When you develop a data security architecture and strategy for your organization, your main objective is to protect the organization’s data.
To do that, you first need to identify the threats and vulnerabilities associated with that data and inform the business about the risks you've found. Next, you introduce countermeasures to manage those risks in line with the organization's risk appetite. Doing that well requires data security controls, and a firm grasp of what each control's primary objective is. In this post I want to help by answering those questions.
First, we'll cover the definition of data security controls, what their main goal is, and why understanding security control objectives is important. Then, we'll review the seven main security control types and their primary objectives. Following that, we'll dive into the security control categories that let us define these controls further. Let's start by defining data security controls.
What Are Data Security Controls?
Data security controls are your main tools for protecting your organization's data against threats. It's an umbrella term that covers all the technical, personnel, and process-related security measures used to protect data. Protection means maintaining confidentiality, integrity, and availability (the CIA triad of information security) throughout the whole lifecycle of your organization's data.
This is the main goal and objective of data security controls: to protect data and to manage the associated data security risks. To use security controls effectively, you need to understand what their primary objectives are. But why do the primary objectives matter?
There are hundreds of security controls at your disposal, each of which has a different objective that defines what it’s meant to achieve. And every organization is unique and has different business objectives, processes, and procedures. First, you need to understand those business priorities and goals. Next, you need a firm grasp on the data security risks in the context of the business. Only then will you be able to choose the right security controls to manage those risks.
Why Understanding Data Security Control Objectives Is Important
If you don't understand the primary objectives of data security controls, you'll spend (or waste) time and money implementing a control that doesn't actually protect your data. That's why understanding the primary objectives is important. A security control classification model simplifies this challenge because it gives you a structured way to reason about what each control is for.
Each security control can be classified based on the security control type and security category. Sometimes a security control can belong to more than one security control type and category. I’ll give you a few examples to demonstrate this dual nature. First, let’s see what the security control types are.
Types of Security Controls
There are seven main types of data security controls: directive, deterrent, detective, preventive, compensating, corrective, and recovery. Each type offers a different benefit to your data security strategy. Below, we discuss each of these types in detail.
Directive Controls Define How to Play by the Rules
Directive controls define acceptable rules and behaviors within your organization. When you implement directive controls, you mainly focus on the human factors of information security. For example, employee awareness training, user guidelines, policies, and procedures belong to this category. The main objective of a directive control is to inform, provide guidance, and define expected behaviors everyone must adhere to in an organization.
Deterrent Controls Discourage the Bad Guys
The main objective of a deterrent security control is to discourage people from breaking the rules. It works like a "beware of dog" sign: it stops nobody on its own, but it raises the perceived cost and risk of trying. Have you ever wondered why stores leave the lights on after they've closed? It's because lights discourage burglars. Deterrents only work on attackers who are paying attention and weighing the odds, so never count one as a barrier.
Detective Controls Are Your Eyes and Ears
To put it simply, detective controls identify attacks, attempted or successful, that got past your other controls. Their main objective is to alert your team when the preventive controls fail to protect data, so you learn about the incident from your own monitoring rather than from a customer or a regulator.
However, good detective controls do more than send alerts. They also preserve evidence and audit logs, which come in handy in post-incident investigations. Ship those logs off the host that generated them and keep clocks synchronized; otherwise an attacker with local access can edit or delete the record of their own actions.
Preventive Controls Stop Attacks in Their Tracks
As the name implies, these security controls prevent security incidents and data breaches as their main objective. Just make sure you don’t catch the “false sense of security” disease with preventive controls because they’re not silver bullets.
Even though they are effective and should form a key part of your data security strategy, don’t rely on them entirely. For example, a classic anti-malware program is considered a preventive control. These programs prevent malicious software from wreaking havoc in the organization’s network.
However, antivirus on its own doesn't provide adequate protection. Even though a modern product works fine and detects millions of known viruses, trojans, and other nasty things, it can't catch them all. Evading signature-based detection (repacking a payload, loading it only in memory, or using tools already on the system) is well-understood attacker tradecraft rather than an exotic skill.
This doesn’t mean you shouldn’t use anti-malware products, but please don’t rely on them entirely. Instead, I recommend you take an approach that assumes that preventive controls fail. And when they do, be ready for it.
This means you should always deploy a combination of preventive and detective controls. This goes hand in hand with the "defense-in-depth" strategy: layer controls with different failure modes so that when one layer misses an attack, the next layer still has a chance to stop it or at least see it. Note that it's the independence of the layers that adds security, not the raw number of controls.
Sticking with the antivirus example, you could deploy application allowlisting (whitelisting) as a preventive control so that unapproved programs don't run in the first place. Again, this isn't bulletproof, but it's a lot better than relying on anti-malware protection alone.
Alternatively, if you can't deploy an application allowlisting solution, how about at least monitoring every application executed on the server and investigating anything that looks out of the ordinary? That strategy isn't perfect either, but the right combination of preventive and detective controls is half the battle.
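Here is what the "monitor every execution" fallback looks like in practice, as an added example that is not code from the original post. It takes process-start events as JSON lines and raises a finding for anything not on the allowlist, for an allowlisted path whose hash no longer matches, and for binaries launched from scratch directories. The field names (`host`, `image`, `sha256`), the allowlist hashes and the log lines are all constructed for the example; map the fields from whatever your Sysmon, auditd or EDR pipeline actually emits.

```python
"""Detective control over process-execution events with an allowlist.

Added example, not code from the original post. Events are assumed to be JSON
lines carrying `host`, `image` (full path of the executable) and `sha256`.
Allowlist hashes and sample log lines are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Allowlist: full path -> expected SHA-256 of the binary (constructed values).
ALLOWLIST = {
    "/usr/sbin/sshd": "1f2e3d4c" * 8,
    "/usr/bin/curl": "a1b2c3d4" * 8,
    "/usr/bin/python3": "9e8d7c6b" * 8,
}

# Directories a legitimate service binary has no business running from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    host: str
    image: str
    reason: str


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the execution violates the allowlist, else None."""
    image = event["image"]
    expected = ALLOWLIST.get(image)
    if expected is None:
        reason = "executable not on allowlist"
        if image.startswith(SCRATCH_DIRS):
            reason += " (run from a scratch directory)"
        return Finding(event["host"], image, reason)
    if event["sha256"].lower() != expected:
        # Same path, different binary: tampered, backdoored or replaced out of band.
        return Finding(event["host"], image, "allowlisted path but hash mismatch")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_event over JSON lines, skipping blank lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = check_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events: two legitimate executions, three that should alert.
SAMPLE_LOG = """
{"host": "web-01", "image": "/usr/sbin/sshd", "sha256": "1f2e3d4c1f2e3d4c1f2e3d4c1f2e3d4c1f2e3d4c1f2e3d4c1f2e3d4c1f2e3d4c"}
{"host": "web-01", "image": "/usr/bin/curl", "sha256": "a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4"}
{"host": "web-01", "image": "/usr/bin/python3", "sha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"}
{"host": "web-02", "image": "/tmp/.x/kworker", "sha256": "0123456701234567012345670123456701234567012345670123456701234567"}
{"host": "web-02", "image": "/home/alice/.cache/update", "sha256": "89abcdef89abcdef89abcdef89abcdef89abcdef89abcdef89abcdef89abcdef"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT host={f.host} image={f.image}: {f.reason}")
```

The same allowlist, enforced at execution time by something like AppLocker or WDAC on Windows or fapolicyd on Linux, is the preventive version of this control; the script above is the detective fallback that tells you when the preventive layer is missing or has been bypassed. Keying the allowlist on path plus hash matters: a path-only list is defeated by overwriting an approved binary.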
Compensating Controls Substitute Other Security Controls
Compensating controls substitute or complement other security controls. You usually need compensating controls when your existing security controls aren’t effective enough to protect your data.
Sometimes you have to deploy compensating controls due to a legitimate technical or business constraint. For example, let’s say your organization has a legacy system that isn’t covered by vendor support. This system was originally deployed to prevent certain kinds of malware attacks against the organization’s data. This system may have been state-of-the-art technology 15 years ago, but today it’s rather old-fashioned. Therefore it doesn’t receive security patches from the vendor, and it doesn’t support new security features and security configurations either. You can’t replace or upgrade this preventive control even though it cannot effectively protect the data anymore.
What could you do instead?
You could deploy a few compensating controls to protect the data, but this means your organization has to spend more money in the long term. Why, you might ask? Because compensating controls need additional documentation and maintenance compared to other security controls.
Remember, a compensating control is something you deploy to supplement an existing control. Its main objective is to close a security gap in the absence of other controls and keep the overall data security risk within appetite. All of this means more work for you to justify and prove that the compensating control works and reduces the risk to the same extent as the control it stands in for.
My advice is to use these kinds of controls sparingly and only implement them on a temporary basis. Sometimes they’re useful to support a new business initiative, to help with short-term changes or kickstart greenfield projects. Either way, make sure you keep an eye on these controls and replace them with a permanent solution as soon as you can.
Fix Security Issues With Corrective Controls
Corrective controls fix a problem once it has been detected: they reverse a bad change, stop a malicious process, or isolate an affected system so the incident doesn't spread. These controls usually go hand in hand with detective controls, and they complement each other quite well. My advice is to automate your corrective controls as much as you can to advance your data security architecture. A good example of a corrective control is an automated AWS Lambda function that remediates an insecure S3 bucket ACL configuration.
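Here is that Lambda, as an added example that is neither the post's own code nor anything from AWS. It assumes the function is triggered by an EventBridge rule matching the CloudTrail `PutBucketAcl` event, so the bucket name is read from `event["detail"]["requestParameters"]["bucketName"]`; the S3 client is passed into the remediation function so the logic can be exercised offline against the constructed `FakeS3` stand-in and the constructed `SAMPLE_ACL` shown below.

```python
"""Corrective control: strip public grants from an S3 bucket ACL.

Added example, not code from the original post or from AWS. Assumes an
EventBridge rule on the CloudTrail PutBucketAcl event delivers the bucket
name at event["detail"]["requestParameters"]["bucketName"]. FakeS3 and
SAMPLE_ACL are constructed so the logic runs without AWS credentials.
"""
from typing import Dict, List, Tuple

try:
    import boto3  # only needed inside the real Lambda environment
except ImportError:  # pragma: no cover
    boto3 = None

# The two grantee groups that make a bucket or its objects world-accessible.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_public_grant(grant: Dict) -> bool:
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS


def strip_public_grants(acl: Dict) -> Tuple[Dict, List[Dict]]:
    """Split an ACL into (sanitized AccessControlPolicy, removed public grants).

    Non-public group grants such as the S3 LogDelivery group are kept, because
    removing them would break server access logging rather than fix anything.
    """
    kept, removed = [], []
    for grant in acl.get("Grants", []):
        (removed if is_public_grant(grant) else kept).append(grant)
    return {"Owner": acl["Owner"], "Grants": kept}, removed


def remediate_bucket_acl(s3, bucket: str) -> List[Dict]:
    """Fetch the bucket ACL, rewrite it without public grants, return what was removed."""
    acl = s3.get_bucket_acl(Bucket=bucket)
    policy, removed = strip_public_grants(acl)
    if removed:
        # Write only when something changed, so the function is idempotent and
        # does not generate a fresh PutBucketAcl event on every invocation.
        s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=policy)
    return removed


def lambda_handler(event, context):
    bucket = event["detail"]["requestParameters"]["bucketName"]
    removed = remediate_bucket_acl(boto3.client("s3"), bucket)
    return {"bucket": bucket, "removed_grants": len(removed)}


class FakeS3:
    """Minimal stand-in for the boto3 S3 client, constructed for offline use."""

    def __init__(self, acl: Dict):
        self.acl = acl
        self.put_calls: List[Tuple[str, Dict]] = []

    def get_bucket_acl(self, Bucket: str) -> Dict:
        return self.acl

    def put_bucket_acl(self, Bucket: str, AccessControlPolicy: Dict) -> None:
        self.put_calls.append((Bucket, AccessControlPolicy))
        self.acl = AccessControlPolicy


OWNER_ID = "0" * 64  # constructed canonical user ID

# Constructed ACL: owner full control, a public READ grant, and log delivery.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "data-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID, "DisplayName": "data-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    fake = FakeS3(SAMPLE_ACL)
    for grant in remediate_bucket_acl(fake, "example-bucket"):
        print("removed", grant["Permission"], "for", grant["Grantee"]["URI"])
```

Two caveats a practitioner would want. First, this function only looks at the ACL; a bucket policy can also grant public access, so pair it with AWS Config's managed `s3-bucket-public-read-prohibited` rule (detective) and, above all, with S3 Block Public Access at the account level (preventive) so the Lambda is a backstop rather than the first line of defense. Second, the Lambda's own role needs only `s3:GetBucketAcl` and `s3:PutBucketAcl`; a corrective control with broad permissions is itself a target.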
Recovery Controls to the Rescue
Recovery controls return systems and data to a known-good state after an attack. Your data backups and restore procedures are the classic recovery controls. A backup you have never restored is not yet a control, so test restores regularly and keep at least one copy where an attacker who owns the production environment can't reach it.
Security Control Categories
Now that we’ve gone through the security control types and their objectives, let’s go through the security control categories. These categories help us to classify each security control further.
The Administrative Control Category
Sometimes we also refer to the administrative controls as management controls. These controls are processes and procedures that define the organization’s administrative functions, roles, policies, and responsibilities.
The Technical Control Category
Technical controls, also known as logical controls, include all the hardware and software solutions you use to protect data.
The Physical Control Category
These controls focus on the physical protection of the organization's data and other assets. You'll sometimes see physical controls lumped under "operational controls," because NIST's older management/operational/technical split filed physical and environmental protection under the operational class. Physical controls cover a wide range of options, including security fences, locks, gates, cameras, fire control devices, and so on.
Where Security Control Category Meets Type
When you combine the security type and category, you can pretty much describe any security control under the sun.
For example, a deterrent technical security control is a login banner that warns users to follow policy, states that use of the system is monitored, and spells out which activity is prohibited or illegal. A recovery administrative control could be a documented disaster recovery plan. You get the idea.
To navigate the maze of security controls and understand which ones to apply, I strongly recommend using a cybersecurity standard such as ISO/IEC 27001/27002, NIST SP 800-53, or FIPS 200.
Data Security Controls: What’s Next?
By this point, we’ve covered what data security controls are and defined the seven security control types and their objectives. Now you also understand that security controls can be further defined by a security control category.
As a key takeaway, I’d like you to choose a good cybersecurity standard and start using it. A good standard doesn’t just go through the security controls—it gives guidance about which controls are critical to have and which ones are complementary. Choose those controls carefully and deploy them wisely.
This post was written by Janos Zold. Janos fell in love with IT while playing the beat 'em up video game Golden Axe as a child. Since then, he's held various technical roles (engineer, consultant, architect, manager) in Hungary, Ireland, and the UK. He has a passion for information security and cloud (AWS and Azure), and he runs a consultancy that helps financial and telecommunication organizations with information security challenges. He's an open source (and dog) enthusiast and an OWASP technical contributor who likes researching and sharing knowledge with others.