Under the mandatory access control model, also known as MAC, both users and resources are assigned security labels. To access a resource, the user must have a security clearance matching or exceeding the resource’s security classification.
Unlike under discretionary access control, users under mandatory access control cannot readily hand out access at their discretion. Instead, access is set by a high-level administrator. Under many MAC systems, obtaining a new security clearance often requires the approval of multiple administrators and security professionals.
Mandatory access control is a highly secure access control model, making it the model of choice for matters of national security. However, it is highly bureaucratic by nature, and can be burdensome to maintain. Though it can be absolutely worth it to protect critical assets, its inflexibility makes mandatory access control a poor fit for many business applications.
How Mandatory Access Control Works
Mandatory access control relies on a system of security labels. Every resource under MAC has a security classification, such as Confidential, Secret, or Top Secret. Likewise, every user has one or more security clearances. To access a given resource, the user must have a clearance matching or exceeding the resource’s classification. So if Greg wants to access a Secret file on the Hoover Dam, he would need to have a Secret or Top Secret security clearance on that topic.
These security labels tend to be fairly specific. Greg’s Top Secret clearance for the Hoover Dam would not grant him access to the nuclear plant in Poughkeepsie. Instead, he would have to apply for an additional security clearance to access resources pertaining to the Poughkeepsie Nuclear Plant.
These national security designations each have a clear definition, as defined by the Code of Federal Regulations:
Top Secret refers to that national security information which requires the highest degree of protection, and shall be applied only to such information as the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security. Examples of exceptionally grave damage include armed hostilities against the United States or its allies, disruption of foreign relations vitally affecting the national security, intelligence sources and methods, and the compromise of vital national defense plans or complex cryptologic and communications systems. This classification shall be used with the utmost restraint.
Secret refers to that national security information or material which requires a substantial degree of protection, and shall be applied only to such information as the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security. Examples of serious damage include disruption of foreign relations significantly affecting the national security, significant impairment of a program or policy directly related to the national security, and revelation of significant military plans or intelligence operations. This classification shall be used sparingly.
Confidential refers to other national security information which requires protection, and shall be applied only to such information as the unauthorized disclosure of which could reasonably be expected to cause identifiable damage to the national security.
Any resource with no security classification is considered unclassified and is available to the public. Note that ‘unclassified’ is not itself a security label; rather, it is the absence of one. A resource cannot be assigned an unclassified label. But by being stripped of its security label, it becomes unclassified.
Security classifications can change over time – in fact, they’re designed to change. All classified documents undergo an automatic classification review after 25 years, after which most documents are declassified. There are nine exemptions that can prevent a document from being declassified. But at the 50-year mark, only two of these exemptions remain valid, and at the 75-year mark, a document can only remain classified via special permission.
The Need-to-Know Principle
To ensure maximum security, mandatory access control often goes hand-in-hand with the need-to-know principle. This rule holds that users should only have access to the resources they need to do their job. To access something under a strict MAC system, you would need not only the right clearance, but also a clear justification as to why you need to access the resource.
Under mandatory access control, obtaining a new security clearance often requires multiple levels of approval. To obtain a new security clearance on the Poughkeepsie plant, for instance, Greg would ask a security officer who would then submit a request to a higher-up official. This official would then submit their approval to an IT officer, who would then put the new clearance into effect.
Even with those layers of approval, Greg would still have to provide a need-to-know justification each time he wanted to access classified resources pertaining to the Poughkeepsie plant.
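The label check described above, written out as an added example (this code is not part of the original article). It models a clearance as a level plus the compartments it covers, so Greg’s Top Secret clearance on the Hoover Dam does not reach the Poughkeepsie plant, treats an unlabelled resource as unclassified, and refuses labelled resources when no need-to-know justification is supplied. The LEVELS tuple and the reason strings are assumptions; any ordered set of levels can be substituted.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, Optional, Tuple

# Classification levels ordered from least to most sensitive (assumed
# ordering; any ordered tuple of level names works the same way).
LEVELS = ("Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    """A security label: a level plus the compartments (topics) it covers."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def rank(self) -> int:
        return LEVELS.index(self.level)


def dominates(clearance: Label, classification: Label) -> bool:
    """A clearance dominates a classification when its level is at least as
    high AND it covers every compartment the resource is tagged with."""
    return (clearance.rank() >= classification.rank()
            and classification.compartments <= clearance.compartments)


def check_access(clearances: Iterable[Label], resource: Optional[Label],
                 justification: str = "") -> Tuple[bool, str]:
    """Reference-monitor decision plus a reason string for the audit log.

    resource=None models a resource carrying no label at all: it is
    unclassified and open to everyone, so no clearance is consulted.
    """
    if resource is None:
        return True, "unclassified: no label, public"
    if not justification.strip():
        return False, "denied: need-to-know justification missing"
    if any(dominates(c, resource) for c in clearances):
        return True, f"granted: clearance dominates {resource.level}"
    return False, "denied: no clearance dominates the resource label"


# Constructed sample data: Greg holds Top Secret on the Hoover Dam only.
GREG = (Label("Top Secret", frozenset({"Hoover Dam"})),)
DAM_FILE = Label("Secret", frozenset({"Hoover Dam"}))
PLANT_FILE = Label("Confidential", frozenset({"Poughkeepsie Nuclear Plant"}))

if __name__ == "__main__":
    print(check_access(GREG, DAM_FILE, "spillway inspection report"))
    print(check_access(GREG, PLANT_FILE, "reactor audit"))  # wrong compartment
    print(check_access(GREG, DAM_FILE))                      # no justification
    print(check_access(GREG, None))                          # unclassified
```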
As you can see, mandatory access control demands a great deal of bureaucracy. While it’s worth it to protect matters of national security, all this administrative upkeep can make MAC impractical for most business uses.
Commercial Security Labels
When businesses implement mandatory access control, they often classify data based on the following levels of access:
- Internal information is open to employees. This might include company newsletters or announcements. At companies with a high degree of transparency, it can even include information such as detailed revenue breakdowns. Though this information is not publicly available, it would not cause tangible harm to the company if made public.
- Confidential or Sensitive information requires a specific authorization to access. This can include information such as company strategy, product plans, and any dealings that have not yet been announced to the company at large. This information could cause serious damage to the company if made public.
- Restricted or Highly Sensitive information would cause serious damage to the company if made public. This includes personally identifiable information such as Social Security numbers and credit card numbers, the exposure of which would also present a serious legal risk to the company.
Alternatives to Mandatory Access Control
Mandatory access control comes with some real strengths and weaknesses. It’s the most secure access control model, which is why it is the method of choice for sensitive government matters. But it’s also a very involved and bureaucratic system, making it a poor fit for many business uses.
More frequently, businesses will use the more flexible discretionary access control model. Under this system, every resource has an owner, who can then give out access at their discretion. Though this model is very flexible, it can often be very insecure if not implemented correctly. It can also get pretty convoluted as it scales – it’s much easier to manage a company with 20 employees than one with 1,000 employees, especially when each of those employees might be the owner of specific resources.
Many businesses use role-based access control. This model allows a company to group users, and then set access based on those groups or roles. An employee in the marketing group, for instance, would have access to the resources they need to accomplish their work in marketing.
These systems are not mutually exclusive. It might make sense to implement discretionary access control across a company, for instance, and then layer in mandatory access control to protect the most sensitive assets, such as customers’ personal information.
The Windows operating system does this. Though Windows operates on a foundation of discretionary access, the operating system itself and its security features are protected under a system of mandatory access control. By implementing an extra layer of security around these key areas, Microsoft was able to seriously reduce the number of malware attacks happening in Windows, shoring up a critical vulnerability through a combination of access control models.