SSCP Day 16: Security’s Straitjacket: Mandatory Access Control (MAC)

When discussing Authorization Models in SSCP Domain 2: Security Operations and Administration, we explore how systems decide what an authenticated user is allowed to do. While most commercial environments use Discretionary Access Control (DAC), the highest security environments rely on Mandatory Access Control (MAC).

MAC is the most rigid and restrictive access control model available. It is not based on the user’s discretion or ownership; rather, it is enforced system-wide by the operating system or a centralized security authority. For the SSCP, you must understand that MAC is fundamentally about labels and rules applied to every piece of data and every user.


The Core Principle: Labels and Lattice

The MAC model eliminates user choice entirely. Every subject (a user or process) and every object (a file, database record, or resource) is assigned a mandatory security label.

1. Security Labels (The Classification)

The security authority defines a set of classification levels (e.g., Top Secret, Secret, Confidential, Unclassified) and a set of compartments (e.g., Nuclear, Space, Finance).

  • Subject Label: Defines the maximum level of clearance a user has (e.g., a user might be cleared for “Secret / Space”).
  • Object Label: Defines the sensitivity of the resource (e.g., a file is labeled “Confidential / Finance”).

2. The Lattice (The Hierarchy)

The combination of the level and the compartments creates a security lattice. Access is granted only when the subject’s clearance dominates the object’s classification: the subject’s level is equal to or higher than the object’s level, and the subject’s compartments include every compartment on the object (a “Secret / Space” user does not dominate “Confidential / Finance,” because Finance is outside their need-to-know).

Crucially, MAC enforces access based on two fundamental integrity and confidentiality rules, preventing the unauthorized flow of information:

The Two Fundamental MAC Rules

MAC is designed to strictly enforce Confidentiality (preventing information from leaking up to lower clearance levels) and Integrity (preventing unauthorized modification of highly secure objects).

1. The Simple Security Property (Read Rule)

This rule is focused on Confidentiality. It dictates who can read an object:

A subject can only read an object if the subject’s clearance level is equal to or higher than the object’s classification level.

  • No Read Down: A user with a “Secret” clearance cannot read an object labeled “Top Secret.”
  • Yes Read Down: A user with a “Top Secret” clearance can read an object labeled “Secret.” (This is why it’s sometimes called “read down.”)

2. The * (Star) Security Property (Write Rule)

This rule is also focused on Confidentiality. It prevents a subject from copying what it can read at a high level into an object at a lower level, where less-cleared subjects could read it. It dictates who can write to an object:

A subject can only write to an object if the subject’s clearance level is equal to or lower than the object’s classification level.

  • No Write Down: A user with a “Top Secret” clearance cannot write to an object labeled “Secret.” Otherwise the user could copy Top Secret information into a file that every Secret-cleared user is allowed to read.
  • Yes Write Up: A user with a “Secret” clearance can write to an object labeled “Top Secret.” (Information only ever flows to an equal or higher level, which is why the rule is summarized as “no write down.”)

Implementing MAC: Models in Practice

MAC is not typically deployed in standard commercial environments due to its complexity and administrative burden. It is reserved for systems where the security requirement is non-negotiable, such as military, defense, and national security applications.

  • Bell-LaPadula (BLP): The first and most famous MAC model. Its primary focus is Confidentiality (preventing unauthorized read access). It uses the two rules above (Simple and Star Security Properties) to prevent information flow to lower levels.
  • Biba: The Biba model is the inverse of BLP. Its primary focus is Integrity (preventing unauthorized modification). Its rules are the mirror image: “no write up” (a low-integrity subject cannot modify a high-integrity object) and “no read down” (a high-integrity subject does not consume low-integrity data). This prevents a malicious or careless user from injecting low-integrity data into a high-integrity system.
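The lattice, the two Bell-LaPadula rules and the Biba mirror image above, as a single runnable Python example added to these notes (it is not code from the original page or from any SSCP study material). The level names and the “Secret / Space” and “Confidential / Finance” labels are the ones used earlier; the `Label` class, the `Level / Compartment, Compartment` text format accepted by `parse_label`, and the `decide` and `blp_visible` helpers are my own conventions. The example goes slightly beyond the prose by showing that compartments are checked as a set, so a higher level alone does not grant access.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Ordered classification levels from the notes; a higher number dominates a lower one.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A mandatory security label: one classification level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: level is equal or higher AND compartments are a superset.
        'Secret / Space' does NOT dominate 'Confidential / Finance' even though Secret
        is above Confidential, because Finance is not in the clearance."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def parse_label(text: str) -> Label:
    """Parse 'Secret / Space, Nuclear' (my own text format) into a Label."""
    level, _, comps = text.partition("/")
    return Label(level.strip(),
                 frozenset(c.strip() for c in comps.split(",") if c.strip()))


# --- Bell-LaPadula: confidentiality ---------------------------------------
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


# --- Biba: integrity, the same lattice read as integrity levels -----------
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property (no read down): the object must dominate the subject."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property (no write up): the subject must dominate the object."""
    return subject.dominates(obj)


CHECKS = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def decide(model: str, op: str, subject: str, obj: str) -> bool:
    """Reference-monitor style decision: every access goes through the label rules;
    ownership and the user's own wishes play no part (that is what makes it MAC)."""
    return CHECKS[(model, op)](parse_label(subject), parse_label(obj))


def blp_visible(subject: str, objects: List[str]) -> List[str]:
    """The subset of labelled objects a subject may read under Bell-LaPadula."""
    return [o for o in objects if decide("blp", "read", subject, o)]


if __name__ == "__main__":
    user = "Secret / Space"
    # Constructed sample objects covering each interesting case of the lattice.
    files = ["Unclassified", "Confidential / Finance", "Secret / Space",
             "Secret / Space, Nuclear", "Top Secret / Space"]
    for f in files:
        print(f"{user!r} -> {f!r}: read={decide('blp', 'read', user, f)} "
              f"write={decide('blp', 'write', user, f)}")
```

Running the block prints one line per object: the Secret / Space user can read Unclassified and Secret / Space, cannot read Confidential / Finance (missing compartment) or anything with Nuclear or Top Secret, and can write only to objects whose label dominates their own, such as Top Secret / Space. Swapping `"blp"` for `"biba"` in `decide` flips every answer, which is the “inverse of BLP” relationship in the bullet above.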

Administrative and Operational Burden

MAC is administered by a centralized authority (usually a Security Policy Administrator) that establishes and maintains the vast number of labels and rules.

  • Pros: Provides the highest level of security assurance and is highly effective at preventing the unauthorized disclosure of information.
  • Cons: Extreme Complexity and High Administrative Overhead. Any new object or user requires the central administrator to assign a label, which can slow down operations significantly.

Resources for Further Study

Understanding the technical rigidity and the specific rules of BLP and Biba is fundamental for the SSCP exam.

Extensive Website References

  • NIST SP 800-192: Security Policy and Model Implementation Guide
    • Reference: Search for “NIST SP 800-192 Access Control Models”
    • Value: Provides a high-level government overview of the differences between MAC, DAC, and Role-Based Access Control (RBAC).
  • The Trusted Computer System Evaluation Criteria (TCSEC) – Orange Book
    • Reference: Search for “TCSEC Orange Book MAC”
    • Value: The foundational document that defined the security requirements for MAC systems, especially those using Bell-LaPadula.
  • CISSP Study Materials on MAC Models
    • Reference: Search for “Bell-LaPadula Biba MAC Explained”
    • Value: While a higher certification, the common explanations of BLP’s “no read up / no write down” and Biba’s “no read down / no write up” rules are essential for the SSCP.

Recommended Video Resources

  • Focus Area: Bell-LaPadula Rules
    • Recommended Video Search Topic: “Bell LaPadula Model Simple Security Star Property”
    • Key Takeaway: A visual explanation of the rules, focusing on how BLP enforces Confidentiality by restricting read access to lower-level subjects.
  • Focus Area: MAC vs. DAC
    • Recommended Video Search Topic: “Mandatory Access Control vs Discretionary Access Control”
    • Key Takeaway: Compares MAC’s system-enforced labels against DAC’s user-driven permissions, highlighting why MAC is the more secure choice.
  • Focus Area: The Biba Model
    • Recommended Video Search Topic: “Biba Integrity Model Explained”
    • Key Takeaway: Focuses on the “no read down” and “no write up” rules that prevent the mixing of high-integrity data with low-integrity data, prioritizing Integrity.