In: Operations Management
There are several access control models and in class we learnt specifically about 3 flavors: Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Discretionary Access Control (DAC). In your own words differentiate these 3 models. Your answer should include a specific example where a specific model is best.
MAC (Mandatory Access Control): Access is decided by a system-wide policy; individual users do not have the right to alter that access. It relies on the system, not the user, to control access. These mechanisms have been tightly coupled to a few security models, and only a few systems that support flexible security mechanisms have started using it.
DAC (Discretionary Access Control): Here the user can put an access control mechanism in place to allow or deny access to an object. It is the most widely used model in mainstream operating systems because of its flexibility. It also has several drawbacks: since DAC lets users decide the access control policies on their own data, it runs into consistency issues when there is a global policy. And when a malicious program gains access, that program, running as the owner, can change the DAC policies on the owner's behalf.
Role Based Access Control (RBAC): In an organization there are various job functions, and roles are defined based on them. The permissions to perform certain operations are assigned to specific roles. Since users are not assigned permissions directly but only acquire them through their role (or roles), managing individual user rights becomes a matter of simply assigning the appropriate roles to the user's account. This simplifies common operations such as adding a user or changing a user's department. It lets you control access at any level.
For example, if a user belongs to the HR function, they will be given access to the sites they really need, such as naukri.com and monster.com. They do not need access to marketing sites; similarly, someone in marketing does not need access to job sites. So there should be a policy based on the HR role, and a deeper level of access control can be put in place on top of it. This is just to illustrate role based access.
Role based access control is widely used in Microsoft Exchange Server 2013.
Rule Based Access Control (RBAC): This is used to increase application security. Rule based access control dynamically assigns roles to users based on criteria defined by the custodian or system administrator. For example, if someone is only allowed access to files during certain hours of the day, rule based access control would be the tool of choice.
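To make the four models concrete, here is an added example (not part of the original answer) that implements a toy decision function for each one in Python: MAC with system-fixed sensitivity labels and a "no read up" rule, DAC with an owner-controlled access list, RBAC with users acquiring permissions only through roles, and rule based control layered on RBAC with a time-of-day rule. The label lattice, role names, users, sites and the 09:00-17:00 window are all constructed for illustration.

```python
from datetime import time

# --- MAC: labels are assigned by the system; subjects cannot change them ---
# Constructed lattice: higher number = more sensitive.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

def mac_can_read(subject_clearance, object_label):
    """'No read up': a subject may read an object only if its clearance
    dominates the object's label. The policy is fixed system-wide."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# --- DAC: the owner of an object decides who may access it ---
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, perm):
        # Only the owner may change the ACL. Note that anything running *as*
        # the owner (e.g. a Trojan horse) passes this check, which is the
        # weakness the answer describes.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).add(perm)

    def can(self, user, perm):
        return perm in self.acl.get(user, set())

# --- RBAC: permissions attach to roles; users get them only via roles ---
ROLE_PERMS = {
    "hr": {"view_job_sites", "edit_candidates"},
    "marketing": {"view_marketing_sites", "edit_campaigns"},
}

def rbac_can(user_roles, user, perm):
    """user_roles maps user -> set of roles (constructed mapping)."""
    return any(perm in ROLE_PERMS[r] for r in user_roles.get(user, set()))

def change_department(user_roles, user, new_role):
    """Moving a user between departments is just reassigning a role;
    no individual permissions need to be edited."""
    updated = dict(user_roles)
    updated[user] = {new_role}
    return updated

# --- Rule based: a dynamic rule (here, business hours) gates the decision ---
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)  # constructed window

def rule_based_can(user_roles, user, perm, now):
    """Allow only when the role grants the permission AND the time rule holds."""
    in_hours = BUSINESS_START <= now < BUSINESS_END
    return in_hours and rbac_can(user_roles, user, perm)

if __name__ == "__main__":
    roles = {"alice": {"hr"}, "bob": {"marketing"}}  # constructed users
    print("MAC secret reads public:", mac_can_read("secret", "public"))
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("DAC bob can read alice's doc:", doc.can("bob", "read"))
    print("RBAC alice views job sites:", rbac_can(roles, "alice", "view_job_sites"))
    print("Rule based at 20:00:", rule_based_can(roles, "alice", "view_job_sites", time(20, 0)))
```

The contrast worth noticing is who holds the policy: in `mac_can_read` neither party can change `LEVELS`, in `DacObject` the owner alone edits the ACL, in `rbac_can` administrators edit role membership rather than per-user rights, and `rule_based_can` adds a condition evaluated at request time.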
ADDITIONAL INFO:
(a) Mandatory Access Control (MAC):
Advantages:
(i) Higher level of security, since a single administrator controls the access.
(ii) Reduction of security errors.
Disadvantages:
(i) Not flexible.
(ii) Difficult to implement.
(b) Discretionary Access Control (DAC)
Advantages:
(i) Access type can be defined.
(ii) Object ownership transfer between users.
(iii) Access is restricted after several failed attempts.
Disadvantages:
(i) Inherent threats like Trojan horses.
(ii) Difficult to maintain the granting and revoking of permissions.
(c) Role Based Access Control (RBAC)
Advantages:
(i) Less support and administration is required.
(ii) Operational efficiency is high.
(iii) Low cost.
Disadvantages:
(i) Network access monitoring is difficult.
(d) Rule Based Access Control (RBAC)
Advantages:
(i) Provides high flexibility.
(ii) Low cost.
Disadvantages:
(i) Difficult to maintain the deny list.