What is mandatory access control (MAC)?
Mandatory access control (MAC) is a security strategy that restricts the ability individual resource owners have to grant or deny access to resource objects in a file system. MAC criteria are defined by the system administrator, strictly enforced by the operating system (OS) or security kernel, and cannot be altered by end users.
MAC is a method or access control policy aimed at restricting access to a resource (also known as an object) based on two key factors: the sensitivity of the information contained in that resource and the authorization level of the user trying to access that resource and its information.
Security teams or admins define whether a resource is sensitive or not by applying a security level, such as "Restricted," "Confidential," "Secret," or "Top Secret," to it and assigning the resource to a security category, such as "Department M" or "Project X." Together, the security level and security category constitute the security label. Admins also assign a security clearance level to each authorized user to determine which resources they can access.
Once the label is applied and the MAC policy is finalized, users can only access those resources (or the information within resources) that they are entitled to access. For example, User A may be entitled to access the information within a resource labeled "Department M Restricted," but User B may not have the same authority. Similarly, User B may be entitled to access the resource labeled "Project X Confidential," but User A may not be authorized to do so.
Why is mandatory access control used?
MAC is an important method of data access control. It is often used to protect information that, if compromised or lost, may cause damage to the organization. This information may be private, sensitive, confidential or restricted. Examples include the following:
- Trade secrets.
- Strategic or merger and acquisition plans.
- Intellectual property.
- Personally identifiable information.
- Financial information and transactions.
- Protected health information.
- Customer information.
In the wrong hands, these types of information can cause financial or reputational harm to a business or government. That's why it's crucial to protect the information, maintain its confidentiality, integrity and availability -- also known as the CIA triad -- and ensure that only authorized users can access the information. Here's where implementing MAC can be useful.
How is mandatory access control used?
Often employed in government and military facilities, mandatory access control works by assigning a classification label to each file system object. In addition, each user is assigned a security or clearance level. They may access the object or resource only if their security level is equal to or greater than the resource's classification label ("Restricted," "Confidential," etc.).
When a person or device tries to access a specific resource, the OS or security kernel will check the entity's credentials to determine whether access will be granted. While MAC is the most secure access control setting available, it requires careful planning and continuous monitoring to keep all resource objects' and users' classifications up to date.
The administrator plays a key role in setting and enforcing MAC and maintaining its hierarchical model. This person or group sets all user permissions and controls who can access what. Because administration is centralized and tight, non-admin users cannot set their own permissions. They also cannot access resources that correspond to a security level higher than theirs in the hierarchy.
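As an added illustration (not code from the original article), here is a small Python reference monitor for the labels and clearances described above, populated with the article's User A / User B scenario. The object names, the administrator name "root", and the comparison rule (a clearance must be at least the object's level and contain all of its categories) are assumptions.

```python
from dataclasses import dataclass, field

LEVELS = {"Restricted": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}

@dataclass(frozen=True)
class Label:
    """Security label = level + categories; also used for user clearances."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        # Assumed rule: level at least as high AND every category present.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

class MacPolicy:
    """Reference monitor: only the administrator may set labels/clearances."""

    def __init__(self, admin):
        self.admin = admin
        self.labels = {}        # object name -> Label
        self.clearances = {}    # user name -> Label

    def _require_admin(self, actor):
        if actor != self.admin:
            raise PermissionError(f"{actor} is not the administrator")

    def set_label(self, actor, obj, label):
        self._require_admin(actor)
        self.labels[obj] = label

    def set_clearance(self, actor, user, clearance):
        self._require_admin(actor)
        self.clearances[user] = clearance

    def can_read(self, user, obj):
        clearance, label = self.clearances.get(user), self.labels.get(obj)
        if clearance is None or label is None:
            return False        # uncleared user or unlabeled object: deny
        return clearance.dominates(label)

def build_example_policy():
    """Constructed data matching the article's User A / User B scenario."""
    p = MacPolicy(admin="root")
    p.set_label("root", "budget.xlsx", Label("Restricted", frozenset({"Department M"})))
    p.set_label("root", "design.doc", Label("Confidential", frozenset({"Project X"})))
    p.set_clearance("root", "userA", Label("Secret", frozenset({"Department M"})))
    p.set_clearance("root", "userB", Label("Confidential", frozenset({"Project X"})))
    return p
```

Note that userA holds a higher level than the "Project X Confidential" document but is still refused because the clearance lacks the category, and that userB cannot raise their own clearance.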
What are the basic principles of mandatory access control?
MAC is based on several principles that, when followed, help control access to data, protect the data, and maintain its confidentiality. One such principle is that MAC is always centrally managed by an administrator. This person is responsible for setting security clearances for users and security labels for resources.
Another principle is that users can only access the resources for which they have been granted clearance. Next, users cannot make changes to their permissions or clearance levels, even if they own the resource. Finally, no user can grant privileges to other users or change the MAC rules governing access control. They also cannot access or edit someone else's information without explicit permission to do so.
Benefits and drawbacks of mandatory access control
MAC is considered a highly secure way of controlling access to sensitive or confidential resources and the information contained within them. It is particularly useful for preserving the confidentiality of data. Because the administrator controls which user has access to which resource, users cannot make access changes that might compromise the security of a resource. These benefits make MAC suitable for protecting sensitive data in government and military settings.
One disadvantage of MAC is that it can be difficult to manage because the burden of configuring and maintaining all accesses falls on the administrator, particularly as the number of systems and users increases. For the same reason, MAC is not suitable for applications with many users, such as internet-based applications.
Another drawback of MAC is that it can be expensive to implement. Clearing users to access one or more resource types can be time-consuming and costly. The cost and effort increase further when different confidentiality levels or security domains must be applied within the same IT system. For these reasons, the method is not often used in budget-constrained corporate environments.
What is the difference between mandatory access control and discretionary access control?
As the highest level of access control, MAC can be contrasted with lower-level discretionary access control (DAC), which lets individual resource owners make their own policies and assign security controls.
Unlike MAC, DAC provides users some control over their data resources. For example, document creators can determine who can access the document and what kind of privileges those users will have. The administrator is not required to control accesses and set privileges.
Another difference is that MAC implementation is based on resource sensitivity levels and permissions are not stored in access control lists (ACLs). In contrast, permissions in DAC are stored in ACLs, which are created and maintained by the administrator.
DAC is somewhat easier to implement since it doesn't require centralized administration. However, it is a less secure method of controlling data access since it doesn't require assigning labels to objects and clearances to users.
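To make the DAC/MAC contrast concrete, here is an added Python example (not from the original article) that decides the same read request both ways: under DAC the owner's ACL entry decides, while under MAC only the administrator's labels and the assumed dominance rule (level at least as high, all categories present) do. The user names, the object and its label are constructed.

```python
LEVELS = {"Restricted": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}

class DacObject:
    """DAC: the owner keeps an ACL and is the only one who may edit it."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, perm):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).add(perm)

    def dac_allows(self, user, perm):
        return perm in self.acl.get(user, set())

def mac_allows(clearance, label):
    """MAC: no ACL; the administrator-assigned clearance must dominate the label."""
    c_level, c_cats = clearance
    o_level, o_cats = label
    return LEVELS[c_level] >= LEVELS[o_level] and set(c_cats) >= set(o_cats)

def compare_models():
    """Return {user: (dac_decision, mac_decision)} for reading design.doc."""
    doc = DacObject(owner="userA")
    doc.grant("userA", "userB", "read")            # owner's discretionary grant
    label = ("Confidential", {"Project X"})         # assigned by the administrator
    clearances = {                                  # also assigned by the administrator
        "userA": ("Confidential", {"Project X"}),
        "userB": ("Secret", {"Department M"}),      # higher level, wrong category
        "userC": ("Top Secret", {"Project X"}),     # cleared, but absent from the ACL
    }
    return {u: (doc.dac_allows(u, "read"), mac_allows(clearances[u], label))
            for u in clearances}
```

The owner's grant to userB is honoured by DAC but irrelevant to MAC, and userC's clearance satisfies MAC while DAC still refuses for lack of an ACL entry.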
How do mandatory access control and application sandboxing differ?