Which of the following least contributes to access control on a need-to-know basis? (Source: Wentz QOTD)
A. An object with non-hierarchical labels
B. A subject’s capability table
C. A subject’s security clearance
D. A compartmented object
Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. A subject’s security clearance.
A subject’s security clearance is used in the mandatory access control (MAC) to enforce access to objects dominated by the subject’s sensibility level, but it is not the primary instrument to enforce need-to-know.
An object can be classified based on hierarchical and non-hierarchical labels. Well-known hierarchical labels are Top Secret, Secret, and Confidential. Non-hierarchical labels can be created on demands to categorize or compartmentalize objects and enforce need-to-know. “Apollo” depicted in the above diagram is a non-hierarchical label used to create a compartment or category and enforce need-to-know.
Need-to-know can be implemented in discretionary access control (DAC) by an access matrix composed of access control list (ACL) and capability table conceptually as depicted in the slide, TCB Access Control.