If you’re planning on taking the Security+ exam, you should have a good understanding of mandatory access control (MAC). The MAC model can be used in systems requiring a need to know and it uses labels to identify users and data.
For example, can you answer this question?
Q. Your organization hosts several classified systems in the data center. Management wants to increase security with these systems by implementing two-factor authentication. Management also wants to restrict access to these systems to employees who have a need to know. Which of the following choices should management implement for authorization?
A. USB token and PIN
B. Username and password
C. Mandatory access control
D. Rule-based access control
Also, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
How MAC Model Works
The MAC model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access.
Military units make wide use of this model to protect data. You may have seen movies where they show a folder with a big red and black cover page labeled “Top Secret.” The cover page identifies the sensitivity label for the data contained within the folder. Users with a Top Secret label (a Top Secret clearance) and a need to know can access the data within the Top Secret folder.
Need to know is an important concept to understand. Just because individuals have a Top Secret clearance, it doesn’t mean they should automatically have access to all Top Secret data. Instead, access is restricted based on a need to know. Need to know is similar in concept to the principle of least privilege, but it only applies to data and data permissions. In contrast, the principle of least privilege applies to permissions and rights.
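The label check and the need-to-know restriction described above can be sketched as a small access decision function. This is an added example, not code from the original post or from any real MAC implementation; it goes slightly beyond the text by assuming ordered sensitivity levels and by modeling need to know as compartments, and all user names, file names and compartment names are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered sensitivity levels; the ordering is an assumption of this example.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    # Compartments model need to know (compartment names are constructed).
    compartments: frozenset = frozenset()


def decide(subject: Label, obj: Label) -> tuple[bool, str]:
    """Return (granted, reason) for a read request under the label policy."""
    # A clearance alone is not enough: the level is checked first...
    if subject.level < obj.level:
        return False, "clearance below object sensitivity"
    # ...then every compartment on the object must also be on the subject.
    missing = obj.compartments - subject.compartments
    if missing:
        return False, "no need to know for: " + ", ".join(sorted(missing))
    return True, "labels match"


# Constructed sample labels, assigned by an administrator rather than by the users.
SUBJECTS = {
    "alice": Label(Level.TOP_SECRET, frozenset({"PROJECT_A"})),
    "bob": Label(Level.TOP_SECRET, frozenset({"PROJECT_B"})),
    "carol": Label(Level.SECRET, frozenset({"PROJECT_A"})),
}
OBJECTS = {
    "project_a_plan.doc": Label(Level.TOP_SECRET, frozenset({"PROJECT_A"})),
    "cafeteria_menu.txt": Label(Level.UNCLASSIFIED),
}


def access_matrix() -> dict:
    """Evaluate every subject against every object."""
    return {(s, o): decide(sl, ol)
            for s, sl in SUBJECTS.items() for o, ol in OBJECTS.items()}


if __name__ == "__main__":
    for (user, name), (granted, reason) in access_matrix().items():
        print(f"{user:6} {name:20} {'GRANT' if granted else 'DENY':5} {reason}")
```

Bob holds the same Top Secret clearance as Alice but is denied the Project A file because his label lacks that compartment, which is the need-to-know restriction in action.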
Security-enhanced Linux (SELinux) is one of the few operating systems using the mandatory access control model. SELinux was specifically created to demonstrate how mandatory access controls can be added to an operating system. In contrast, Windows operating systems use the discretionary access control model.
Responsible for Establishing Access
An administrator is responsible for establishing access, but only someone at a higher authority can define the access for subjects and objects.
Typically, a security professional identifies the specific access individuals are authorized to have. This person can also upgrade or downgrade the individuals’ access, when necessary. Note that the security professional does all this via paperwork and does not assign the rights and permissions on computer systems. Instead, the administrator assigns the rights based on the direction of the security professional.
Multiple approval levels are usually involved in the decision-making process to determine what a user can access. For example, in the military an officer working in the security professional role would coordinate with higher-level government entities to upgrade or downgrade clearances. These higher-level entities approve or disapprove clearance requests.
Once an individual is formally granted access, a network administrator would be responsible for establishing access based on the clearances identified by the security professional. From the IT administrator’s point of view, all the permissions and access privileges are predefined.
If someone needed different access, the administrator would forward the request to the security professional, who may approve or disapprove the request. On the other hand, the security professional may forward the request to higher entities based on established procedures. This process takes time and results in limited flexibility.
Q. Your organization hosts several classified systems in the data center. Management wants to increase security with these systems by implementing two-factor authentication. Management also wants to restrict access to these systems to employees who have a need to know. Which of the following choices should management implement for authorization?
A. USB token and PIN
B. Username and password
C. Mandatory access control
D. Rule-based access control
Answer is C. Mandatory access control (MAC) is an access control model that can be used in systems requiring a need to know. It uses labels to identify users and data. If the user has the correct label needed to access the data, the user is authorized access.
Note that the question talks about both authentication (proving your identity) and authorization (granting access based on the proven identity). However, the actual question only asks about authorization.
A USB token and a PIN provide two factors of authentication, but the question asks what is needed for authorization.
A username provides identification and a password provides authentication.
A rule-based access control system (rule-BAC) uses rules to trigger a change in permissions based on an event, or rules within an access control list (ACL) on hardware devices such as routers.