Which of the following access control mechanisms characterizes subjects and objects using a set of encoded security-relevant properties?
Attribute-based access control (ABAC) characterizes subjects and objects using a set of encoded security-relevant properties. ABAC defines access control policies based on various attributes related to the user (subject), the resource (object), the action to be performed, and environmental or contextual information. This allows for fine-grained and flexible access control decisions based on multiple attributes, making it particularly suitable for complex or dynamic environments.
ANSWER: C. Attribute-based access control (ABAC). Glossary entry: attribute-based access control (ABAC), attribute based access control - A mechanism of assigning access and privileges to resources through a scheme of attributes or characteristics. The attributes can be related to the user, the object, the system, the application, the network, the service, time of day, or even other subjective environmental concerns. See also discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC, RoBAC, or role-BAC), and rule-based access control (RuBAC, Rule-BAC). OFFICIAL ISC2 STUDY GUIDE GLOSSARY pg 15
Also same info at: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf Guide to Attribute Based Access Control (ABAC) Definition and Considerations
I go with Option A. What are the security-relevant properties, if I may ask? Are they not the security classifications in MAC? Top Secret, Secret, etc...
It's A. Mandatory access control is a method of limiting access to resources based on the sensitivity of the information that the resource contains and the authorization of the user to access information with that level of sensitivity.
Historically, access control models have included mandatory access control (MAC), discretionary access control (DAC), and more recently role-based access control (RBAC). These access control models are user-centric and do not take into account additional parameters such as resource information, the relationship between the user (the requesting entity) and the resource, and dynamic information, e.g. time of the day or user IP. ABAC tries to address this by defining access control based on attributes which describe the requesting entity (the user), the targeted object or resource, the desired action (view, edit, delete), and environmental or contextual information. This is why access control is said to be attribute-based. https://en.wikipedia.org/wiki/Attribute-based_access_control
The access control mechanism that characterizes subjects and objects using a set of encoded security-relevant properties is known as the Mandatory Access Control (MAC) mechanism. In this mechanism, every subject and object is assigned a security label, which consists of a set of encoded security properties. These security properties are used to determine whether a subject is allowed to access an object or not. The security labels are typically defined by a system administrator and are based on a security policy. The security policy specifies the rules and guidelines for access control in the system. MAC is commonly used in environments that require a high level of security, such as military and government organizations. It is also used in systems that process sensitive or confidential information.
Mandatory Access Control: A key characteristic of the Mandatory Access Control (MAC) model is the use of labels applied to both subjects and objects. For example, if a user has a label of top secret, the user can be granted access to a top-secret document. In this example, both the subject and the object have matching labels. When documented in a table, the MAC model sometimes resembles a lattice (such as one used for a climbing rosebush), so it is referred to as a lattice-based model. Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 682). Wiley. Kindle Edition.
I would go for C, ABAC. The encoded properties are the defined objects (i.e. 18+, driver's license, etc.).
It’s C
A is correct
C. Attribute-based access control (ABAC). Attribute-based access control (ABAC) is an access control mechanism that characterizes subjects (users, processes) and objects (resources) using a set of encoded security-relevant attributes or properties. ABAC allows for fine-grained access control decisions based on various attributes such as user roles, resource classifications, time of access, and other contextual information. This flexibility in defining access policies makes ABAC suitable for complex and dynamic access control scenarios.
C is the answer. ABAC defines access control policies based on assigned attributes of subjects (users/processes) and objects (resources). These attributes, like role, clearance, project, etc., are used to determine access rather than identities alone. Mandatory AC (MAC) uses labels and clearances. Role-based AC (RBAC) uses roles. Discretionary AC (DAC) uses access control lists.
C. Attribute-based access control (ABAC). Attribute-based access control (ABAC) uses attributes associated with subjects, objects, and the environment to make access control decisions. These attributes can include user roles, time of day, location, and other context-specific information. ABAC provides a flexible and dynamic way to define access policies based on various attributes, making it suitable for complex access control scenarios.
Answer C) ABAC. MAC, DAC and RBAC all pertain to only the subjects. https://www.okta.com/blog/2020/09/attribute-based-access-control-abac/
Subject and object is language relevant to attribute-based authN
C. Attribute-based access control (ABAC). The question describes an access control mechanism that uses encoded security-relevant properties to characterize subjects and objects. This is the hallmark of Attribute-Based Access Control (ABAC).
Why not A. Mandatory Access Control (MAC): Uses predefined labels (e.g., Top Secret, Confidential) assigned by administrators, not dynamic attributes. Encoded Security-Relevant Properties example: A policy might encode: "Allow access if the user’s role is Manager AND the file classification is Confidential AND the time is between 9 AM and 5 PM." This aligns with the question’s description of using encoded security-relevant properties.
ABAC evaluates access based on multiple attributes assigned to subjects (users), objects (resources), and environmental conditions. These attributes are encoded as security-relevant properties (e.g., role, department, location, time of access) to create dynamic, context-aware access policies.
ABAC works by characterizing subjects (users, processes etc) and objects (files, systems, resources etc) using a set of encoded security-relevant properties, known as attributes.
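The two models discussed in this thread, side by side, as an added example that is not from any poster or from the cited guides: a simplified MAC label comparison and an ABAC evaluation of the rule quoted above (role is Manager, classification is Confidential, time between 9 AM and 5 PM). The function names, attribute names, the inclusive time bounds and the sample subjects are assumptions made for illustration.

```python
from datetime import time

# MAC (simplified "no read up"): one ordered label per subject and object.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_can_read(subject_clearance, object_label):
    """Permit a read only if the clearance dominates the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# ABAC: each rule holds predicates over subject, object and environment
# attributes for one action. Every predicate in a rule must hold.
POLICY = [
    {   # the rule quoted in the thread; 9 AM and 5 PM treated as inclusive
        "action": "read",
        "subject": {"role": lambda v: v == "Manager"},
        "object": {"classification": lambda v: v == "Confidential"},
        "environment": {"time": lambda t: time(9, 0) <= t <= time(17, 0)},
    },
]

def _matches(predicates, attributes):
    # A missing attribute never satisfies a predicate (fail closed).
    return all(name in attributes and test(attributes[name])
               for name, test in predicates.items())

def abac_decide(subject, obj, action, environment, policy=POLICY):
    """Return 'Permit' if some rule matches in every category, else 'Deny'."""
    for rule in policy:
        if (rule["action"] == action
                and _matches(rule["subject"], subject)
                and _matches(rule["object"], obj)
                and _matches(rule["environment"], environment)):
            return "Permit"
    return "Deny"  # default deny when no rule applies

if __name__ == "__main__":
    # Constructed sample subjects and objects.
    manager = {"role": "Manager", "department": "Finance"}
    analyst = {"role": "Analyst", "department": "Finance"}
    report = {"classification": "Confidential"}
    print(abac_decide(manager, report, "read", {"time": time(10, 30)}))
    print(abac_decide(manager, report, "read", {"time": time(22, 0)}))
    print(abac_decide(analyst, report, "read", {"time": time(10, 30)}))
    print(mac_can_read("Secret", "Confidential"))
```

The MAC check consults a single ordered label, while the ABAC decision changes with the time of the request even though the subject and object are the same.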