Mandatory Access Controls (MAC)

3rd February 2020 | Cybrary

Mandatory Controls, also known as Mandatory Access Controls (MAC), are a type of access control that restricts the user’s ability to access certain restricted data or to perform restricted actions. Privileged Access is often used as a form of mandatory access control, for example, a requirement to be an Administrator or the Root user prevents ordinary users from performing many actions or viewing certain files and directories.

Mandatory controls ensure the enforcement of security parameters are followed regardless of user discretion. Mandatory Access Controls are often set by the company or entity in order to comply with legislative requirements such as HIPAA, PCI, or ITAR. These technical controls do not allow a user to access or grant access to specific files or to perform restricted activities at their own individual discretion. This is in contrast to Discretionary Access Controls (DAC), where users or owners of files or resources can grant access to files, data or resources, at their discretion.

What Does This Mean for My SMB?

Setting up Mandatory Access Controls is something that every single business should adopt. CyberHoot recommends the following MAC prescriptions for MSPs and SMBs:

Remove Administrative Rights to workstations. This prevents accidental malware installation in many cases if a user accidentally launches a malicious program or download.
Review your Data Access permissions and segregate critical Human Resource, Financial, and Intellectual Property data to separate drives, folders, and reduce or remove access permissions to only those with a business justified need for access.

Additionally, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks: