Access control ensures that only authenticated and authorized entities can access resources. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of implementing identity and access management controls. This includes an access control model that uses labels (sometimes referred to as sensitivity labels or security labels) to determine access.
For example, can you answer this question?
Q. A security administrator needs to implement an access control system that will protect data based on the following matrix.
Document Type | Security Level | Security Label |
Employment documents | Private | Employee |
Salary and compensation documents | Private | Payroll |
Internal phone listing documents | Private | Employee |
(Note that this matrix only represents a subset of the overall requirements.) Which of the following models is the administrator implementing?
A. DAC
B. MAC
C. Role-BAC
D. ABAC
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Mandatory Access Control
The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). The system grants a subject access to an object only when the subject's label satisfies the object's label (in the simplest case, when the two labels match); otherwise it blocks access. Neither the user nor the owner of the object can override that decision, which is what makes the control mandatory rather than discretionary.
Military units make wide use of this model to protect data. You might have seen movies where they show a folder with a big red and black cover page labeled “Top Secret.” The cover page identifies the sensitivity label for the data contained within the folder. Users with a Top Secret label (a Top Secret clearance) and a need to know can access the data within the Top Secret folder.
Need to know is an important concept to understand. Just because individuals have a Top Secret clearance doesn’t mean they should automatically have access to all Top Secret data. Instead, access is restricted based on a need to know.
Security-Enhanced Linux (SELinux) is the best-known implementation of the mandatory access control model. It is not a separate operating system but a security module built into the Linux kernel, originally developed by the NSA to demonstrate how mandatory access controls can be added to a mainstream operating system. Every process and file carries a security context (its label), and the kernel checks each access against the loaded policy, which an ordinary user or file owner cannot change. In contrast, file and folder permissions in Windows operating systems follow the discretionary access control model, where the owner of an object decides who can access it.
Labels and Lattice
The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a lattice, an ordered structure of labels in which any two labels have a well-defined higher and lower bound. The lattice can be a complex relationship between different ordered sets of labels, and each label defines the boundary of a security level.
The figure shows how the MAC model uses a lattice to divide access into separate compartments based on a need to know. The lattice starts by defining different levels of Top Secret, Secret, Confidential, and For Official Use. Each of these labels defines specific security boundaries. Within these levels, the lattice defines specific compartments. For example, the Top Secret level includes compartments labeled Nuclear Power Plant, 007, and Happy Sumo.
Figure: MAC model lattice
Imagine that Homer has a Top Secret clearance with a Nuclear Power Plant label. This gives him access to data within the Nuclear Power Plant compartment. However, he does not have access to data in the 007 or Happy Sumo compartment unless he also has those clearances (and associated labels).
Higher-level clearances include lower-level clearances. For example, because Homer has a Top Secret clearance, he can be granted access to Secret and lower-level data. Again though, he will only be able to access data on these lower levels based on his need to know.
As another example, imagine that Lisa has a Secret level clearance. Administrators can grant her access to data on the Secret level and lower levels, based on her need to know. For example, they might grant her access to the Research data by assigning the Research label to her, but not necessarily grant her access to Three-eyed Fish or Legal Issues data. However, they cannot grant her access to any data on the Top Secret level.
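The following Python is an added example, not code from the study guide. It models the lattice described above and makes access decisions the way a MAC system would: a subject's label dominates an object's label when the subject's level is at least the object's level and the subject holds every compartment the object is tagged with, which captures both "higher clearances include lower ones" and "need to know" in one rule. The people, levels and compartment names (Homer, Lisa, Nuclear Power Plant, Research, and so on) are taken from the post's figure; the lattice join and the no-write-down check come from the Bell-LaPadula model, which the post does not name, so treat those two functions as the editor's generalization.

```python
"""Lattice-based mandatory access control check.

Added example for this post, not code from the study guide. A label is a
(level, compartments) pair. Subject label S dominates object label O when
S's level is at least O's level AND S holds every compartment in O. The
people, levels and compartment names are constructed to match the figure.
"""
from dataclasses import dataclass

# Ordered hierarchy from the post's figure; a higher index is more sensitive.
LEVELS = ["For Official Use", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know compartments

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown security level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True when self is at or above other in the lattice."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a document gets when it combines data
    labelled a and b. It dominates both inputs, which is what makes the
    set of labels a lattice rather than a simple ordered list."""
    top = a if RANK[a.level] >= RANK[b.level] else b
    return Label(top.level, a.compartments | b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """No read up: read allowed only when the subject dominates the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No write down (Bell-LaPadula *-property, beyond what the post covers):
    a subject may only write to objects at or above its own label, so a
    Top Secret user cannot copy data into a For Official Use file."""
    return obj.dominates(subject)


def demo() -> dict:
    """Walk through the post's scenario; returns a case -> decision map."""
    homer = Label("Top Secret", frozenset({"Nuclear Power Plant"}))
    lisa = Label("Secret", frozenset({"Research"}))

    npp_plans = Label("Top Secret", frozenset({"Nuclear Power Plant"}))
    bond_file = Label("Top Secret", frozenset({"007"}))
    research = Label("Secret", frozenset({"Research"}))
    fish_study = Label("Secret", frozenset({"Three-eyed Fish"}))
    phone_list = Label("For Official Use")  # no compartment at all

    return {
        "homer reads NPP plans": can_read(homer, npp_plans),       # True
        "homer reads 007 file": can_read(homer, bond_file),        # False: no 007 label
        "homer reads Research": can_read(homer, research),         # False: no need to know
        "homer reads phone list": can_read(homer, phone_list),     # True: lower level
        "homer writes phone list": can_write(homer, phone_list),   # False: would leak downward
        "lisa reads Research": can_read(lisa, research),           # True
        "lisa reads Three-eyed Fish": can_read(lisa, fish_study),  # False
        "lisa reads NPP plans": can_read(lisa, npp_plans),         # False: Top Secret
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28} -> {'ALLOW' if allowed else 'DENY'}")
```

Note that Homer is denied the Secret-level Research data even though his clearance is higher: the level comparison passes, but the compartment check fails because he was never given the Research label. That is exactly the need-to-know restriction the post describes, enforced by the system rather than left to the data owner's discretion.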
Establishing Access
An administrator is responsible for establishing access, but only someone at a higher authority can define the access for subjects and objects. Typically, a security professional identifies the specific data that individuals are authorized to access. This person can also upgrade or downgrade an individual's access when necessary. Note that the security professional does all this via paperwork and does not assign the rights and permissions on computer systems. Instead, the administrator assigns the rights based on the direction of the security professional.
Multiple approval levels are usually involved in the decision-making process to determine what a user can access. For example, in the military an officer working in the security professional role would coordinate with higher-level government entities to upgrade or downgrade clearances. These higher-level entities approve or disapprove clearance requests.
Once an individual is formally granted access, a network administrator would be responsible for establishing access based on the clearances identified by the security professional. From the IT administrator’s point of view, all the permissions and access privileges are predefined.
If someone needed different access, the administrator would forward the request to the security professional, who may approve or disapprove the request. On the other hand, the security professional may forward the request to higher entities based on established procedures. This process takes time and results in limited flexibility.
Q. A security administrator needs to implement an access control system that will protect data based on the following matrix.
Document Type | Security Level | Security Label |
Employment documents | Private | Employee |
Salary and compensation documents | Private | Payroll |
Internal phone listing documents | Private | Employee |
(Note that this matrix only represents a subset of the overall requirements.) Which of the following models is the administrator implementing?
A. DAC
B. MAC
C. Role-BAC
D. ABAC
Answer is B. This is a mandatory access control (MAC) model. You can tell because it is using security labels. None of the other models listed use labels.
A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects.
A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions.
An attribute-based access control (ABAC) model uses attributes assigned to subjects and objects within a policy to grant access.
See Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on access control models.