Often in security we get so caught up in firewall rules, anti-virus alerts, or answering audit and compliance surveys that we sometimes put the cart before the horse. We focus on implementing the little details without developing or updating our overall strategy. Security is, in essence, the art of defining and applying appropriate administrative, technical, and physical controls to provide authorized access and to prevent unauthorized access to resources. We can streamline our security (and at times reduce our expenses) by reviewing our access control strategy on a regular basis.
Access Control Components
Access control is really a matrix of access control groups (administrative, technical, and physical) and access control types (preventive, detective, corrective, recovery, deterrent, and compensating).
- Preventive – blocks access, preventing successful execution.
- Detective – sees access violations in progress and either alerts (active) or logs (passive) the violation.
- Corrective – fixes an access issue, such as anti-virus quarantining malicious code.
- Recovery – if a corrective measure fails, recovery restores secure operations. For instance, reimaging a device on which an anti-virus quarantine failed.
- Deterrent – a control which poses a threat that discourages access attempts. For instance, my ability to perform Chrome forensics is a deterrent for my children, which prevents them from surfing to inappropriate sites.
- Compensating – a control which makes up for ineffectiveness in another control. An administrative control prohibiting the use of smartphones on the corporate wireless network could be a compensating control for the lack of a technical control that prevents smartphones from joining the corporate wireless network.
Access Control Strategy – Rapid Assessment
As we step back and reconsider access control, it’s important to spend some time ensuring we have good coverage horizontally and vertically throughout the matrix. Some things to look for:
- Are we overly reliant on administrative controls, with few solid technical controls in place? Most of us in IT security are technologists. Have we taken the time to consider our physical security? Do our doors open to a wide-open area with little traffic control? Are our door lock mechanisms outdated or easily defeated? Have we put video surveillance in place to protect sensitive areas (like where our developers leave their laptops overnight)?
- Do our technical controls actually contribute to overall access control, or are we simply chasing the brightest star amongst the nebula of new sales pitches, promises, and threats?
Access Control Reviews
Many security and privacy frameworks require us to review our risks on a regular basis and ensure we have appropriate countermeasures. As security leaders, we should take a similar approach to access control reviews, assessing our controls based on group and type to make sure our matrix is balanced and effective. As we roll risks together into remediation projects, we should also be considering our access control matrix gaps and including those in remediation efforts as well.
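One way to run the group-by-type review described above is to load a control inventory into the matrix and list the empty cells and any group that dominates the count. This is an added example, not part of the original article; the inventory, the function names, and the 50% reliance threshold are constructed assumptions.

```python
from collections import Counter

GROUPS = ("administrative", "technical", "physical")
TYPES = ("preventive", "detective", "corrective",
         "recovery", "deterrent", "compensating")

# Constructed sample inventory: (control name, group, type).
INVENTORY = [
    ("Acceptable use policy", "administrative", "deterrent"),
    ("No-smartphones-on-wireless policy", "administrative", "compensating"),
    ("Quarterly access recertification", "administrative", "detective"),
    ("Security awareness training", "administrative", "preventive"),
    ("Firewall rules", "technical", "preventive"),
    ("Anti-virus quarantine", "technical", "corrective"),
    ("Device reimaging", "technical", "recovery"),
    ("Door locks", "physical", "preventive"),
]

def build_matrix(inventory):
    """Return {(group, type): [control names]} for all 18 cells."""
    matrix = {(g, t): [] for g in GROUPS for t in TYPES}
    for name, group, ctype in inventory:
        if (group, ctype) not in matrix:
            raise ValueError(f"{name}: unknown cell {group}/{ctype}")
        matrix[(group, ctype)].append(name)
    return matrix

def uncovered_types(matrix, group):
    """Control types with no control at all in the given group (a row's gaps)."""
    return [t for t in TYPES if not matrix[(group, t)]]

def group_share(inventory):
    """Fraction of all controls that falls in each group."""
    counts = Counter(group for _, group, _ in inventory)
    return {g: counts[g] / len(inventory) for g in GROUPS}

def dominant_groups(inventory, threshold=0.5):
    """Groups holding at least `threshold` of all controls (assumed cut-off)."""
    return [g for g, s in group_share(inventory).items() if s >= threshold]

if __name__ == "__main__":
    matrix = build_matrix(INVENTORY)
    for g in GROUPS:
        print(f"{g:15} missing: {', '.join(uncovered_types(matrix, g)) or 'none'}")
    print("over-reliance on:", dominant_groups(INVENTORY) or "none")
```

An empty cell is a prompt for discussion rather than an automatic finding: a compensating control, for instance, is only needed where another control is ineffective.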