Mandatory Access Control (MAC) – Complete Guide for ISC2 CC Exam
Why is Mandatory Access Control (MAC) Important?
Mandatory Access Control (MAC) is one of the most critical access control models in information security. It is important because it provides the highest level of access control by enforcing strict policies determined by a central authority — typically the system or security administrator — rather than by individual resource owners. MAC is widely used in environments where confidentiality is paramount, such as military, government, and intelligence agencies. Understanding MAC is essential for the ISC2 CC exam because it is a foundational concept in access control theory, and questions about it frequently appear in certification exams.
What is Mandatory Access Control (MAC)?
Mandatory Access Control is an access control model in which access decisions are made by a central authority based on security labels (also called sensitivity labels or classification levels) assigned to both subjects (users, processes) and objects (files, resources, data). Unlike Discretionary Access Control (DAC), where the resource owner decides who gets access, MAC does not allow users to override or modify access policies. The operating system or security kernel enforces the rules, and even the data owner cannot grant access beyond what the policy allows.
Key characteristics of MAC include:
• Label-based: Every subject and object is assigned a security label (e.g., Top Secret, Secret, Confidential, Unclassified).
• Centrally administered: Only a security administrator or the system itself can change labels and policies.
• Non-discretionary: Users cannot change access permissions on objects they own.
• Policy-driven: Access is determined by comparing the subject's clearance level to the object's classification level.
How Does Mandatory Access Control Work?
MAC works by applying a security policy that compares the security labels of subjects and objects. The two most well-known models that implement MAC principles are:
1. Bell-LaPadula Model (Confidentiality-focused)
This model is designed to protect confidentiality. It operates on two main rules:
• Simple Security Rule (No Read Up): A subject at a lower clearance level cannot read data at a higher classification level. For example, a user with "Secret" clearance cannot read "Top Secret" documents.
• Star (*) Property (No Write Down): A subject at a higher clearance level cannot write data to a lower classification level. This prevents information from leaking from a higher classification to a lower one.
2. Biba Model (Integrity-focused)
This model is designed to protect integrity. It is essentially the inverse of Bell-LaPadula:
• Simple Integrity Axiom (No Read Down): A subject cannot read data at a lower integrity level.
• Star (*) Integrity Axiom (No Write Up): A subject cannot write data to a higher integrity level.
How MAC Works in Practice:
1. A security administrator assigns classification labels to all data objects (e.g., Top Secret, Secret, Confidential, Unclassified).
2. Each user (subject) is assigned a clearance level based on their role, trustworthiness, and need-to-know.
3. When a user attempts to access a resource, the operating system or security kernel compares the user's clearance with the object's classification.
4. Access is granted or denied automatically based on the security policy — the user has no ability to override this decision.
5. Even if a user "owns" a file, they cannot share it with someone who does not have the appropriate clearance level.
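The label comparison described above, as an added sketch (not code from SELinux, Trusted Solaris, or any real security kernel). The ReferenceMonitor class, the subject and object names, and the deny-by-default handling of unlabeled entries are assumptions made for illustration; the same monitor can be run with either the Bell-LaPadula or the Biba rule set.

```python
from enum import IntEnum

class Level(IntEnum):  # ordered labels, lowest to highest (names from the text above)
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def bell_lapadula(subject, obj, op):
    """Confidentiality: no read up, no write down."""
    return subject >= obj if op == "read" else subject <= obj

def biba(subject, obj, op):
    """Integrity: no read down, no write up (levels read as integrity levels)."""
    return subject <= obj if op == "read" else subject >= obj

class ReferenceMonitor:
    """Hypothetical stand-in for the security kernel; decides from labels only."""
    def __init__(self, policy):
        self.policy = policy
        self.clearances = {}  # subject -> Level, assigned by the administrator
        self.objects = {}     # object -> (Level, owner)

    def label_subject(self, name, level):
        self.clearances[name] = Level(level)

    def label_object(self, name, level, owner):
        self.objects[name] = (Level(level), owner)

    def check(self, subject, obj, op):
        if op not in ("read", "write"):
            raise ValueError(f"unsupported operation: {op}")
        if subject not in self.clearances or obj not in self.objects:
            return False  # assumption of this sketch: unlabeled means denied
        level, _owner = self.objects[obj]  # ownership is never consulted
        return self.policy(self.clearances[subject], level, op)

def demo():
    """Constructed sample subjects and objects, evaluated under Bell-LaPadula."""
    rm = ReferenceMonitor(bell_lapadula)
    rm.label_subject("alice", Level.SECRET)
    rm.label_subject("bob", Level.CONFIDENTIAL)
    rm.label_object("ops-plan", Level.TOP_SECRET, owner="carol")
    rm.label_object("alice-report", Level.SECRET, owner="alice")
    rm.label_object("bulletin", Level.UNCLASSIFIED, owner="alice")
    return {
        "alice reads ops-plan": rm.check("alice", "ops-plan", "read"),
        "alice reads alice-report": rm.check("alice", "alice-report", "read"),
        "alice writes bulletin": rm.check("alice", "bulletin", "write"),
        "bob reads alice-report": rm.check("bob", "alice-report", "read"),
    }
```

In demo(), alice owns both alice-report and bulletin, yet she cannot write to the lower-labeled bulletin and bob cannot read her report: the owner field plays no part in the decision.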
Real-World Examples of MAC:
• Military and government systems — classified information is protected using MAC to ensure only personnel with the appropriate clearance can access specific data.
• SELinux (Security-Enhanced Linux) — an implementation of MAC in the Linux operating system developed by the NSA.
• Trusted Solaris — an operating system that implemented MAC for high-security environments.
MAC vs. DAC vs. RBAC — Key Differences:
• MAC: Central authority sets policies; users cannot modify access; based on labels. Most restrictive.
• DAC (Discretionary Access Control): Resource owners decide who gets access; users can modify permissions. Least restrictive.
• RBAC (Role-Based Access Control): Access is based on the user's role within the organization. Moderately restrictive.
Advantages of MAC:
• Provides the strongest protection against unauthorized access
• Prevents data leakage from higher to lower classification levels
• Eliminates the risk of users accidentally or intentionally granting inappropriate access
• Well-suited for environments requiring strict confidentiality
Disadvantages of MAC:
• Complex and costly to implement and maintain
• Inflexible — difficult to adapt to dynamic business needs
• Requires significant administrative overhead
• Not practical for most commercial or everyday business environments
Exam Tips: Answering Questions on Mandatory Access Control (MAC)
Tip 1: Know the defining characteristic. MAC is defined by the fact that access decisions are made by the system based on security labels, not by the data owner. If a question asks about an access control model where users cannot change permissions, the answer is MAC.
Tip 2: Remember "Labels = MAC." Anytime a question mentions sensitivity labels, classification levels, or security clearances, think MAC. This is the strongest indicator.
Tip 3: MAC = Most restrictive. If a question asks which access control model is the most restrictive or provides the highest level of security, the answer is MAC.
Tip 4: Associate MAC with military/government. Questions that reference military environments, classified data, or government security systems are almost always pointing to MAC.
Tip 5: Understand the Bell-LaPadula connection. The Bell-LaPadula model is the classic example of a MAC implementation focused on confidentiality. Remember: No Read Up, No Write Down. If a question describes these rules, it is referencing a MAC-based model.
Tip 6: Distinguish MAC from DAC. This is one of the most common exam traps. The key difference: In DAC, the data owner controls access. In MAC, the system/central authority controls access. If the question says the owner sets permissions, it's DAC. If the system enforces labels, it's MAC.
Tip 7: Know that MAC is non-discretionary. MAC is sometimes referred to as a non-discretionary access control model. However, be careful — RBAC is also considered non-discretionary. The differentiator is that MAC uses security labels, while RBAC uses roles.
Tip 8: Watch for keywords in questions. Look for these keywords that signal MAC: classification, clearance, sensitivity label, lattice-based, central authority, security policy enforcement, need-to-know combined with clearance levels.
Tip 9: Understand that users cannot override MAC. A common distractor answer may suggest that a user or data owner can grant exceptions. In a true MAC environment, only the security administrator can change labels or policies — never the end user.
Tip 10: Remember the formula for exam success.
Security labels + Central authority + No user override = Mandatory Access Control (MAC)
By mastering these concepts and exam tips, you will be well-prepared to confidently answer any MAC-related question on the ISC2 CC certification exam.