In this chapter, we’ll take a broad look at security controls related to data security and discuss what they are and their significance to maintaining security in an organization. The following topics will be covered:
What are Security Controls?
Broadly speaking, security controls are any safeguards or countermeasures that are used to prevent, reduce, counteract or detect security risks. This concept can be applied in any field. For example, car alarms, barbed wire and CCTV are security controls that protect physical entities in the physical world. In cybersecurity, this can entail firewalls, endpoint protection and data protection solutions.
In many cases, a single security control will achieve more than one action (i.e. it can both reduce risks as well as detect and alert you to potential breaches).
Types of Security Controls
Security controls are typically classified according to their main value against security risks, which can be divided into the following three categories:
- Preventive security controls: These security controls prevent security risks. A physical example might be an obstacle, such as a fence, barbed wire or minefield, which is deployed to prevent the risk of an adversary accessing a certain area.
In information security, access controls can be an excellent means of preventing access by unauthorized users. They can be a protected web application section requiring a login to access the application, an application which requires an API token to perform actions or a solution like Satori which provides granular and dynamic access controls to data stores.
- Detective security controls: These security controls are aimed at detecting certain security risks. A physical example might be CCTV or a radar, detecting movements relevant to the protected asset.
In information security, an example can be an Intrusion Detection System (IDS), which alerts organizations to possible intrusions. In many cases, preventive measures may be deployed as well. Satori’s tracking of data flows in data stores is an excellent example of detective security controls, as it allows users to detect unwanted behaviors and prevent them.
- Corrective security controls: These security controls limit the extent of damage created by certain risks and enable quick recovery. Backup systems are typical examples of this approach, as they allow an organization to quickly recover from ransomware attacks. Quick and effective incident response to threats is another good example, as it works to contain incidents and promote resiliency.
- Confidentiality: Security controls protect sensitive information and secrets from being accessed.
An example in data protection would be the non-trivial task of preventing certain employees from accessing certain types of sensitive information in databases. We wrote about these challenges here and here.
- Integrity: Security controls ensure that data is consistent, trustworthy and accurate. For example, placing encryption security controls over network communications prevents attempts to interfere with the integrity of data, such as Man-in-the-Middle (MITM) attacks that tamper with data in transit. Version control is an excellent example of a security control that helps ensure accountability for all changes to data.
- Availability: Security controls ensure that assets or data are available to those who need them. Therefore, effective security controls should prevent attacks that attempt to obstruct access, such as Denial of Service (DoS) attacks.
Combining Security Controls
In many cases, it is best to deploy security controls in a layered approach, as they are insufficient when deployed individually. Consider the effectiveness of a fence built around a perimeter as a preventative measure against unauthorized access. Although effective against many types of penetration, it cannot prevent an adversary from digging under it or destroying it to access the asset you mean to protect. A combination of several controls, set up according to strategic specifications, is required to actually secure the perimeter. This may require adding CCTV to detect risks and deploying a security team to counteract breaches.
Information security works along similar lines. In most cases, placing a single security control cannot address all of the risks enterprises face, especially when the protected assets in question are also dynamic in nature (given that data is usually subject to constant change). This means that organizations must (1) prevent unauthorized access to data, (2) monitor authorized access for anomalies (i.e., fraud) and (3) counteract breaches (meaning install processes for incident response).
Common Security Controls in Cybersecurity
The cybersecurity industry is full of different kinds of cybersecurity controls and is producing new ones regularly. The most common ones found among enterprises are the following:
- Firewalls: Whether at the network or application layer, these security controls inspect traffic to or from assets and block attacks or suspicious activity.
- Endpoint security: This involves software deployed on endpoints (laptops, workstations, servers and mobile devices) to either prevent attacks or detect suspicious activities.
- Data Protection security controls: These security controls prevent attacks against databases (such as a DB firewall), audit database activities (usually for compliance), enable data access controls and detect suspicious behavior.
What are the Primary Objectives of Data Security Controls?
The primary objectives of data security controls are to prevent, detect and provide corrective measures for the risks and threats faced by organizational data. This includes:
- Preventing unauthorized access to data: This threat can originate both inside and outside of an organization. An internal threat may involve an employee trying to access restricted information. An external threat may originate from a malicious adversary attempting to steal data.
- Protecting privacy: This addresses the privacy of consumers, employees and others with personal information kept by the company. Measures that protect privacy can involve restricting access from certain geographic locations to certain information.
- Detecting suspicious activity: This involves analyzing data access for outliers and anomalous behavior.
- Auditing: This requires maintaining a digest of information logging data access. It is mainly used for compliance but can also be analyzed via analytical tools for suspicious phenomena, or used as a corrective measure (as a part of incident response).
Assessing Security Controls for Data Protection
A good approach to assessing the effectiveness of security controls for data protection is to map out the entirety of an organization’s data stores, focusing on those holding the most sensitive data, and to model the most pressing threats to be reduced or eliminated. The frameworks listed below can provide further insight into carrying this out.
The following parameters should be considered when selecting the right security controls for your organizational data protection:
- Ease of deployment: Solutions with complicated or resource-intensive implementation and maintenance are often more trouble than they are worth. The benefits they deliver rarely outweigh the costs and they are rarely utilized to their full potential. The ideal solution should be seamless and help streamline operations, not bloat security stacks and bog down security teams.
- Coverage: Security controls must support the type of data stores they have been assigned to protect, or at least have a clear plan for configuration in place. Moreover, given the dynamic usage of data, it is helpful to avoid solutions that are tied to a specific technology stack (e.g. a database provider) or infrastructure provider (e.g. a public cloud).
- Effectiveness: Security controls should effectively reduce the risks they are meant to address. This can be assessed internally or by using an external evaluation.
- TCO: The total cost of ownership is an important consideration that takes into account the usage, infrastructure costs, training and professional services required to keep the solution effective.
Implementing Security Controls for Data Protection
The implementation of security controls is often challenging. It can be helpful to implement the following advice:
- Every relevant party should be actively involved and on board: Employees involved in data protection must appreciate and understand the importance of the new security controls, whether they be DevOps, security or data engineering personnel.
- Implementation should be cautiously carried out: The first step should merely involve connecting part of an organization to the new security control and ensuring that the use-case is covered, before proceeding through a well-balanced implementation plan. It is important to stay alert for unaccounted data consumers that should not be disrupted.
- Follow through on the implementation plan: It is important to assign ownership over specific roles within the implementation process of new solutions as well as the project as a whole.