Mandatory Controls, also known as Mandatory Access Controls (MAC), are a type of access control that restricts the user’s ability to access certain restricted data or to perform restricted actions. Privileged Access is often used as a form of mandatory access control, for example, a requirement to be an Administrator or the Root user prevents ordinary users from performing many actions or viewing certain files and directories.
Mandatory controls ensure the enforcement of security parameters are followed regardless of user discretion. Mandatory Access Controls are often set by the company or entity in order to comply with legislative requirements such as HIPAA, PCI, or ITAR. These technical controls do not allow a user to access or grant access to specific files or to perform restricted activities at their own individual discretion. This is in contrast to Discretionary Access Controls (DAC), where users or owners of files or resources can grant access to files, data or resources, at their discretion.
What Does This Mean for My SMB?
Setting up Mandatory Access Controls is something that every single business should adopt. CyberHoot recommends the following MAC prescriptions for MSPs and SMBs:
- Remove Administrative Rights to workstations. This prevents accidental malware installation in many cases if a user accidentally launches a malicious program or download.
- Review your Data Access permissions and segregate critical Human Resource, Financial, and Intellectual Property data to separate drives, folders, and reduce or remove access permissions to only those with a business justified need for access.
Additionally, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years