Discretionary Access Controls (DAC)

Discretionary Access Controls, also known as DAC, are types of cybersecurity measures that allow or restrict access based upon the discretion of the employee as opposed to the file or resource owner. For example, if Bob has administrative rights to his computer, he can install any software he wants at his own discretion. Likewise, if a file folder labeled Human Resources is world-readable on the file server, then employees could access these restricted files at their discretion (risking termination possibly in so doing).  However, it is at the discretion of the employee whether a file is installed or accessed.  In contrast to DAC, mandatory access controls (or MAC) establish technology restrictions preventing employees from installing software on their computer by removing Administrative rights from each end user.  They prevent access to HR files by setting restrictive permissions on the directories in which those files are stored and limit access to HR employees only.  MAC prevents actions from occurring even when an employee attempts them.  DAC allows employee actions to occur even when a governance policy states such activities are not allowed.

What Does This Mean For My SMB?

Setting up Discretionary Access Controls (DACs) is something that every single business should adopt. CyberHoot recommends that MSPs and SMBs establish governance policies to guide employee behaviors and decision-making when MAC controls are not possible.  This would include the following:

1. Adopting a password manager to make compliance to discretionary password length requirements in online SaaS applications easier to accomplish.
2. Guiding and training employees on why the length of a password matters more than complexity so they choose wisely when creating unique passwords for all their individual online accounts.
3. Establishing an Information Handling Policy that requires employees to shred sensitive documents rather than throwing them into the recycle bin.  This same policy prohibits unencrypted emailing of critical and sensitive data.  These are discretionary controls depending upon employee awareness and good behaviors.

Additional Best Practices for Securing MSPs and SMBs

CyberHoot also recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:

• Require two-factor authentication on any SaaS solution or critical accounts
• Require 14+ character Passwords in your Governance Policies
• Train employees to spot and avoid email-based phishing attacks
• Check that employees can spot and avoid phishing emails by testing them
• Backup data using the 3-2-1 method
• Incorporate the Principle of Least Privilege
• Perform a risk assessment every two to three years

To learn more about Discretionary Controls, watch this short video: