A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage?
A. Biometrics
B. Mandatory access control
C. Single sign-on
D. Role-based access control
Correct Answer: A
Section: Access Control and Identity Management
This question is asking about “authorization”, not authentication.
Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications.
MAC can also be deployed in private sector or corporate business environments. Such cases typically involve the following four security domain levels (in order from least sensitive to
A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label—in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels).
MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can’t be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization.
MAC isn’t a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they’re compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain). The need to know is a rule in and of itself, which states that access is granted only to users who have been assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of clearance, without need to know, they’re denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC.
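As an added worked example (not from the review guide or the original page), the clearance-versus-label check and the need-to-know compartment rule described above, in Python. The level names, subjects, objects and the "project-x" compartment are constructed for illustration; the point shown is that a subject with a high enough clearance but no need to know is still denied.

```python
from dataclasses import dataclass

# Constructed hierarchy of sensitivity labels / clearance levels, least to most
# sensitive (an assumption for this example; the page does not list its own four).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label (on an object) or a clearance (on a subject):
    a hierarchical level plus the set of need-to-know compartments held."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Hierarchical rule: level must be the same or greater than the object's ...
        # Need-to-know rule: ... and every compartment on the object must be held.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_read_allowed(clearance: Label, sensitivity: Label) -> bool:
    """Authorization decision: read access only when the subject's clearance
    dominates the object's label. The rule is fixed; users cannot relax it."""
    return clearance.dominates(sensitivity)


# Constructed subjects and objects for the demonstration.
SUBJECTS = {
    "analyst":  Label("secret", frozenset({"project-x"})),  # cleared and read in
    "director": Label("top secret"),                        # higher clearance, no need to know
    "clerk":    Label("confidential"),
}
OBJECTS = {
    "budget.xlsx": Label("confidential"),
    "plan.docx":   Label("secret", frozenset({"project-x"})),  # compartmentalized object
    "roster.txt":  Label("secret"),
}


def access_matrix() -> dict:
    """Every subject/object pair evaluated under the MAC rule above."""
    return {s: {o: mac_read_allowed(SUBJECTS[s], OBJECTS[o]) for o in OBJECTS}
            for s in SUBJECTS}


if __name__ == "__main__":
    for subject, decisions in access_matrix().items():
        print(subject, decisions)
```

The director row is the case the text describes: "top secret" dominates "secret" on level, yet plan.docx is refused because the director was never assigned the project-x need to know.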
A: Biometrics is used in authentication. Biometrics includes fingerprints and retina scans. This question is asking about “authorization”, which generally comes after authentication.
C: Single sign-on is used to access multiple systems with a single login. Single sign-on is used for authentication, not authorization.
D: Role-based access control (RBAC) defines access to resources based on job role. We need to authorize access to sensitive systems on a need-to-know basis. Therefore, the default access should be “no access” unless the person can prove a ‘need to know’. RBAC would give everyone performing a role access to the sensitive system.
Stewart, James Michael. CompTIA Security+ Review Guide. Sybex, Indianapolis, 2014, pp. 278-284.