Understanding and applying security controls to secure IT assets.
Mayank Sharma
Cloud, Security, Architecture, Strategy | Energy and Financial Services | IRAP Assessor, CISSP, CRISC, TOGAF 9.2, ITIL v4, PSM1| Certified Architect- Azure, AWS & GCP
'Security control' is one of the most talked-about terms in the IT architecture space lately. In this post, I will delve into what controls are, why we need them and how to apply the various types of security controls, so let's get started!
The essence of security is to protect the company's assets. An IT organization puts policies and procedures in place to prevent losses. There are three types of loss: loss of confidentiality, loss of integrity and loss of availability. Before we dive deep into controls, here is a brief introduction to the concepts of confidentiality, integrity and availability.
1. Confidentiality means data is only accessible to the people who need to access it. An example of a loss of confidentiality would be classified government information leaked to the media.
2. Integrity means that data is not modified by any unauthorized personnel, and if there is any unauthorized access, it is recorded. An example of a loss of integrity could be a user deleting a file which he/she shouldn't have access to.
3. Availability means data is available when it is needed by the users who use it. An example of a loss of availability would be an organization hit by a DoS attack that makes some of its services unavailable.
Now let's see how we can apply security controls to prevent each of these losses of confidentiality, integrity and availability.
Applying access control
An access control is a hardware, software, or administrative control to ensure that unauthorized access to the data is prevented. This is generally achieved in these four steps.
1. Identifying the subject (user) accessing the resource.
2. Confirming that the access is authorised.
3. Granting (or restricting) access based upon the subject's identity.
4. Ongoing monitoring of access.
While a broad range of controls exists to enforce access control, there are three primary and four secondary classes of access control systems.
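As an added illustration of these four steps (example code written for this post, not the author's own), here is a minimal access-control mediator in Python: it resolves a session token to a subject, checks an ACL, grants or denies, and records every decision in an audit log, which a detective check then scans for repeated denials. The tokens, subject names, resource name and ACL contents are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the post): session tokens -> subjects, and an ACL
# keyed by (subject, resource) -> permitted actions.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACL = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
}

@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def identify(self, token):
        """Step 1: resolve the subject; an unknown token identifies nobody."""
        return SESSIONS.get(token)

    def is_authorised(self, subject, resource, action):
        """Step 2: consult the ACL, a preventive (logical) control."""
        return action in ACL.get((subject, resource), set())

    def request(self, token, resource, action):
        """Steps 3 and 4: grant or deny, and record every decision, denials included."""
        subject = self.identify(token)
        granted = subject is not None and self.is_authorised(subject, resource, action)
        self.audit_log.append({"subject": subject or "<unidentified>",
                               "resource": resource, "action": action, "granted": granted})
        return granted

    def repeated_denials(self, threshold=3):
        """Detective control over the step-4 log: subjects denied at least `threshold` times."""
        counts = {}
        for entry in self.audit_log:
            if not entry["granted"]:
                counts[entry["subject"]] = counts.get(entry["subject"], 0) + 1
        return {s for s, n in counts.items() if n >= threshold}

def demo():
    ac = AccessControl()
    decisions = [
        ac.request("tok-alice", "payroll.xlsx", "write"),   # granted: alice may write
        ac.request("tok-bob", "payroll.xlsx", "read"),      # granted: bob may read
        ac.request("tok-bob", "payroll.xlsx", "write"),     # denied: bob has no write
        ac.request("tok-bob", "payroll.xlsx", "delete"),    # denied
        ac.request("tok-bob", "payroll.xlsx", "write"),     # denied: third denial flags bob
        ac.request("tok-mallory", "payroll.xlsx", "read"),  # denied: token identifies nobody
    ]
    return decisions, ac.repeated_denials()
```

Note that the denied requests are logged alongside the granted ones; a log that only records successes would leave the monitoring step blind to the attempts that matter most.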
Primary control types
1. Preventative access control: Preventative access controls are the policies, procedures and solutions which prevent unauthorised access to the system. Examples are ACLs, installing a perimeter boundary, encryption systems, installing firewalls etc.
2. Detective access control: These are typically analyses performed to identify any issues or breaches that may have occurred, e.g. reviewing CCTV footage and security logs, or doing a Fiddler trace analysis to see whether there is already a breach in the system.
3. Corrective access control: Any action that is used to restore the system and return it to its normal state. A corrective access control could be restarting the system to flush out the code that was used to hack the system.
Secondary access control types
1. Deterrent access control: Like preventative access control, it acts by discouraging violations of the access control policy. The difference is that deterrent access control relies more on users doing the right thing. This could be done by running a security awareness program.
2. Recovery access control: This is like corrective access control. The difference is that while corrective access control aims to restore the services, recovery access control aims to restore compliance, e.g. restoring the failed node of a failover cluster.
3. Directive access control: It attempts to force subjects to perform in a specific way, e.g. an emergency exit, or hiring a candidate with an NV1 clearance if work needs to be done for the Australian Government.
4. Compensating access control: Provides an alternative control when the primary access control is not possible, e.g. when a new user does not yet have a smart card, an RSA token can be used in the meantime.
5. Logical/Technical control: Controls which are implemented by means of technology to restrict access to data. This could be encryption, or the method of authentication, e.g. passwords, biometrics etc.
6. Physical control: Examples of physical controls are guards, CCTV, physical boundaries etc.
So what kind of controls should one put in place while architecting an IT solution to secure it?
As a rule of thumb, you should deploy different classes of redundant controls to protect your assets. For example, if there is a need to secure an application or data which is important to the business, it makes sense to deploy a firewall and disk encryption software. The data should be housed on a server which is physically secured in a data centre. Further, user training should be formalised to ensure that users are aware of how to access the data correctly. One would also deploy audit logging to record historical transactions.
Applying different kinds of controls ensures that an attacker must bypass multiple access controls in order to gain unauthorised access (in the example above, even if an attacker somehow managed to steal the hard disk from the server, the encryption will prevent unauthorised access to the data). This concept of applying different classes of security controls to protect the data is called "Defence-in-Depth".
As a parting note, security should be 'just enough'. You don't want to spend $1000 to protect a hundred-dollar asset. So applying risk assessment techniques to identify your critical assets must be the first step before selecting security controls.
Thanks for reading!