What Is Mandatory Access Control (MAC)?

Javed Shah

Access control is a security measure that can prevent unauthorized access to sensitive information. But how can mandatory access control help with security?

What is mandatory access control? Mandatory access control (MAC) is a type of access control where the policy administrator, not the user, can grant or restrict access to certain files.

What Is Access Control?

As users navigate through physical and digital systems, they tend to brush up against resources and assets that they should or should not have access to. This is particularly true in digital systems where the lateral movement to different storage, application, or processing areas can lead to dangerous security threats that undermine the entire infrastructure. 

To maintain separation of assets and resources, security administrators use what are known as “access controls” that define who can access those resources. 

Essentially, once a user is authenticated and authorized to enter a system via a user account or identity, an access control system sets conditions that determine who, when, where, and sometimes how that user can navigate the system. 

While this concept seems simple on its surface, there are several different access control schemas that help secure resources against unauthorized access:

Rule-Based Access Control 

This approach grants permissions to users based on a structured set of rules and policies. These rules create a “context” from which resource access can be derived. These rules are laid out in an Access Control List (ACL) attached to an “object” (the resource, whether it’s processing permissions, data, account access, etc.).

Some common forms of rule-based access include limiting system access to given times of the day, or locations (for example, limiting access to devices at or near an office location). 

Role-Based Access Control 

Role-based access is an approach where user roles within an organization dictate access permissions. The organization will have a defined organizational hierarchy and a clearly set list of permissions based on roles within that hierarchy. Any user designated within a given role will gain the permissions of that role. 

Role-based access is quite common. The most typical places we find role-based permissions are multi-user systems. For example, a public-facing service provider (like an email or cloud service provider) may have several different types of accounts (users, VIP users, administrators, moderators, etc.), each with their own permissions and access controls. A role-based system would restrict who can access what within that system to allow for a shared space. 

Attribute-Based Access Control

Attribute-based systems are somewhat more granular than both role- and rule-based systems. Attribute-based systems, rather than looking at a list of rules related to resources (like rule systems) or roles (like a role system) can pull dynamic information from user accounts to field more fluid and responsive access systems. 

For example, suppose a company works with classified data. In that case, individual users could receive designations for access to SECRET data designations–this would be an attribute of the user, not a role or a resource.

These access control approaches aren’t necessarily exclusive. For example, it’s possible to use both attribute- and role-based systems to fine-tune the system and data security.

Mandatory Access Control

No matter what the specifics of the control system, at some point, implementation and maintenance fall onto some sort of authority. In Mandatory Access Control (MAC) systems, that authority falls squarely on the shoulders of system administrators. 

The process of access designation follows a similar path across MAC systems:

  • Administrators create, configure, and implement access policies. These policies are based on specific pieces of information–but at this point, the admins are creating the categories themselves (roles, user attributes, resource attributes, etc.). 
  • These administrators implement these access categories where necessary, either as fields of user information, data object metadata, system information, and so on.
  • During authorization, the system will look at the security attributes of the “subject” of access (user, object, system, etc.) and determine whether permission exists. 

Discretionary Access Control

Conversely, Discretionary Access Control (DAC) gives customers and business end-users more capabilities in terms of setting their own access controls. While a security administrator may implement roles and permissions throughout the system, the user may override those permissions to grant access to individual users who, based on their business credentials, should actually have access. 

This approach can provide some flexibility in terms of how a business gives access to users. However, it also creates potential vulnerabilities when local business administrators fail to update or configure their local permissions. This makes DAC a high-maintenance solution that, while flexible, needs regular attention. 

What Are the Differences Between Mandatory and Discretionary Access Control?

MAC and DAC are rather polarized. While some access control schemes can work together in some capacity, it’s relatively difficult (if not impossible) to effectively field both DAC and MAC without stepping over one another. 

With that said, these incompatibilities are partly due to the differences between the two approaches. Mandatory and Discretionary differ in a few key ways:

  • Protection: Mandatory discretion offers more stable and predictable protection when implemented well. Discretionary access control can provide key flexibility for an organization but also introduce potential conflicts between individual and organization-wide permissions.
  • User Control: Additionally, mandatory controls aren’t incredibly flexible outside of their schema, and for a good reason–to address security issues related to access from an organizational level. However, there are legitimate instances where individuals in an organization should receive access to specific resources even if their role or user attributes don’t allow it. 
  • Maintainability: Mandatory access controls are typically formulated from the top-down and centrally planned. That means that they can support robust authorization throughout a system, with security and regulatory demands implemented in one place.
    On the other hand, DAC can get messy if an end-user is implementing local access control haphazardly or without maintaining their permissions list in cases where employees leave the company or are terminated. 

Support Effective Mandatory Access Control with Powerful 1Kosmos Identity Management

Strong authentication and identity management are the cornerstones of any good access control system. With these controls in place, your organization can ensure that only real and authorized users navigate your systems through sufficient physical and logical access. 

1Kosmos provides a streamlined user experience with biometric, passwordless authentication and liveness-testing measures to ensure that users are who they say they are. Through this, you can build mandatory and other access controls. 

With 1Kosmos BlockID, you get the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone. 
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user. 
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target. 
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK. 

Learn more about 1Kosmos Physical and Logical Access control by clicking here.

 

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More

Expert Insights in Your Inbox

Subscribe to the blog
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.