Tue Jul 18

What is Mandatory Access Control and How Does It Work?

Data breaches and cyber attacks are a constant threat in today’s digital world, exposing sensitive information and compromising security. How can we prevent unauthorized access to our data and systems? One solution is mandatory access control (MAC), a security model that enforces strict rules for who and what can access resources.

What is Mandatory Access Control?

Mandatory Access Control (MAC) is a form of [access control](https://www.binaryte.com/blog/access-control-what-it-is-how-it-works-and-how-to-implement-it) that restricts access to resources based on the security attributes of the resources and the users. A resource can be a file, a folder, a port, a device, etc., while a user can be a person, a process, or a thread. Resources and users each have a set of security attributes, such as labels or tags, that indicate their degree of sensitivity or classification. For example, a security attribute can be Top Secret, Secret, Confidential, or Unclassified. Whenever a user tries to access a resource, the system compares these security attributes against a rule and decides whether the access may happen. Every action by any user on any resource is evaluated against the set of rules (also known as the policy) to determine whether the action is permitted.

Why Mandatory Access Control?

MAC is important because it enables organizations to implement organization-wide security policies that are consistently enforced across all users and resources within the boundary of an information system. Users do not have the power to override or change these policies, either by mistake or on purpose. This prevents unauthorized disclosure, alteration, or destruction of sensitive information. MAC is often used in military, government, or high-security settings where information needs to be strictly controlled and protected.

How MAC Operates

The main components and mechanisms of MAC are:

Security labels

These are identifiers that are attached to users and resources to indicate their degree of sensitivity or classification. For example, a security label can be Top Secret, Secret, Confidential, or Unclassified. Security labels can also include categories or compartments that further specify the kind or scope of information. For example, a security label can be Top Secret/SCI (Sensitive Compartmented Information) or Secret/NATO (North Atlantic Treaty Organization).

Security clearance

This is an authorization that is granted to users to access information of a certain degree of sensitivity or classification. For example, a user can have a Top Secret clearance that allows them to access Top Secret information. Security clearance can also include categories or compartments that further specify the kind or scope of information that a user can access. For example, a user can have a Top Secret/SCI clearance that allows them to access Top Secret/SCI information.

Access matrix

This is a data structure that defines the rules for each user-resource pair in the system. For example, an access matrix can specify that user A can read resource X but not write to it, while user B can write to resource X but not read it. An access matrix can also specify other types of actions such as execute, append, delete, etc.

Reference monitor

This is a component of the system that enforces the rules defined by the access matrix. It intercepts every request from a user to a resource and checks whether the request is allowed or denied based on the security attributes of both entities. If the request is allowed, it grants access; if not, it denies access and logs the event.

Kinds of MAC Models

There are different ways to implement MAC in an information system. Some of the common kinds of MAC models are:

Lattice-based model

This is a mathematical model that defines a partial order relation among security labels based on their degree of sensitivity or classification. For example, Top Secret > Secret > Confidential > Unclassified. A user can only access a resource if the user's security label (their clearance) dominates or is equal to the security label of the resource. For example, a user with Top Secret clearance can access a resource with a Secret label, but not vice versa. Labels with different categories or compartments need not be comparable at all, which is why the order is partial rather than total.

Bell-LaPadula model

This is an extension of the lattice-based model that adds two more rules: no read up and no write down. These rules prevent information leakage from higher to lower levels of sensitivity or classification. For example, a user with Secret clearance cannot read a resource with Top Secret label (no read up) and cannot write to a resource with Confidential label (no write down).

Biba model

This is an inverse of the Bell-LaPadula model that focuses on preserving the integrity of information rather than its confidentiality. It adds two opposite rules: no read down and no write up. These rules prevent information corruption from lower to higher levels of integrity or trustworthiness. For example, a user with High integrity cannot read a resource with Low integrity (no read down) and cannot write to a resource with Medium integrity (no write up).
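The following is an added example, not code from the original article: a small label lattice with compartments, the Bell-LaPadula and Biba checks from the three model descriptions above, and a reference monitor of the kind described under "How MAC Operates" that mediates each request and logs denials. The level names and the SCI/NATO compartments come from the article; the user names, file names and their labels are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments,
    e.g. Label("Top Secret", frozenset({"SCI"})) for Top Secret/SCI."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __str__(self) -> str:
        comps = "/".join(sorted(self.compartments))
        return f"{self.level}/{comps}" if comps else self.level


class Lattice:
    """Partial order on labels. `levels` lists the hierarchical levels from
    least to most sensitive (or least to most trustworthy, for integrity)."""

    def __init__(self, levels: List[str]) -> None:
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        # a >= b iff a's level is at least b's AND a holds every compartment b has.
        # Labels with different compartments can be incomparable: neither dominates.
        return self.rank[a.level] >= self.rank[b.level] and a.compartments >= b.compartments


Policy = Callable[[Lattice, Label, Label, str], bool]


def blp_allows(lat: Lattice, subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if action == "read":
        return lat.dominates(subject, obj)   # simple security property
    if action == "write":
        return lat.dominates(obj, subject)   # *-property
    raise ValueError(f"unknown action {action!r}")


def biba_allows(lat: Lattice, subject: Label, obj: Label, action: str) -> bool:
    """Biba (integrity): no read down, no write up. Levels are integrity levels."""
    if action == "read":
        return lat.dominates(obj, subject)   # object must be at least as trustworthy
    if action == "write":
        return lat.dominates(subject, obj)   # subject must be at least as trustworthy
    raise ValueError(f"unknown action {action!r}")


class ReferenceMonitor:
    """Mediates every (subject, object, action) request against one policy
    and records denials in an audit log."""

    def __init__(self, lat: Lattice, policy: Policy,
                 subjects: Dict[str, Label], objects: Dict[str, Label]) -> None:
        self.lat, self.policy = lat, policy
        self.subjects, self.objects = subjects, objects
        self.audit_log: List[str] = []

    def request(self, subject: str, obj: str, action: str) -> bool:
        # Unknown subject or object names raise KeyError: the monitor fails closed.
        s, o = self.subjects[subject], self.objects[obj]
        allowed = self.policy(self.lat, s, o, action)
        if not allowed:
            self.audit_log.append(f"DENY {subject}[{s}] {action} {obj}[{o}]")
        return allowed


# Constructed sample data (hypothetical users and files; levels from the article).
CONFIDENTIALITY = Lattice(["Unclassified", "Confidential", "Secret", "Top Secret"])
USERS = {
    "alice": Label("Top Secret", frozenset({"SCI"})),
    "bob": Label("Secret"),
}
FILES = {
    "plan.doc": Label("Top Secret"),
    "sci-report.doc": Label("Top Secret", frozenset({"SCI"})),
    "memo.txt": Label("Confidential"),
}


def main() -> None:
    rm = ReferenceMonitor(CONFIDENTIALITY, blp_allows, USERS, FILES)
    for who, what, how in [("alice", "sci-report.doc", "read"),
                           ("bob", "plan.doc", "read"),
                           ("bob", "memo.txt", "write"),
                           ("bob", "plan.doc", "write")]:
        print(f"{who} {how} {what}: {'ALLOW' if rm.request(who, what, how) else 'DENY'}")
    print("\n".join(rm.audit_log))


if __name__ == "__main__":
    main()
```

Note that under Bell-LaPadula bob (Secret) may write to the Top Secret plan.doc even though he cannot read it: the *-property only forbids writing down. Swapping `blp_allows` for `biba_allows` with an integrity lattice such as `Lattice(["Low", "Medium", "High"])` reverses both directions, which is the sense in which Biba is the inverse of Bell-LaPadula.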

Pros and Cons of MAC

MAC has several advantages and disadvantages when compared to other forms of access control, such as Discretionary Access Control (DAC) or Role-Based Access Control (RBAC).

Pros:

High level of security and protection for sensitive information

MAC enforces strict and uniform policies across the system based on the sensitivity of the data and the clearance of the users. Users cannot change or override these policies, which prevents unauthorized access or modification of the data. The system also checks and verifies the security attributes and rules automatically, which reduces the risk of human error or malicious intent.

Simplified administration and maintenance of the policies

MAC centralizes the control and management of the security attributes and rules, which makes it easier for the system administrator to define and update them. The system also automates the checking and enforcing of the policies, which reduces the workload and complexity for the administrator.

Support for multilevel security (MLS) systems

MAC can handle information with different levels of sensitivity or classification within the same system, such as confidential, secret, or top secret. The system can also enforce different forms of MAC, such as multilevel security or multilateral security, depending on the needs of the organization.

Cons:

High upfront planning and design

MAC requires a lot of effort and time to define the security attributes and rules for all users and resources in the system, such as the security levels, clearances, labels, and code words. The system administrator has to manually configure these parameters and ensure that they are consistent and accurate.

Rigid and inflexible structure

MAC imposes a fixed and hierarchical structure that may not accommodate changing business needs or user preferences. Users cannot change or override the policies, which may limit the functionality and usability of the system for them. The system also does not allow for exceptions or deviations from the rules, which may cause inconvenience or frustration for the users.

High performance overhead

MAC may incur a high performance overhead due to the constant checking and verification of the security attributes and rules. The system has to compare the credentials of the users and the resources every time an access request is made, which may slow down the system or consume more resources.

Conclusion

Mandatory Access Control (MAC) is a form of access control that limits access to resources based on the sensitivity of the resource and the authorization of the user. MAC is often used in high-security settings where information needs to be strictly controlled and protected. MAC has several pros, such as providing a high level of security, reducing human error, simplifying administration, and supporting multilevel security. However, MAC also has some cons, such as requiring upfront planning, imposing rigidity, limiting functionality, and incurring performance overhead.