Information Security Controls are the bread and butter of audit professionals, the bane of developers, and the playground of security professionals. From a business perspective, they provide a means for enabling business resiliency by protecting against, and reducing the risk associated with, the threat landscape. Insofar as the concept of defense in depth is embraced, its impact is reduced to mere bandying about when we consider ever-present security breaches. If your strategy of control design is based on effectiveness alone, you do not have true defense in depth; you have a single thread of defense. We learned from our analysis of a reference architecture that businesses and their information systems have multiple attack vectors, and therefore controls must be modeled from multiple perspectives. This is what yields a truly defense-in-depth environment, along with resiliency of controls and continuous compliance. Five steps can get you there.
Step 1: Foundational Controls
A primary outcome of implementing a best-in-class information security program is maintaining the state of due care and due diligence. These states are maintained when what are considered basic controls are present in a system. A rational method of control organization can be found in NIST 800-53 v4[1], where controls are situationally categorized as common, system-specific, and hybrid. Common controls provide a state of inheritance as they protect the various subsystems of an information system. Enterprise user directories providing authentication and authorization are examples of a common control in that they enable access to multiple systems across a SOA architecture. System-specific controls reside with service-specific systems; examples are database and web server controls. Hybrid is a blend of common and system-specific, such as an antivirus (AV) management solution where the AV solution is specific to protecting against malware yet provides common protection to specified clients. The modes of inheritance through common and hybrid controls enable efficient control design, resulting in reduced control sprawl, operational cost, and technology complexity.
Implementation of foundational controls provides the first tier of defense, with further effectiveness maximized through environmental application.
Step 2: Environment
Environmental controls are a superset of systems views of physical, logical, and virtual contained within a chassis (appliance) or across interoperable information systems, enabling scaling of foundational controls. Routers and next generation firewalls can provide boundary protection physically, logically, and virtually as a common control. Platforms (for example, Microsoft Windows) can provide inheritance of controls to virtual tiers through hardening of the physical and logical tiers. Likewise, virtual tiers can support a lattice-based model of security, enabling varied access based on interaction between associated objects and subjects.
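The lattice-based model mentioned above can be made concrete with a small worked example. The code below is an added illustration, not from the original article: it builds labels from a linearly ordered sensitivity level plus an unordered set of compartments (the level names and compartments are constructed sample values), defines the dominance relation that orders them, and applies it to subject/object access decisions. Applying dominance as "no read up, no write down" is an assumption about how the lattice is used, chosen because it is the classic formulation.

```python
"""Lattice-based access control between subjects and objects.

Added example; the level names, compartments and the read/write rules
(no read up, no write down) are assumptions, not definitions from the article.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed, linearly ordered sensitivity levels; compartments are unordered
# need-to-know sets, so the combined labels form a lattice rather than a chain.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def label(level: str, *compartments: str) -> Label:
    """Convenience constructor so callers need not build frozensets by hand."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return Label(level, frozenset(compartments))


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label that data derived from both a and b must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def comparable(a: Label, b: Label) -> bool:
    """Two labels may be incomparable (neither dominates); that is what makes it a lattice."""
    return a.dominates(b) or b.dominates(a)


def decide(subject: Label, obj: Label, action: str) -> str:
    """Read requires subject >= object (no read up); write requires object >= subject (no write down)."""
    if action == "read":
        allowed = subject.dominates(obj)
    elif action == "write":
        allowed = obj.dominates(subject)
    else:
        raise ValueError(f"unknown action: {action}")
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    # Constructed sample subject and objects.
    hr_analyst = label("confidential", "hr")
    payroll_file = label("internal", "hr")
    audit_report = label("confidential", "finance")
    for obj_name, obj in (("payroll_file", payroll_file), ("audit_report", audit_report)):
        for action in ("read", "write"):
            print(f"hr_analyst {action} {obj_name}: {decide(hr_analyst, obj, action)}")
    print("label for data derived from both:", join(payroll_file, audit_report))
```

The point to notice is the incomparable pair: an HR analyst cleared to "confidential" still cannot read a "confidential" finance object, because dominance requires the compartment set to be a superset, not just the level to be high enough. That is the "varied access based on interaction between associated objects and subjects" that a plain hierarchy of levels cannot express.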
Implementation of environmental controls provides the second tier of defense, with further effectiveness maximized through functional application.
Step 3: Functional Controls
The premise of defense in depth is to “manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer will hopefully prevent full breach.”[2] Foundational controls are less effective when designed non-functionally, meaning that, while they operate, a compromise of one causes other controls to fail in a domino effect. Functional controls, in contrast, are designed to withstand compromise should another control fail. Controls are made functional by designing toward the expectation of compromise, failure, and control reaction.
Control reaction is preventative, detective, and corrective.[3] Preventative controls prevent breach or exploitation, whereas detective controls provide alerts based on characteristics, patterns, and other indicators of compromise. Corrective controls provide automated remediation of threat execution or block active threat continuation. Ordering your foundational controls based on reaction enables control resiliency, ensuring protection remains in force when a control fails, with further tuning through tiered situational application.
Step 4: Situational
Situational controls are characterized by Priority and Use Case, which enable agile threat-modeling design and integration, and are based on three modes of operation, as shown in the table below:
| Priority | Behavior | Use Case | Examples |
|---|---|---|---|
| Primary | Permits authorized actions, blocks unauthorized actions | Who (you are) | Authorized human or non-human user |
| Secondary | When primary fails, may block, correct, and alert unauthorized actions | Where (you are) | Internal to the infrastructure or external in an untrusted environment |
| Tertiary | When secondary fails, alerts and blocks unauthorized actions | What (you have) | Company-owned device (full form factor); company-owned device (small form factor) |
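To show how the reaction ordering from Step 3 (preventative, detective, corrective) and the Primary/Secondary/Tertiary tiers in the table above combine into a resilient chain, here is an added example that is not part of the original article. It models each tier as a control over one situational attribute (who, where, what) and walks them in priority order; a tier that "fails" is treated as compromised or unavailable, which is an assumption about the table's wording. The directory of authorized principals, the device classes, and the step-up corrective action are constructed sample values.

```python
"""Tiered situational control chain: Primary (who), Secondary (where), Tertiary (what).

Added example built from the article's table; a tier "fails" here means the
control is compromised or unavailable (an assumption), and the directory,
device classes and corrective action are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Tuple

# Constructed stand-ins for an enterprise directory and a device inventory.
AUTHORIZED = frozenset({"alice", "build-bot"})
COMPANY_DEVICES = frozenset({"full-form-factor", "small-form-factor"})


@dataclass
class Request:
    who: str    # principal making the request
    where: str  # "internal" or "external"
    what: str   # device class the request comes from


@dataclass
class Outcome:
    decision: str = "block"          # preventative result: "allow" or "block"
    decided_by: str = "none"         # tier that produced the decision
    alerts: List[str] = field(default_factory=list)       # detective output
    corrections: List[str] = field(default_factory=list)  # corrective output


def primary(req: Request, out: Outcome) -> str:
    """Who you are: permit authorized principals, block everyone else."""
    return "allow" if req.who in AUTHORIZED else "block"


def secondary(req: Request, out: Outcome) -> str:
    """Where you are: consulted only when primary has failed. Internal traffic
    proceeds; external traffic is corrected with a step-up requirement and alerted on."""
    if req.where == "internal":
        return "allow"
    if req.where == "external":
        out.alerts.append(f"external access by {req.who} while primary control is down")
        out.corrections.append("require step-up authentication")
        return "allow"
    out.alerts.append(f"unrecognised location {req.where!r} for {req.who}")
    return "block"


def tertiary(req: Request, out: Outcome) -> str:
    """What you have: last tier, always alerts, blocks anything not company-owned."""
    out.alerts.append(f"tertiary control reached for {req.who} on device {req.what}")
    return "allow" if req.what in COMPANY_DEVICES else "block"


TIERS: Tuple[Tuple[str, Callable[[Request, Outcome], str]], ...] = (
    ("primary", primary), ("secondary", secondary), ("tertiary", tertiary))


def evaluate(req: Request, failed: FrozenSet[str] = frozenset()) -> Outcome:
    """Consult tiers in priority order, skipping those in `failed`. If every
    tier has failed, the chain fails closed instead of silently allowing."""
    out = Outcome()
    for name, control in TIERS:
        if name in failed:
            out.alerts.append(f"{name} tier unavailable, falling through")
            continue
        out.decision = control(req, out)
        out.decided_by = name
        return out
    out.alerts.append("all tiers failed; fail-closed block")
    return out


if __name__ == "__main__":
    req = Request(who="mallory", where="external", what="unmanaged")
    for failed in (frozenset(), frozenset({"primary"}), frozenset({"primary", "secondary"}),
                   frozenset({"primary", "secondary", "tertiary"})):
        out = evaluate(req, failed)
        print(f"failed={sorted(failed)} -> {out.decision} by {out.decided_by}; "
              f"alerts={len(out.alerts)} corrections={out.corrections}")
```

Two design choices carry the article's point. First, every fall-through leaves a detective trace in `alerts`, so the failure of a tier is itself an indicator rather than a silent gap. Second, exhausting the chain produces a block, not an allow: a chain that is merely "effective" while all tiers are healthy but opens up when they are gone is the single thread of defense the introduction warns about.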