Your company sells toys online worldwide. Supporting information systems implements DAC, RBAC, ABAC, and RuBAC to mediate access control. The sales manager, as a data owner, is considering authorizing Alice access to the customer profiles. Which of the following is the least concern?
B. Least privilege
C. Conflict of interest
D. Security clearance
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Security clearance.
Mandatory Access Control (MAC) features comparing a subject’s security clearance with an object’s security label to authorize access. MAC can be implemented based on the Bell-Lappadula model or the Brewer-Nash model (The Chinese Wall) for confidentiality, or the Biba model for integrity.
Discretionary Access Control (DAC) is the access control mechanism that authorization is granted based on the data owner’s discretion. The authorization arrangement can be stored in conceptual constructs, e.g., the access control matrix, ACL, and capacity table. The data owner should authorize on the need-to-know basis, follow the principle of least privileges, and consider the conflict of interest (COI), and separation of duties.
RBAC, ABAC, and RuBAC don’t rely on security clearance either.