PrepAway - Latest Free Exam Questions & Answers

Which of the following should be implemented during the authorization stage?

A technician wants to implement a dual factor authentication system that will enable the
organization to authorize access to sensitive systems on a need-to-know basis. Which of the
following should be implemented during the authorization stage?

A. Biometrics

B. Mandatory access control

C. Single sign-on

D. Role-based access control

Explanation:
This question is asking about “authorization”, not authentication.
Mandatory access control (MAC) is a form of access control commonly employed by government
and military environments. MAC specifies that access is granted based on a set of rules rather
than at the discretion of a user. The rules that govern MAC are hierarchical in nature, and the
classification levels they define are often called sensitivity labels, security domains, or classifications.

MAC can also be deployed in private sector or corporate business environments. Such cases
typically involve the following four security domain levels (in order from least sensitive to most
sensitive):
Public
Sensitive
Private
Confidential
A MAC environment works by assigning subjects a clearance level and assigning objects a
sensitivity label; in other words, everything is assigned a classification marker. Subjects or users
are assigned clearance levels. The name of each clearance level is the same as the name of the
sensitivity label assigned to objects or resources. A person (or other subject, such as a program or
a computer system) must have an assigned clearance level equal to or greater than that of the
resources they wish to access. In this manner, access is granted or restricted based on the rules of
classification (that is, sensitivity labels and clearance levels).
MAC is named as it is because the access control it imposes on an environment is mandatory. Its
assigned classifications, and the resulting granting and restriction of access, can’t be altered by
users. Instead, the rules that define the environment and govern the assignment of sensitivity labels
and clearance levels control authorization.
MAC isn’t a very granularly controlled security environment. An improvement to MAC is the
use of need to know: a security restriction under which some objects (resources or data) are restricted
unless the subject has a need to know them. The objects that require a specific need to know are
assigned a sensitivity label, but they’re compartmentalized from the rest of the objects with the
same sensitivity label (in the same security domain). Need to know is a rule in and of itself,
which states that access is granted only to users who have been assigned work tasks that require
access to the cordoned-off object. Even if users have the proper level of clearance, without need
to know they’re denied access. Need to know is the MAC equivalent of the principle of least
privilege from DAC.
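The two rules described above (clearance must equal or exceed the sensitivity label, and need to know compartmentalizes objects within the same level) can be written as a small decision function. The following is an added illustration, not code from PrepAway or from any exam vendor; the Label, Subject and authorize names, the compartment names (HR, M&A) and the sample users are all constructed for this example.

```python
"""Toy MAC decision function: clearance level plus need-to-know compartments.

Illustrative code only (not from PrepAway or any exam vendor). Names such as
Label, Subject and authorize are this example's own.
"""
from dataclasses import dataclass

# The four private-sector security domain levels named in the explanation,
# ordered least to most sensitive. The rank is what makes the labels
# hierarchical: a clearance dominates a label if its rank is the same or higher.
LEVELS = {"Public": 0, "Sensitive": 1, "Private": 2, "Confidential": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label assigned to an object (file, record, host).

    compartments models need to know: objects in the same security domain can
    still be cordoned off from each other by requiring a compartment.
    """
    level: str
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Subject:
    """A user, program or system with a clearance and granted compartments."""
    name: str
    clearance: str
    need_to_know: frozenset = frozenset()


def authorize(subject: Subject, label: Label) -> tuple[bool, str]:
    """Return (granted, reason).

    The policy is fixed by the level ranking and the compartment rule; neither
    the subject nor an object owner can change it, which is what makes the
    control mandatory rather than discretionary.
    """
    if subject.clearance not in LEVELS or label.level not in LEVELS:
        return False, "unknown classification marker"
    # Rule 1: the clearance must be the same as or higher than the label.
    if LEVELS[subject.clearance] < LEVELS[label.level]:
        return False, f"clearance {subject.clearance} below label {label.level}"
    # Rule 2: need to know. Every compartment on the object must also be
    # held by the subject; clearance alone is not enough.
    missing = label.compartments - subject.need_to_know
    if missing:
        return False, "no need to know for " + ", ".join(sorted(missing))
    return True, "granted"


# Constructed sample objects and subjects (not from any real system).
PAYROLL = Label("Confidential", frozenset({"HR"}))
PRESS_RELEASE = Label("Public")
MERGER_MEMO = Label("Confidential", frozenset({"M&A"}))

ALICE = Subject("alice", "Confidential", frozenset({"HR"}))  # cleared, HR only
BOB = Subject("bob", "Private")                               # one level short
CAROL = Subject("carol", "Confidential")                      # cleared, no compartments

OBJECTS = (("payroll", PAYROLL), ("press", PRESS_RELEASE), ("merger", MERGER_MEMO))


def demo() -> dict[str, bool]:
    """Evaluate every subject against every object; return a decision map."""
    decisions = {}
    for subj in (ALICE, BOB, CAROL):
        for obj_name, obj in OBJECTS:
            granted, reason = authorize(subj, obj)
            decisions[f"{subj.name}:{obj_name}"] = granted
            verdict = "ALLOW" if granted else "DENY"
            print(f"{subj.name:6} -> {obj_name:8} {verdict:5} ({reason})")
    return decisions


if __name__ == "__main__":
    demo()
```

Running the script shows the point the explanation makes: carol holds the top clearance yet is denied the payroll record because she lacks the HR compartment, while bob is denied on clearance alone. Note that no object carries an owner field and no call path lets a subject edit LEVELS or a label, which is the mandatory part of MAC.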