot copy one client's secrets into another's files.

Star property (* property)

Why: Without it, a person with two companies open could read live data from one and write it into the other, laundering secrets across the wall. Sanitized data carries no secrets, so it does not trigger the block.

Information that has been scrubbed of anything company-identifying is exempt: anyone may read it, and it never raises a wall.

Sanitized information

Why: Truly anonymized data carries no conflict of interest, so blocking it would add restriction with no benefit.

05

Worked example

A consultant starting a new engagement.

  1. Open Bank A's files.

    First touch in the Banking class. Free choice.

    Allowed

  2. Open Oil Company X's files.

    A different class. No conflict with a bank.

    Allowed

  3. Open Bank B's files.

    Bank B competes with Bank A. The wall is up.

    Blocked

  4. Keep working in Bank A and Oil X.

    Your history fixes your sides. The ones you chose stay open.

    Allowed

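
The rules above and this worked example, as a small reference monitor in Python. This is an added example, not code from the original page. The names COI_CLASS, SANITIZED, Subject and the function names are hypothetical, the company data is constructed, and the star property is implemented on the assumption that "can read" means "has already read".

```python
from dataclasses import dataclass, field

# Constructed sample data: company dataset -> conflict of interest class.
COI_CLASS = {"Bank A": "Banking", "Bank B": "Banking", "Oil X": "Oil & Gas"}
SANITIZED = "sanitized"  # hypothetical label for scrubbed, company-neutral data


@dataclass
class Subject:
    name: str
    history: set = field(default_factory=set)  # company datasets already read


def can_read(subject, dataset):
    """Simple security rule: a company already opened, or an untouched class."""
    if dataset == SANITIZED or dataset in subject.history:
        return True
    touched = {COI_CLASS[d] for d in subject.history}
    return COI_CLASS[dataset] not in touched


def read(subject, dataset):
    """Apply the read rule, then record the access so the wall rises."""
    allowed = can_read(subject, dataset)
    if allowed and dataset != SANITIZED:
        subject.history.add(dataset)  # sanitized reads never enter the history
    return allowed


def can_write(subject, dataset):
    """Star property. Assumption: "can read" means "has already read"."""
    if not can_read(subject, dataset):
        return False
    # Any other company's live data in the history blocks the write.
    return all(seen == dataset for seen in subject.history)


def replay_worked_example():
    """Replay the consultant's four steps; return the decisions and the subject."""
    consultant = Subject("consultant")
    steps = ["Bank A", "Oil X", "Bank B", "Bank A", "Oil X"]
    return [(d, read(consultant, d)) for d in steps], consultant


if __name__ == "__main__":
    decisions, consultant = replay_worked_example()
    for dataset, allowed in decisions:
        print(f"read {dataset}: {'Allowed' if allowed else 'Blocked'}")
    print("write Bank A:", "Allowed" if can_write(consultant, "Bank A") else "Blocked")
```

The final write check comes back blocked: with Bank A and Oil X both in the history, the star property denies writes to either one.
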
06

Limits and gotchas

  • It is stateful and depends on history

    Permissions are not fixed to a person or a role; they change with every access and must be tracked over time. The system has to remember everything each person has read, which is heavier to build and audit than a static rule set.

  • It targets a narrow problem

    The model was designed for consulting and finance conflicts of interest, not for general confidentiality, integrity, or availability. Outside the world of competing clients its conflict of interest classes do not naturally map onto most systems.

  • The write rule is very restrictive

    The star property says you cannot write to a company if you can read any unsanitized object from a different company. In practice this means once you have two companies open with live data you can effectively write to neither, which is far stricter than most real workflows can tolerate.

  • Sanitization must be trusted

    The whole exemption for sanitized data assumes the scrubbing actually removed every identifying trace. If sanitization is incomplete, data that still points back to a company slips past the wall and the protection is silently broken.

07

Key terms

Conflict of interest class
A group of companies that compete with each other, for example all the banks or all the oil companies. Seeing two members of the same class at once is the conflict the model prevents.
Company dataset
All of the information belonging to a single company, treated as one unit. Each company dataset sits inside exactly one conflict of interest class.
Object
An individual file or piece of data. Every object belongs to one company dataset, which in turn belongs to one conflict of interest class.
Sanitized data
Information that has had all company-identifying details removed. It carries no conflict, so it is exempt from the wall and anyone can read it.
History
The record of every object a person has already accessed. Brewer-Nash uses this history to decide each new access, which is why the same data can be allowed for one person and denied for another.
Simple security rule
The read rule (the Chinese Wall itself): you can read a company's object only if it is in a company you have already accessed or in a conflict of interest class you have not touched, never if you have already read a competitor in the same class.
Star property
The write rule: you can write to an object only if you cannot read any unsanitized object in a different company dataset, which blocks copying live secrets from one client into another's files.
08

Check yourself

01 In Brewer-Nash, what decides whether you are allowed to open a particular company's data?

02 A consultant has already read files from Bank A. Bank B is a competitor in the same conflict of interest class. Under the simple security rule, what happens when they try to open Bank B?

03 Why does the star property forbid writing while you can still read a different company's unsanitized data?

04 Which kind of information is exempt from the Chinese Wall, so accessing it raises no wall and never blocks anyone?

10

Key takeaway

The one line

Brewer-Nash = Chinese Wall = access decided by your history. Open one, the wall blocks its rivals.