Mac vs dac vs rbac

Sachin Work:

Access control is one of the standard services administered by any Data Management System (DMS). Its overall goal is to secure the distributed data from unauthorized or unauthenticated operations. This discussion will discuss the differences between and advantages of MAC, DAC, and RBAC.

Before RBAC, universally implemented methods of access control were traditional DAC and MAC. The availability of RBAC does not prevent the need for MAC and DAC methods, however. "Whenever privacy and data flow are main concerns, these traditional access control systems may be needed"(Ferraiolo, Kuhn, & Chandramouli, 2007), especially for military and government systems that require multilevel secure MAC controls for highly confidential information. Thus, it is essential to know the relationship between RBAC, MAC, and DAC approaches to access control.

MAC makes choices based upon labeling and next permissions. DAC makes choices based upon permissions individually. RBAC makes decisions based on roles. Although mandatory policies (MAC) provide more robust security guarantees than DAC, they are still vulnerable to security threats originated by covert channels. A covert channel allows the transfer of information that violates the security policy

One of DAC's advantages (discretionary access control) is its adaptability in terms of the access control requirements it can support. Indeed, by correctly configuring the authorization state, various confidentiality/integrity requirements can be created. Therefore "DAC has been adopted by most commercial DMSs and supported by the SQL standard"(Ferrari, 2010). DAC gives for owner-controlled administration of access rights to objects. However, one of the disadvantages of DAC is that it doesn't provide great control on the data flow inside the system. Indeed, once an authenticated subject has obtained access to an object, it can transfer the data it contains to an unauthorized subject (for instance, by writing such data into different objects) without bypassing the checks performed by the reference monitor. This makes DAC unsafe to malicious attacks, such as Trojan Horses embedded in application code. For example, if a user opens an infected attachment with a virus, the code can install itself in the background without the user being aware of this action. This code inherits all the permissions that the user has and can carry out all the actions a user can perform on the system.

One challenging problem in handling a large environment is the complexity of security administration. Security administration requires, among other tasks, assigning and revoking permissions to subjects on the objects to be protected. Whenever the number of subjects and objects remains high, such grants can become extremely large. RBAC's advantages are the use of roles which has several well-recognized advantages. Because roles describe organizational functions, and "RBAC model makes the mapping of group access control policies onto a set of permissions easier"(Samarat, 2015). Permission administration is also greatly simplified. First of all, the amount of roles is usually much less than the number of users, and it is simple to add or remove the user from a role. RBAC is more common than both MAC and DAC. Unlike MAC, which was intended to prevent unauthorized data flow, RBAC is policy-independent, meaning that it can sustain a mixture of policies.

References:

Ferrari, E. (2010). Access Control in Data Management Systems. Morgan & Claypool Publishers.

Ferraiolo, D. F., Kuhn, D. R., & Chandramouli, R. (2007). Role-based access control.

Samarati, P. (2015). Data and Applications Security and Privacy XXIX. Springer.

Naren Work:

MAC vs. DAC vs. RBAC

Mandatory Access Controls (MAC) and Discretionary Access Controls (DAC) represent the permissions required to access an object in relation to other objects. However, Role-Based Access Controls describe the grouping of identities and application of permissions to the groups. MAC is an access control framework in which the operating system provides users with access based on data confidentiality and user clearance. It is considered to be the most secure access control model. DAC is identity-based and provides users with some control over their data. In the DAC model, access control is at the owner’s discretion, and the object owner has the authority to control access of the object. According to Cho (2018), “DAC models enforce access controls based on user identities, object ownership, and permission delegation” (p.2). RBAC restricts access to networks based on the role of individuals within an organization. This means that the individuals are only authorized to access information that they need to perform their roles and responsibilities effectively.

There are differences between these three access control models. In MAC, users are given permissions to resources by an administrator. In DAC, access to resources is based on the user’s identity, while in the RBAC model, access to resources is based on the user’s role. In DAC, a user is granted permission to a resource by being placed on an access control list (ACL). In RBAC, users are assigned a role that contains a certain predetermined right and privileges by the administrator. Under RBAC, users may only be given a single role in an organization. The DAC model is based on resource ownership. In the MAC model, only administrators can modify an object’s security label or a user’s clearance. This is that “Mandatory (MAC) policies control access based on mandated regulations determined by a central authority” (Samarati & Vimercati, 2000, p.139). Unlike MAC, where access to system resources is under the control of a system administrator, DAC allows each user to control access to their own data.

These three access control models bring numerous benefits to a security system. One of the primary advantages of MAC is its high level of data protection, as an administrator defines access to objects, and users are unable to alter that access. Moreover, an administrator sets user access rights and object access parameters manually. In MAC, users cannot declassify data or share access to critical data. DAC, on the other hand, is easy to maintain and more flexible since adding new objects and users take less time for the administrator. It is also user friendly since users are able to manage their data and quickly access the data of other users. This implies that “In DAC, users as the complete authority over all resources it owns and also determines the permissions for other users who have those resources and programs” (Swapnaja et al., 2014, p.6). RBAC enables users to easily integrate third-party users into the network by providing them with predefined roles. Furthermore, with an RBAC system in place, organizations can easily meet statutory and regulatory requirements for privacy and confidentiality since IT departments and executives are able to manage the access and use of data.

Security professionals need to understand how these different access control methods work and how to implement them depending on their security culture. These models are often designed into the core of different operating systems and supporting applications. The access control to use often depends on the specific situation and context an organization is considering. According to Phillips (2004), the administration of DAC, RBAC, and MAC with delegation should be controlled to ensure that security policies do not alienate from their initial objectives.

References

Cho, S. J. (2018). Discretionary access control.

Phillips, C. E. (2004). Security assurance for a resource-based RBAC/DAC/MAC security model (Doctoral dissertation, University of Connecticut).

Samarati, P., & de Vimercati, S. C. (2000, September). Access control: Policies, models, and mechanisms. In International School on Foundations of Security Analysis and Design (pp. 137-196). Springer, Berlin, Heidelberg.

Ubale, S., A., Modani, D., G., & Apte S. (2014). Analysis of DAC MAC RBAC access control based models for security. International Journal of Computer Applications, 104(5), 6-13.