For full text search please use the '?' prefix. e.g. ? Onboarding

Mandatory Access Control (MAC)

Présentation 1

  • A central authority regulates access rights based on multiple levels of security. MAC involves assigning classifications to system resources and the security kernel or operating system. Only users or devices with the required information security clearance can access protected resources. Organizations with varying levels of data classification, like government and military institutions, typically use MAC to classify all end users. You can use role-based access control to implement MAC.

  • Avec ce modèle, un administrateur système attribue à chaque utilisateur et objet un niveau de sécurité et une catégorie. Le système d'exploitation compare automatiquement les deux niveaux et attribue ou non l'accès.

Présentation 2

Access rights are regulated by a central authority based on multiple levels of security.

MAC is common in government and military environments where classifications are assigned to system resources and the operating system or security kernel will grant or deny access based on the user's or the device's security clearance.

It is difficult to manage but its use is justified when used to protected highly sensitive data.

Présentation 3

Do not confuse this with Apple MAC, this model is not even remotely related to it. This model is the complete opposite of the DAC model. In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. An operating system that is based on a MAC model greatly reduces the number of rights, permissions, and functionality a user has for security purposes.

You would have surely seen movies where Ethan Hunt or Jason Bourne try to access top secret or confidential files which they do not have access too. Well, the MAC model uses security labels to help implement it. Security labels are attached to all objects; thus, every file, directory, and the device has its own security label with its classification information. Now Jason Bourne may have a security clearance of secret, but in order to find his identity, his requests may have a security label with the classification of top secret. In this case, he will be denied because his clearance is not equivalent or does not dominate (is not equal to or higher than) the classification of the object.

This type of model is used in environments where information classification and confidentiality is of utmost importance, such as military institutions, government agencies, and government contract companies.

The problem with DAC was that the malware could inherit all permissions which the user had and could install itself on the system. However, in the MAC systems, this isn't the case. Since users that work within a MAC system cannot install software, the operating system does not allow any type of software, including malware, to be installed while the user is logged in. But while MAC systems might seem an answer to all our security prayers, they have very limited user functionality, require a lot of administrative overhead, are very expensive, and are not user-friendly. DAC systems are general-purpose computers, while MAC systems serve a very specific purpose.

Backlinks