What is a Mandatory Access Control System (MAC)?

Mandatory Access Control (MAC) is a system to allow or deny access to private

information in an organization. What makes MAC different from other system is that it
works on a hierarchy pattern. Under this system, the whole team force must be divided
into categories according to their roles and responsibility and according to the
information they must be allowed to see. To make that happen the administration needs
to put a lot of efforts at the time of planning the information flow properly. It would be
only a one-time effort to set things up in order, after that it would only require updates
as per change in the position/role.

Under MAC, the access flows in a way that an employee with access to higher-level data
will also have access to the data available to their lower-level ranks. If we put it in simple
words, it like a flow chart of information and the person in middle will have access to
ground level data but not any level further up.

Often at workplaces where MAC system is to be used, categorizing the information flow
in different categories like - ground level, confidential, secret and top-secret is
suggested. Every system that an individual might be using would have been given prior
access as per the requirements.
Uses:-

MAC has a wide range of usage in different sectors which requires a system that can
secure confidential data without any constant supervision.
Majorly used in sectors like - government offices, military, health care, financial,
engineering projects, etc.

Advantages:-

 High-level data protection (most secure system among role, mandatory and
discretionary system): With MAC, one can be sure that their most confidential
data is well protected and leaves no room for any leakage.

 Centralized Information: Once data is set in a category it cannot be de-

categorized by anyone other than the head administrator. This makes the whole
system centralized and under the control of only one authority.

 Privacy: Data is set manually by an administrator. No one other than admin can
make changes in category or list of users' accesses to any category. It can be
updated only by admin.

Disadvantages:-

 Careful Setting-Up Process: MAC must be set up with good care otherwise it will
make working chaotic. It is because sometimes a piece of information needs to
be shared among co-workers in the same organization but MAC restricts anyone
to do so.

 Regular Update Required: It requires regular updating when new data is added or
old data is deleted. The administration is required to put some consideration into
the MAC system and ACL list now and then.

 Lack of Flexibility: MAC system is not operationally flexible. It is not an easy task
to initially input all data and create an ACL that won’t create any trouble later.

Conclusion:-

MAC is the most secure system due to which it is recommended in offices where highly
confidential data is needed to be protected and not in any private offices where a less
secure system would be enough.
What is discretionary access control (DAC)?
Discretionary access control decentralizes security decisions to resource owners. The owner
could be a document’s creator or a department’s system administrator. DAC systems use access
control lists (ACLs) to determine who can access that resource. These tables pair individual and
group identifiers with their access privileges.
The sharing option in most operating systems is a form of DAC. For each document you own,
you can set read/write privileges and password requirements within a table of individuals and
user groups. System administrators can use similar techniques to secure access to network
resources.
Advantages of DAC
Conceptual simplicity — ACLs pair a user with their access privileges. As long as the user is in
the table and has the appropriate privileges, they may access the resource.
Responsiveness to business needs — Since policy change requests do not need to go through a
security administration, decision-making is more nimble and aligned with business needs.

Disadvantages of DAC
Over/underprivileged users — A user can be a member of multiple, nested workgroups.
Conflicting permissions may over- or under privilege the user.
Limited control — Security administrators cannot easily see how resources are shared within
the organization. And although viewing a resource’s ACL is straightforward, seeing one user’s
privileges requires searching every ACL.
Compromised security — By giving users discretion over access policies, the resulting
inconsistencies and missing oversight could undermine the organization’s security posture.

What is role-based access control (RBAC)?

Role-based access control grants access privileges based on the work that individual users do. A
popular way of implementing “least privilege‚ policies, RBAC limits access to just the resources
users need to do their jobs.
Implementing RBAC requires defining the different roles within the organization and
determining whether and to what degree those roles should have access to each resource.
Accounts payable administrators and their supervisor, for example, can access the company’s
payment system. The administrators’ role limits them to creating payments without approval
authority. Supervisors, on the other hand, can approve payments but may not create them.
Advantages of RBAC
Flexibility — Administrators can optimize an RBAC system by assigning users to multiple roles,
creating hierarchies to account for levels of responsibility, constraining privileges to reflect
business rules, and defining relationships between roles.
Ease of maintenance — With well-defined roles, the day-to-day management is the routine on-
boarding, off-boarding, and cross-boarding of users’ roles.
Centralized, non-discretionary policies — Security professionals can set consistent RBAC
policies across the organization.
Lower risk exposure — Under RBAC, users only have access to the resources their roles justify,
greatly limiting potential threat vectors.

Disadvantages of RBAC
Complex deployment — The web of responsibilities and relationships in larger enterprises
makes defining roles so challenging that it spawned its own subfield: role engineering.
Balancing security with simplicity — More roles and more granular roles provide greater
security, but administering a system where users have dozens of overlapping roles becomes
more difficult.
Layered roles and permissions — Assigning too many roles to users also increases the risk of
over-privileging users.

What is Privileged Access Management (PAM)?

A recent ThycoticCentrify study found that 53% of organizations experienced theft of privileged
credentials and 85% of those thefts resulted in breaches of critical systems. Privileged access
management is a type of role-based access control specifically designed to defend against these
attacks.
Based on least-privilege access principles, PAM gives administrators limited, ephemeral access
privileges on an as-needed basis. These systems enforce network security best practices such as
eliminating shared passwords and manual processes.

Advantages of PAM
Reduced threat surface — Common passwords, shared credentials, and manual processes are
commonplace even in the best-run IT departments. Imposing access control best practices
eliminates these security risks.
Minimizing permission creep — PAM systems make it easier to revoke privileges when users
no longer need them, thus preventing users from “collecting‚ access privileges.
Auditable logging — Monitoring privileged users for unusual behavior becomes easier with a
PAM solution.

Disadvantages of PAM
Internal resistance — Just as doctors make the worst patients, IT professionals can be resistant
to tighter security measures.
Complexity and cost — Implementing PAM requires investments in time and money within
already-constrained IT departments.
An access control mechanism is a security safeguard (i.e., hardware and software features,
physical controls, operating procedures, management procedures, and various combinations of
these) designed to detect and deny unauthorized access and permit authorized access to an
information system or physical facility.