If you’re planning to take the SY0-501 version of the Security+ exam, you may run across questions with subtle word choices. For example, one answer could be correct for a question as written, yet a subtle change to a phrase in that question would make the same answer incorrect.
Consider this question that I recently added to the gcgapremium.com site:
Q. Your organization is planning to implement SELinux in enforcing mode as a mandatory access control (MAC) model. Which of the following roles will specify the subjects that can access certain data objects?
A. Administrator
B. System
C. Owner
D. User
The answer and explanation are available at the end of this post.
Subjects and Objects
Within the context of access control models, you’ll often run across the terms subject and objects.
Subjects are typically users or groups that access an object. Occasionally, the subject may be a service that is using a service account to access an object.
Objects are items such as files, folders, shares, and printers that subjects access. For example, users access files and printers. The access control model helps determine how a system grants authorization to objects. Or, said another way, the access control model determines how a system grants users access to files and other resources.
To simplify this, you can think of subjects as users and objects as files. Subjects access files. Subjects can be much more than users, and objects can be much more than files, but remembering that subjects (users) access objects (files) makes the concept easier to remember.
Mandatory Access Control
The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access.
Security-enhanced Linux (SELinux) is one of the few operating systems using the mandatory access control model. If SELinux is in enforcing mode, it enforces the SELinux policy.
Data Roles and Responsibilities
Many people within the organization handle data. However, an organization often assigns specific roles to some people. Each of these roles has specific responsibilities. The Security+ objectives list the following roles:
- Owner. The data owner is the individual with overall responsibility for the data. It is often a high-level position such as the chief executive officer (CEO) or a department head. The data owner is responsible for specifying the classification of the data, ensuring the data is labeled to match the classification, and ensuring security controls are implemented to protect the data.
- Steward/custodian. A data steward or data custodian handles the routine tasks to protect data. For example, a data custodian (often referred to as a system administrator) would ensure data is backed up in accordance with a backup policy. The custodian would also ensure that backup tapes are properly labeled to match the classification of the data and stored in a location that provides adequate protection for the classification of the data. Data owners typically delegate tasks to the data custodian.
- Privacy. A privacy officer is an executive position within an organization. This person is primarily responsible for ensuring that the organization is complying with relevant laws. For example, if the organization handles any PHI, the privacy officer ensures the organization complies with HIPAA. If SOX applies to the organization, the privacy officer ensures that the organization is complying with SOX.
Subtle Phrase Changes
Consider the following three questions with subtle phrase changes.
Which of the following roles will specify the subjects that can access certain data objects? Specify indicates someone is stating a fact or requirement clearly and precisely. It would be the data owner.
Which of the following roles will implement the controls so that the subjects can access certain data objects? Administrators (referred to as stewards or custodians in the Security+ objectives) implement security controls specified by data owners.
Which of the following roles will enforce the controls so that subjects can access certain data objects? A system would enforce the settings implemented by administrators.
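The following Python toy model is an added illustration, not code from the original post or from SELinux itself. It wires the three roles together using the post’s simplified rule (access only when the subject’s label equals the object’s label): the owner specifies classifications and clearances, the administrator implements them as labels, and the system enforces them, either blocking mismatches (enforcing) or only logging them (permissive). The names alice, bob, carol, payroll.xlsx and handbook.pdf are constructed sample data.

```python
"""Who specifies, implements and enforces a MAC policy: an added toy model.
Not code from the original post or from SELinux; uses the post's rule that
access is granted only when subject and object labels match.
"""
from collections import namedtuple

AuditRecord = namedtuple("AuditRecord", "subject object decision note")


class MacSystem:
    """The 'system' role: it enforces labels it did not choose."""

    def __init__(self, enforcing=True):
        self.enforcing = enforcing  # mirrors SELinux enforcing vs permissive mode
        self.subject_labels, self.object_labels, self.audit_log = {}, {}, []

    def check_access(self, subject, obj):
        """Grant on matching labels; in permissive mode log the mismatch instead of blocking."""
        s_label, o_label = self.subject_labels.get(subject), self.object_labels.get(obj)
        if s_label is not None and s_label == o_label:
            decision, note = "granted", "labels match"
        elif self.enforcing:
            decision, note = "denied", f"label mismatch {s_label!r} != {o_label!r}"
        else:
            decision, note = "granted", f"permissive: would deny {s_label!r} != {o_label!r}"
        self.audit_log.append(AuditRecord(subject, obj, decision, note))
        return decision == "granted"


def owner_specifies():
    """The data owner states each object's classification and who is cleared for each label."""
    object_classes = {"payroll.xlsx": "confidential", "handbook.pdf": "internal"}  # constructed
    cleared_subjects = {"confidential": {"alice"}, "internal": {"bob"}}             # constructed
    return object_classes, cleared_subjects


def administrator_implements(object_classes, cleared_subjects, system):
    """The custodian turns the owner's specification into labels on objects and subjects."""
    system.object_labels.update(object_classes)
    for label, subjects in cleared_subjects.items():
        for subject in subjects:
            if system.subject_labels.get(subject, label) != label:
                raise ValueError(f"{subject} cleared for two labels; a single-label model cannot express that")
            system.subject_labels[subject] = label
    return system


def run_demo(enforcing=True):
    """Wire the three roles together and return the access decisions plus the audit trail."""
    system = administrator_implements(*owner_specifies(), MacSystem(enforcing))
    requests = [("alice", "payroll.xlsx"), ("bob", "payroll.xlsx"), ("carol", "handbook.pdf")]
    decisions = {req: system.check_access(*req) for req in requests}
    return decisions, system.audit_log
```

In permissive mode every request is granted, so the audit log (not the return value) is the only evidence of a policy violation; that is why a defender reviews the log before switching a policy to enforcing.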
Remember this
Key data roles within an organization are responsible for protecting data. The owner has overall responsibility for the protection of the data and specifies the subjects that can access certain objects. A steward or custodian handles routine tasks to protect data. A privacy officer is an executive responsible for ensuring the organization complies with relevant laws.
Q. Your organization is planning to implement SELinux in enforcing mode as a mandatory access control (MAC) model. Which of the following roles will specify the subjects that can access certain data objects?
A. Administrator
B. System
C. Owner
D. User
C is correct. The data owner will specify which subjects (such as users) can access certain data objects (such as files). A key word here is “specify” and specify indicates someone is stating a fact or requirement clearly and precisely.
Administrators will implement the model by assigning labels to both subjects and objects. If the question were “Which of the following roles will implement the controls so that the subjects can access certain data objects?”, Administrator would be the correct answer.
After the labels have been assigned, the system will enforce the model by ensuring that only authorized users can access data, which it does by ensuring the labels match. If the question were “Which of the following roles will enforce the controls so that subjects can access certain data objects?”, then System would be the correct answer.
Users will not specify any permissions for access control in a MAC model.
Chapter 2 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide covers the MAC model, and Chapter 11 covers the different data roles.
SY0-501 objective 5.8 Given a scenario, carry out data security and privacy practices.