A technician wants to implement a dual factor authentication system that will enable the organization to
authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented
during the authorization stage?
Mandatory access control
Role-based access control
This question is asking about “authorization”, not authentication.
Mandatory access control (MAC) is a form of access control commonly employed by government and military
environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a
user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security
domains, or classifications.
MAC can also be deployed in private sector or corporate business environments. Such cases typically involve
the following four security domain levels (in order from least sensitive to most sensitive):
A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label—in
other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels.
The name of the clearance level is the same as the name of the sensitivity label assigned to objects or
resources. A person (or other subject, such as a program or a computer system) must have the same or
greater assigned clearance level as the resources they wish to access. In this manner, access is granted or
restricted based on the rules of classification (that is, sensitivity labels and clearance levels).
MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned
classifications and the resulting granting and restriction of access can’t be altered by users. Instead, the rules
that define the environment and judge the assignment of sensitivity labels and clearance levels control
MAC isn’t a very granularly controlled security environment. An improvement to MAC includes the use of need
to know: a security restriction where some objects (resources or data) are restricted unless the subject has a
need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they’re
compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain).
The need to know is a rule in and of itself, which states that access is granted only to users who have been
assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of
clearance, without need to know, they’re denied access. Need to know is the MAC equivalent of the principle of
least privilege from DAC.
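
The MAC rule and its need-to-know refinement described above can be written as a single authorization check. This is an added example, not part of the original explanation; the level names, compartment names, subjects and resources are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder levels, ordered least to most sensitive.
# They stand in for whatever classification scheme the organization defines.
LEVELS = {"level-1": 1, "level-2": 2, "level-3": 3, "level-4": 4}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                         # clearance level assigned by policy
    need_to_know: frozenset = frozenset()  # compartments tied to assigned work tasks


@dataclass(frozen=True)
class Resource:
    name: str
    label: str                             # sensitivity label assigned by policy
    compartments: frozenset = frozenset()  # empty means not compartmentalized


def mac_decision(subject, resource):
    """Return (allowed, reason) under MAC with need to know."""
    # Fail closed on any label the policy does not define.
    if subject.clearance not in LEVELS or resource.label not in LEVELS:
        return False, "unknown label"
    # Rule 1: clearance must be the same as or greater than the sensitivity label.
    if LEVELS[subject.clearance] < LEVELS[resource.label]:
        return False, "insufficient clearance"
    # Rule 2: every compartment on the object needs a matching need to know,
    # even when the clearance check has already passed.
    missing = resource.compartments - subject.need_to_know
    if missing:
        return False, "no need to know: " + ", ".join(sorted(missing))
    return True, "granted"


# Constructed sample data.
payroll_db = Resource("payroll-db", "level-3", frozenset({"payroll"}))
handbook = Resource("handbook", "level-1")
alice = Subject("alice", "level-3", frozenset({"payroll"}))
bob = Subject("bob", "level-4")    # highest clearance, no payroll task
carol = Subject("carol", "level-2", frozenset({"payroll"}))

if __name__ == "__main__":
    for s in (alice, bob, carol):
        for r in (payroll_db, handbook):
            print(s.name, r.name, mac_decision(s, r))
```

Neither rule is something the subject can change: the labels, clearances and compartment assignments all live in policy data, which is what makes the control mandatory.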