Words of the Day: MAC and DAC
Author(s): Dr. Glen E. Newton, Posted on April 14th, 2016
Multiple choice: MAC and DAC are
a.) Cartoon characters in a 1970’s Saturday morning TV show. “Look, Mom, MAC and DAC are teaching the baby bird to fly.”
b.) Common settings for the rotors on the Enigma machine. “Kommander Hessler, I cannot decrypt the message; I must have MAC and DAC reversed.”
c.) The original title of a musical about silent movie mogul Mack Sennett. “Mack, why do you call Mabel ‘Ditzy And Charming’?”
If you selected (a) through (c), you’re just guessing. The correct answer is “(d) Mandatory Access Control and Discretionary Access Control.”
Access control includes capabilities for protecting files that must be shielded from unauthorized reading and malicious or unintentional modification while allowing them to be shared as necessary. This can be achieved by using discretionary access control (DAC) and mandatory access control (MAC). DAC controls are discretionary because the file owner can grant access to other users at his discretion, whereas MAC controls are mandatory because the file owner cannot grant another user the right to override them.
Discretionary access control includes the basic methods of protection, such as object ownership and access control lists found in commodity operating systems such as Microsoft Windows. GUARDFILEs in ClearPath Forward MCP environments are a form of access control list. (See Thinking Security: Can I Get In There)
Access control records in ClearPath Forward OS 2200 are similar to MCP GUARDFILEs and Windows access control lists. They let the file’s owner set controls for who can access the file. They are available in OS 2200 security level 1, the next higher security level above fundamental security. Security level 1 also lets you organize user-ids into groups that are referenced by access control records. This provides a convenient way to give the same access rights to many users while maintaining separate user-ids for system access, billing, and auditing.
Security level 1 lets you implement mandatory access control through clearance levels, a feature that is available only in mission critical operating systems such as OS 2200. Clearance levels can be very useful if you require a hierarchical structure to your access authority. Files are automatically classified in a range from most confidential to public domain depending on the clearance level of the creator and can only be accessed by those who possess a sufficient clearance level.
In security level 2, user-id records identify not only a clearance level range for a user, but also a set of compartments that can be accessed. Compartment sets are another form of mandatory access control. A compartment is a logical grouping based on interest or category, such as accounting, payroll, and personnel. A user can access a file only if his executing compartment set (a subset of all the compartments allowed for his user-id) includes all of the compartments that the file belongs to.
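The sketch below is an added example, not Unisys code or an OS 2200 interface. It models the access decision described above: discretionary access control records (user-id and group entries) combined with mandatory clearance-level and compartment checks that the owner cannot override. All class and function names are hypothetical, and it assumes one numeric clearance per user, where a higher number means more confidential.

```python
# Conceptual model only; every name here is hypothetical, not an OS 2200 API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    user_id: str
    clearance: int                      # assumption: higher = more confidential
    groups: frozenset = frozenset()
    executing_compartments: frozenset = frozenset()

@dataclass
class File:
    owner: str
    clearance: int                      # inherited from the creator at creation time
    compartments: frozenset = frozenset()
    acr: dict = field(default_factory=dict)   # DAC: user-id or group -> set of modes

def create_file(creator, compartments=frozenset()):
    """Classify a new file from its creator's clearance level."""
    return File(creator.user_id, creator.clearance, frozenset(compartments))

def grant(file, requester, principal, modes):
    """DAC: only the owner may edit the access control record."""
    if requester.user_id != file.owner:
        raise PermissionError("only the owner can change the access control record")
    file.acr.setdefault(principal, set()).update(modes)

def mac_allows(user, file):
    """MAC: sufficient clearance and a compartment set covering the file's."""
    return user.clearance >= file.clearance and file.compartments <= user.executing_compartments

def dac_allows(user, file, mode):
    """DAC: owner, or a matching user-id or group entry in the record."""
    if user.user_id == file.owner:
        return True
    principals = {user.user_id} | user.groups
    return any(mode in file.acr.get(p, ()) for p in principals)

def can_access(user, file, mode):
    """Both layers must agree; a DAC grant never overrides a MAC denial."""
    return mac_allows(user, file) and dac_allows(user, file, mode)

def demo():
    alice = User("ALICE", 5, frozenset({"PAYROLL-STAFF"}), frozenset({"payroll", "personnel"}))  # constructed users
    bob = User("BOB", 5, frozenset({"PAYROLL-STAFF"}), frozenset({"payroll"}))
    carol = User("CAROL", 2, frozenset({"PAYROLL-STAFF"}), frozenset({"payroll", "personnel"}))
    dave = User("DAVE", 5, frozenset(), frozenset({"payroll", "personnel"}))
    salaries = create_file(alice, {"payroll", "personnel"})
    grant(salaries, alice, "PAYROLL-STAFF", {"read"})   # one group entry covers many user-ids
    return {u.user_id: can_access(u, salaries, "read") for u in (alice, bob, carol, dave)}
```

In the constructed data, BOB and CAROL hold the owner's group grant but are still denied by the compartment and clearance checks respectively, while DAVE passes both mandatory checks and is denied only because no access control record entry names him.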
ClearPath Forward systems provide for multi-level data confidentiality, integrity, and availability protection. MAC and DAC are components of the defense in depth that provides multiple layers of protection against attacks that can harm your enterprise. From physical security to network perimeter firewalls to safeguards in the hardware, firmware, and software on data center servers, each layer contributes to the safety of your data and your customers’ access to it.
By the way, “MAC” also means “Message Authentication Code” in the context of cryptography; its partner would be HMAC. That’s a topic for another time.