Which of the following would be used to implement Mandatory Access Control (MAC)?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
The lattice is a mechanism use to implement Mandatory Access Control (MAC) Under Mandatory Access Control (MAC) you have: Mandatory Access Control - UnderNon Discretionary Access Control (NDAC) you have: Rule-Based Access Control - Role-Based Access Control - Under Discretionary Access Control (DAC) you have: Discretionary Access Control - The Lattice Based Access Control is a type of access control used to implement other access control method.A lattice is an ordered list of elements that has a least upper bound and a most lower bound.The lattice can be used for MAC, DAC, Integrity level, File Permission, and more For example in the case of MAC, if we look at common government classifications, we have the following: TOP SECRET - SECRET -----------------------I am the user at secret CONFIDENTIAL - SENSITIVE BUT UNCLASSIFIED - UNCLASSIFIED - If you look at the diagram above where I am a user at SECRET it means that I can access document at lower classification but not document at TOP SECRET.
The lattice is a list of ORDERED ELEMENT, in this case the ordered elements are classification levels.My least upper bound is SECRET and my most lower bound is UNCLASSIFIED.
However the lattice could also be used for Integrity Levels such as: VERY HIGH - HIGH - MEDIUM----------I am a user, process, application at the medium level LOW - VERY LOW - In the case of of Integrity levels you have to think about TRUST.Of course if I take for example the the VISTA operating system which is based on Biba then Integrity Levels would be used.As a user having access to the system I cannot tell a process running with administrative privilege what to do.Else any users on the system could take control of the system by getting highly privilege process to do things on their behalf.So no read down would be allowed in this case and this is an example of the Biba model.
Last but not least the lattice could be use for file permissions: RWX - RW---------User at this level - R - If I am a user with READ and WRITE (RW) access privilege then I cannot execute the file because I do not have execute permission which is the X under linux and UNIX.
Many people confuse the Lattice Model and many books says MAC = LATTICE,however the lattice can be use for other purposes.
There is also Role Based Access Control (RBAC) that exists out there.It COULD be used to simulate MAC but it is not MAC as it does not make use of Label on objects indicating sensitivity and categories.MAC also require a clearance that dominates the object.
You can get more info about RBAC at:http://csrc.nist.gov/groups/SNS/rbac/faq.html#03 Also note that many book uses the same acronym for Role Based Access Control and Rule Based Access Control which is RBAC,this can be confusing.
The proper way of writing the acronym for Rule Based Access Control is RuBAC, unfortunately it is not commonly used.
References: There is a great article on technet that talks about the lattice in VISTA: http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx also see: KRUTZ, Ronald L.
& VINES, Russel.
D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33)
and http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html.
Mandatory Access Control (MAC) is a security model used to control access to system resources based on rules set by a system administrator or security policy. MAC is commonly used in government and military settings, where confidentiality and data protection are critical.
To implement Mandatory Access Control (MAC), the correct answer is C. Lattice-based access control.
Lattice-based access control is a form of MAC that provides a strict hierarchical structure for managing access to system resources. In this model, access to resources is determined by a set of labels assigned to both the users and the resources. The labels define the clearance level of each user and the sensitivity level of each resource.
The security policy is defined by a security administrator and is enforced by a security kernel. The kernel enforces access control decisions based on the user's clearance level and the sensitivity level of the requested resource.
The other options, A. Clark-Wilson Access Control, B. Role-based access control, and D. User dictated access control, are not used to implement Mandatory Access Control (MAC).
Clark-Wilson Access Control is a type of Discretionary Access Control (DAC) that enforces separation of duty, which means that specific users are authorized to perform specific tasks, and these tasks are subject to auditing.
Role-based access control (RBAC) is also a form of DAC, which assigns permissions based on the roles of individual users within an organization.
User dictated access control is a term that is not commonly used in the context of access control models. It may refer to a system where users are allowed to set their own access control rules, which would not be appropriate for a secure environment where access control is enforced through a strict security policy.
In summary, to implement Mandatory Access Control (MAC), the correct option is C. Lattice-based access control.