What Automated Security Controls Can Be Implemented Through Policy?

Automating as many security controls as possible is the best way to ensure adoption, enforcement, and effectiveness. By far, this is the preferred approach when possible. Automated controls work the same way every time. That means controls are consistently applied and often executed faster than humans can achieve. Human judgment is expensive and inconsistent. You must train individuals to know what to do. Even then, consistency depends on alert individuals who don’t get tired or distracted. Consequently, automated controls are cost efficient for large volumes of work that need to be performed consistently.

Another advantage is reporting and monitoring. Automated controls can easily be configured to log and track activity. The same level of data collection performed by a person would be time consuming and subject to errors. The time component is important. Automated controls tend to be in real time, allowing processes to have self-service capability and reporting instantly.

For example, access to a low-risk application may be preapproved. As a result, an individual might be able to go to a self-service site that reviews the request and automatically grants access. With a manual process, a request would have to be submitted to someone to determine whether it is approved.

It’s not uncommon for manual access requests to take days or weeks, depending on staffing availability, backlog, implementation complexity, and the number of approvals required. Automation can significantly reduce that time in the following areas:

  • Appropriate request—Automated controls can validate that the request is complete and does not violate any policy requirements such as segregation of duties.
  • Approval workflow—Automated controls can route a request to those who must approve it as quickly as possible; electronic approval is a common practice for many security requests.
  • Implementation—Automatic controls can implement a change once it’s approved.
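The three automated steps above (completeness check, segregation-of-duties check, then preapproval or routing to an approver) as an added Python example; it is not from the text, and the conflict pairs, preapproved applications and request fields are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical segregation-of-duties conflicts: no single person may hold
# both roles of a pair (constructed for illustration).
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payroll_edit", "payroll_approve"}),
}
# Hypothetical low-risk applications whose access is preapproved by policy.
PREAPPROVED_APPS = {"intranet_wiki", "cafeteria_menu"}
REQUIRED_FIELDS = ("requester", "app", "roles", "justification")


@dataclass
class Decision:
    status: str                  # "granted", "routed", or "rejected"
    reasons: list = field(default_factory=list)


def validate_request(request: dict, current_roles: set) -> Decision:
    """Automated request handling: completeness, SoD, then preapproval or routing."""
    # Step 1: the request must be complete before anyone spends time on it.
    missing = [f for f in REQUIRED_FIELDS if not request.get(f)]
    if missing:
        return Decision("rejected", [f"incomplete: missing {', '.join(missing)}"])

    # Step 2: the requested roles, combined with what the user already holds,
    # must not violate segregation of duties.
    combined = current_roles | set(request["roles"])
    violations = [sorted(pair) for pair in SOD_CONFLICTS if pair <= combined]
    if violations:
        return Decision(
            "rejected",
            [f"segregation of duties: {a} conflicts with {b}" for a, b in violations],
        )

    # Step 3: preapproved low-risk access is granted immediately (self-service);
    # everything else is routed to the approval workflow.
    if request["app"] in PREAPPROVED_APPS:
        return Decision("granted", ["preapproved low-risk application"])
    return Decision("routed", ["requires approver sign-off"])
```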

An automated control is configured into a device to enforce a security policy. Here’s a short list of several common automated controls:

  • Authentication methods
  • Authorization methods
  • Data encryption
  • Logging events
  • Data segmentation
  • Network segmentation

The number of automated controls is limited only by the technology’s capability. Continued improvement in technology allows for more automation. The biggest challenge isn’t the automation but the deployment.

Consider an example where a policy says that a user must change his or her password every 30 days. A central authentication server exists within the environment. The challenge is how to configure every device to use the authentication server. The IT environment can have thousands of devices. Each may have to be configured. Once configured, these devices have to be monitored to ensure the configuration is not changed. As new devices are added, the same configuration has to be applied to every device from servers to smartphones. The configuration of an automated control may be simple. Applying it consistently becomes the major challenge. The problem gets more complicated as the number of automated controls increases. The diversity of the technology in the environment can make supporting the automated controls more complex. Consequently, automation is the practical solution to implement this security policy.

Many commercial products come with enterprise management software to solve this automation challenge. Central policy management software is designed specifically for this purpose. These types of applications create policy rules on a central server. These rules are then sent to the various devices via an agent or agent-less architecture.

Automated policy management tools take security policies and implement them as configuration updates. Once the device is configured, the automated control enforces the policy. The enforcement can be a preventive or detective control. Either way, the control is automated. The control either prevents an event that is outside policy or detects that an event occurred. Our example of a policy that requires a password to be changed every 30 days is typically a preventive control. The central authentication server forces users to change their password at the end of 30 days.

Policy management tools also correlate large amounts of data. They can discover devices on the network. They can track which device has the policies applied. These tools can also monitor for policy violations. The tool can identify devices that do not have the policy applied. These tools identify the existing configuration to compare with the desired policy state. Deviation from policies can be corrected automatically. This is a powerful tool. Auditors and regulators often request extracts from the policy management tools. This extract can help them assess the level of policy compliance.
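The compare-and-correct loop described above (desired policy state versus each device's reported configuration, deviation flagged and corrected, a per-device extract for auditors) as an added Python example for the 30-day password policy; it is not part of the text, and the device inventory and server name are constructed.

```python
from dataclasses import dataclass

# Desired policy state held on the central policy server (constructed values).
POLICY = {"password_max_age_days": 30, "auth_server": "auth.example.internal"}

# Constructed inventory: the configuration each managed device currently reports.
INVENTORY = {
    "srv-db-01":  {"password_max_age_days": 30, "auth_server": "auth.example.internal"},
    "srv-web-02": {"password_max_age_days": 90, "auth_server": "auth.example.internal"},
    "phone-117":  {"auth_server": "auth.example.internal"},   # password setting missing
    "laptop-42":  {"password_max_age_days": 30, "auth_server": "localhost"},
}


@dataclass
class Finding:
    device: str
    setting: str
    actual: object
    expected: object


def audit(inventory: dict, policy: dict) -> list[Finding]:
    """Detective control: compare each device's configuration with the policy."""
    findings = []
    for device, config in inventory.items():
        for setting, expected in policy.items():
            actual = config.get(setting)
            # A missing setting is a deviation.  For numeric limits a weaker
            # value (90 days vs 30) deviates while a stricter one is accepted;
            # other settings must match exactly.
            if actual is None:
                deviates = True
            elif isinstance(expected, int):
                deviates = actual > expected
            else:
                deviates = actual != expected
            if deviates:
                findings.append(Finding(device, setting, actual, expected))
    return findings


def remediate(inventory: dict, findings: list[Finding]) -> dict:
    """Corrective step: push the policy value back to every deviating device."""
    fixed = {device: dict(config) for device, config in inventory.items()}
    for f in findings:
        fixed[f.device][f.setting] = f.expected
    return fixed


def compliance_report(inventory: dict, policy: dict) -> dict:
    """Extract of the kind an auditor would request: one status per device."""
    deviating = {f.device for f in audit(inventory, policy)}
    return {d: ("non-compliant" if d in deviating else "compliant") for d in inventory}
```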

TIP

Many administrator tools can support policy management. You can use administrator tools as a first step in policy management.

What Manual Security Controls Assist with Enforcement?

Not all controls can or should be automated. Manual controls are appropriate for low-volume work. They're also appropriate for work that requires human judgment. Examples of manual controls are:

  • Background checks
  • Log reviews
  • Access rights reviews
  • Attestations

In each of these cases, volumes are low, and human judgment is important to the process. It is important that manual processes be clear. This means that both the steps and the criteria for the judgment are clearly defined.

Take a look at background checks as a manual control. The process should be clear as to how to collect the information for the background check. The criteria should also be defined. For many jobs, minor traffic violations are acceptable. For other jobs, such as commercial drivers, any traffic violation may be considered unacceptable. A clearly defined security policy ensures everyone is treated equally on background checks. This can avoid legal problems.

TIP

All too many companies either do not perform background checks or do so inadequately. The number of people who exaggerate or outright lie about credentials on their resume/application is surprising. Beyond that, this author is personally aware of two instances of an employee at a company with access to sensitive, even financial data, wherein the employee had a felony criminal record. In both cases, the employer had inadequate background checks.

A human can review logs for unusual activity that is difficult to automate. For example, when a programmer is granted elevated rights to fix a production problem, logs are often reviewed to determine if the programmer performed an activity that exceeded the scope of the fix. For instance, the log review may check whether the programmer changed account data in a database. These types of changes to fix an application may be unusual and require management follow-up.

Access rights include a review by the business to ensure adequate separation of duties. This type of review is manual and requires knowledge of how the business operates. Based on this knowledge, a reasonable balance is struck between operational efficiency and reducing risks.

An attestation is a formal management verification. Management is attesting that a condition exists. Some regulations require management to attest that security policies and controls are in place; for example, SOX requires this type of attestation from senior management.

When someone makes an attestation, they are personally liable for the accuracy of the statement. This is a way the law holds management accountable to ensure appropriate controls are put in place. Making a false statement is often a crime; however, making a statement you believe is true that later turns out to be false may be defendable. How defendable depends on the information on which you based the statement. It's not whether you knew but whether you should have known. In other words, simply asking someone if the controls are in place is not sufficient.
