Mandatory Access Control (MAC) – Complete Guide for SSCP Exam
Why Mandatory Access Control (MAC) Is Important
Mandatory Access Control (MAC) is one of the most critical access control models in information security. It is essential for environments that handle highly sensitive or classified data, such as military, government, and intelligence agencies. MAC enforces strict security policies that prevent unauthorized disclosure of information. Understanding MAC is vital for SSCP candidates because it forms a foundational concept in the Access Controls domain and is frequently tested on the exam.
MAC is important because:
- It provides the highest level of security among all access control models.
- It prevents users from overriding or modifying access policies, reducing the risk of insider threats.
- It ensures data confidentiality through system-enforced rules rather than user discretion.
- It is mandated in environments processing classified information (e.g., systems compliant with the Bell-LaPadula model).
What Is Mandatory Access Control (MAC)?
Mandatory Access Control is an access control model in which the operating system or security kernel enforces access decisions based on security labels (also called sensitivity labels or classification labels). Users and subjects are assigned clearance levels, and objects (files, resources, data) are assigned classification levels. Access is granted or denied based on a comparison of these labels.
Key characteristics of MAC include:
- System-enforced: Access decisions are made by the system, not by individual users or data owners.
- Label-based: Every subject (user, process) and object (file, database) carries a security label.
- Non-discretionary: Users cannot change the classification of objects or grant access to other users. Only administrators or security officers with the appropriate authority can modify labels.
- Hierarchical and compartmentalized: Labels often include a hierarchical component (e.g., Top Secret > Secret > Confidential > Unclassified) and a set of compartments or categories (e.g., NATO, Nuclear, Project X).
Examples of MAC implementations include:
- SELinux (Security-Enhanced Linux)
- Trusted Solaris
- Windows Mandatory Integrity Control (MIC)
- Military and government classified systems
How Does Mandatory Access Control Work?
MAC operates through a combination of security labels, clearance levels, and security policies enforced by a trusted computing base (TCB).
Step 1: Assigning Labels
Every subject (user or process) is assigned a clearance level (e.g., Top Secret). Every object (file, directory, network resource) is assigned a classification level (e.g., Secret). Labels may also include categories or compartments (e.g., a user cleared for Top Secret with access to the "NATO" compartment).
Step 2: Applying Security Rules
The system enforces rules based on security models. The most commonly associated model is the Bell-LaPadula Model, which focuses on confidentiality:
- Simple Security Rule (No Read Up): A subject cannot read an object at a higher classification level. For example, a user with Secret clearance cannot read a Top Secret document.
- Star Property (No Write Down): A subject cannot write to an object at a lower classification level. For example, a user with Top Secret clearance cannot write data to a Secret file, preventing information leakage to lower levels.
- Strong Star Property: A subject can read and write only at their own level.
Another related model is the Biba Model, which focuses on integrity:
- Simple Integrity Axiom (No Read Down): A subject cannot read objects at a lower integrity level.
- Star Integrity Axiom (No Write Up): A subject cannot write to objects at a higher integrity level.
Step 3: Enforcement by the Security Kernel
The reference monitor (a component of the security kernel) mediates every access attempt. It compares the subject's clearance and categories against the object's classification and categories. For a read, if the subject's clearance dominates the object's classification and the subject possesses all of the object's compartments, access is granted; otherwise, access is denied. For a write, the comparison runs the other way, because the star property requires the object's label to dominate the subject's.
Step 4: Administrative Control
Only a security administrator or designated authority can change labels on subjects or objects. Regular users have no ability to alter access permissions or share their access with others. This is what distinguishes MAC from Discretionary Access Control (DAC), where the data owner controls permissions.
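The four steps above, as an added worked example (this code is not from the guide and is not any real MAC implementation; the level orderings, the names alice, bob and carol, and the file names are constructed for illustration). A Label combines a hierarchical level with a set of compartments, a Lattice defines the "dominates" ordering the reference monitor compares against, bell_lapadula and biba encode the read/write rules from Step 2, and ReferenceMonitor enforces them while allowing only the security administrator to change labels (Step 4):

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


class Lattice:
    """Partial order over labels: levels are totally ordered by the sequence
    given (lowest first); compartments are ordered by set inclusion."""

    def __init__(self, levels: Sequence[str]) -> None:
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        # a >= b iff a's level is at least b's AND a holds every compartment of b.
        return (self.rank[a.level] >= self.rank[b.level]
                and a.compartments >= b.compartments)


# Constructed orderings for this example (confidentiality and integrity are
# separate lattices: Bell-LaPadula uses the first, Biba the second).
CONFIDENTIALITY = Lattice(["Unclassified", "Confidential", "Secret", "Top Secret"])
INTEGRITY = Lattice(["Low", "Medium", "High"])


def bell_lapadula(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality rules: no read up, no write down."""
    if op == "read":    # simple security rule: subject must dominate object
        return CONFIDENTIALITY.dominates(subject, obj)
    if op == "write":   # star property: object must dominate subject
        return CONFIDENTIALITY.dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Label, obj: Label, op: str) -> bool:
    """Integrity rules: no read down, no write up."""
    if op == "read":    # simple integrity axiom: object integrity must dominate subject's
        return INTEGRITY.dominates(obj, subject)
    if op == "write":   # star integrity axiom: subject integrity must dominate object's
        return INTEGRITY.dominates(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


class ReferenceMonitor:
    """Mediates every access attempt and records the decision.
    Only the security administrator may assign or change labels."""

    def __init__(self) -> None:
        self.subjects: Dict[str, Label] = {}
        self.objects: Dict[str, Label] = {}
        self.audit: List[str] = []

    def relabel(self, actor_role: str, kind: str, name: str, label: Label) -> None:
        if actor_role != "security_admin":
            self.audit.append(f"DENY relabel {kind} {name} by role {actor_role}")
            raise PermissionError("only the security administrator may change labels")
        table = self.subjects if kind == "subject" else self.objects
        table[name] = label

    def check(self, subject: str, obj: str, op: str,
              policy: Callable[[Label, Label, str], bool] = bell_lapadula) -> bool:
        allowed = policy(self.subjects[subject], self.objects[obj], op)
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {subject} {op} {obj}")
        return allowed


def demo() -> Dict[str, bool]:
    """Step 1 labels, Steps 2-3 decisions, Step 4 administrative control."""
    rm = ReferenceMonitor()
    admin = "security_admin"
    rm.relabel(admin, "subject", "alice", Label("Top Secret", frozenset({"NATO"})))
    rm.relabel(admin, "subject", "bob", Label("Secret"))
    rm.relabel(admin, "subject", "carol", Label("Top Secret"))   # no NATO compartment
    rm.relabel(admin, "object", "plan.doc", Label("Secret"))
    rm.relabel(admin, "object", "nato_brief.doc", Label("Top Secret", frozenset({"NATO"})))

    # A regular user attempting to downgrade an object is refused (Step 4).
    try:
        rm.relabel("user", "object", "plan.doc", Label("Unclassified"))
        user_relabel_denied = False
    except PermissionError:
        user_relabel_denied = True

    return {
        "bob_reads_topsecret": rm.check("bob", "nato_brief.doc", "read"),    # no read up
        "alice_reads_secret": rm.check("alice", "plan.doc", "read"),         # clearance dominates
        "alice_writes_secret": rm.check("alice", "plan.doc", "write"),       # no write down
        "bob_writes_topsecret": rm.check("bob", "nato_brief.doc", "write"),  # writing up is allowed
        "carol_reads_nato": rm.check("carol", "nato_brief.doc", "read"),     # missing compartment
        "user_relabel_denied": user_relabel_denied,
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {allowed}")
```

Note that the compartment check is what makes the ordering a lattice rather than a simple ladder: carol holds a higher level than bob yet is still denied the NATO brief, because dominance requires both the level and every compartment. Biba reuses the same dominance test on a separate integrity lattice with the read and write directions swapped, which is why the two models are easy to confuse on the exam.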
MAC vs. DAC – Key Differences
- In DAC, the data owner decides who can access resources. In MAC, the system decides based on labels and policies.
- DAC is more flexible but less secure. MAC is more rigid but provides stronger security guarantees.
- In DAC, users can transfer or delegate permissions. In MAC, users cannot alter access controls.
- MAC is typically used in high-security environments; DAC is common in commercial and general-purpose systems.
MAC vs. RBAC
- Role-Based Access Control (RBAC) assigns permissions based on organizational roles rather than security labels.
- RBAC is considered non-discretionary but is not the same as MAC. RBAC does not use classification or clearance labels.
- MAC is more restrictive and is specifically designed for environments requiring formal security models.
Exam Tips: Answering Questions on Mandatory Access Control (MAC)
1. Remember the defining feature: MAC is system-enforced, not user-enforced. If a question describes a scenario where the system or operating system controls access based on labels, the answer is MAC.
2. Labels are the hallmark of MAC: Whenever you see references to sensitivity labels, classification levels, clearance levels, or security labels, think MAC.
3. Users cannot change permissions in MAC: If a question asks which model prevents users from modifying access controls or sharing access with others, the answer is MAC. In DAC, users can change permissions because they own the data.
4. Associate MAC with the Bell-LaPadula Model: Questions about "no read up" and "no write down" are tied to Bell-LaPadula, which is a MAC-based confidentiality model. If the question focuses on integrity, think Biba Model.
5. Know the environment: MAC is used in military, government, and high-security environments. If a scenario describes classified data handling, choose MAC.
6. Distinguish MAC from RBAC: Both are non-discretionary, but they work differently. MAC uses labels; RBAC uses roles. Do not confuse them. If the question mentions roles or job functions, it is likely RBAC. If it mentions clearance or classification, it is MAC.
7. Understand the lattice concept: MAC is often described using a lattice-based model. The lattice defines upper and lower bounds of access. Subjects can only access objects that fall within their authorized range on the lattice.
8. Watch for tricky wording: Some questions may describe a scenario and ask you to identify the access control model. Focus on who makes the access decision: if it is the system based on predefined labels, it is MAC. If it is the owner of the resource, it is DAC. If it is based on roles, it is RBAC. If it is based on attributes and policies evaluated in real time, it could be ABAC.
9. Know real-world implementations: Be familiar with SELinux as a prominent example of MAC. Questions may reference it as a practical implementation.
10. Remember the trade-off: MAC offers strong security but at the cost of flexibility and administrative overhead. It is the most restrictive model. If a question asks which model is the most restrictive or provides the strongest protection, choose MAC.
Summary: Mandatory Access Control is a system-enforced, label-based access control mechanism that provides the highest level of data protection by preventing users from altering security policies. For the SSCP exam, focus on understanding how labels and clearances work, the Bell-LaPadula and Biba models, and the key differences between MAC, DAC, and RBAC. Recognizing the keywords—labels, classification, clearance, system-enforced—will help you quickly identify MAC-related questions and select the correct answers.