Let's turn our attention to the implementation of access controls. As we begin our conversations, you'll see the module topics. On the screen in front of you, we have a few to go through, as you can see. We'll take a look at Mandatory Access Control, it's commonly referred to as MAC. Non-Discretionary Access Control. Discretionary Access Control, DAC. Role-Based Access Control, what's called, RBAC, traditionally. Content-Dependent Access Control, Context-Based Access Control, both in theory, would be CDAC or some form of that. But notice we don't have acronyms for certain ones, CBAC, CDAC, et cetera, because certain ones may be a little confusing. The common accepted acronyms are the ones that are going to be off to the side in the parentheses. Temporal Isolation, what's called, (Time-Based) Access Control. Attribute-Based Access Control. Separation of Duties, as a concept, what does that mean. And Security Architecture and Models. We'll talk about things like Bell–LaPadula, Biba, Clark-Wilson. We'll talk about different access control models and what their focus is and how they work, and we'll have a thorough conversation there as well. Let's jump in and begin by talking about Mandatory Access Control. The concept of the Mandatory Access Control thought process or MAC is fairly straightforward. We think about trying to eliminate the problem as we talked about on the slide here, relying on each system owner to properly set and control access, requirements for access, capabilities around their resources, which is a very big issue that we have to contend with. Because when individual owners are setting their own resource access permissions and are doing so in an ongoing way, couple of users, couple of owners, no big deal, it's probably straight forward. But when you have everybody creating objects and effectively becoming creator owners, and you have their ability as individual users to create access control mechanisms that will block or allow access to their individual content along with the system, trying to broker all that, it can become very confusing very quickly. And so in a Mandatory Access Control model, what we effectively do is say, you know, not going to happen that way. Instead, we're gonna have a central authority effectively, and that central authority is going to maintain access control and stipulate the rules for all of the objects, all the data in the system that we want to grant access to. And that's going to be done in one location from one theoretically set of control mechanisms, some sort of console, whatever it is, and we're going to program all that information and access control entries there, and there's a central oversight in the system. As a result of that, the system is used to apply and set the access control policies, as we talk about in the second bullet point. But the system owner applies the need to know element. In other words, the system owner programs in who's going to be on that list and under what conditions. They will be granted access from a central system, and then that system is used to enforce the access control that the mandatory access control stipulations or specifications require. So the system owner will specify who gets to know, and then the system implements that. It's a little bit of a different approach. And so mandatory access control is used traditionally in secure systems, more often than not, government and military systems where you see something like this, you may see it in certain private sector areas. Perhaps, if you're dealing with complex intellectual property that has to be kept secure, only very specifically shared with certain groups or elements within the business because of the worry about exposing that before it's ready to go to market, there may be a mandatory access control element involved there. Some of my clients in the biopharmaceutical area, drug development, things like that, where you spend potentially billions of dollars on research to bring a drug to market will use mandatory access control systems to protect the research and the intellectual property associated with that development cycle. But out beyond that, usually in the defense industries as well, you often will see mandatory access control systems used, again to protect things like designs and plans for systems that are highly confidential, very, very important to keep secret, not expose not only to competitors but to foreign entities that are looking to potentially steal that design and compromise it. So, mandatory access control certainly will be found in those areas. But in general, in most private systems, you may not see mandatory access control. As an SSCP, as we begin our conversations in this area talking about different access control mechanisms, understand that a lot of the ones on the list that we are going to talk about, things like Temporal-Based Access Control, Context-Based Access Control, Content Dependent Based Access Control, you may or may not see these systems, you may or may not interact with them. You're going to be very familiar with DAC, the Discretionary Access Control system, but out beyond that, you're probably not going to have seen too many of them and that's okay, there's nothing wrong with that. You don't have to interact with the system, you don't have to see it firsthand, you don't have to use it every day in order to be able to define it, answer questions about it and understand it. But you do have to make sure you are familiar with the definition and how the system would work, theoretically if asked. That is going to be a very important success metric, very important success point for you in these conversations. So keep in mind, while hands on practical real world experience is always beneficial, never wan to discourage you from thinking that way, it's always good. You just may not be able to go out and play with some of these systems, they just may not exist and be available to you. So as a result, you may have to envision what they will be. Have that capability going on, walk through them as we discuss them. If you're unclear, pause, let's go back, let's review, let's make sure you're comfortable with that before you continue. This is the time to lay down that foundational knowledge as I've been explaining to you all along the way, so as we continue our conversations in other areas, you're comfortable with these thought processes as they come back up again.
