Compliance Controls: Clearing Up the Confusion

Written by Kyle Morris, Senior Compliance Success Manager, Scytale

Within compliance, cloud security, and controls in general, there are a lot of requirements. Different controls address different security concerns and aspects, and there are specific criteria within compliance frameworks that require specific control elements to be implemented and tested, to ensure compliance.

This sounds rather confusing already, so let’s simplify it with an example.

Let’s look at SOC 2. Within SOC 2, there are five TSCs. Let’s consider the common criteria, Security. Furthermore, let’s consider COSO Principle 1.2, which states “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” To prove that you adhere to, and address this principle, you need to implement controls. 

The purpose of any control is to mitigate risk. In the above example, think “What is the risk if there is not a board meeting?”. While it may not be as easy to identify when compared to the risk of having no system or access security controls, there are risk areas surrounding independence, executive decision-making, and system performance. When you look at it that way, the lack of this control could have a significant impact on the organization, and over time.

Let’s look at a simple example of the Board Meeting control. Having an implemented and performed board meeting would address this principle requirement.

As you can see, a type of ‘waterfall’ method can be applied to ‘unpacking’ control requirements for different audits, and while it may look confusing in words, the reality is that there are principles that require controls to address security concerns.

In this article, we are going to attempt to unpack and simplify some concepts within cloud environments, and organizational IT security controls as a whole. 

IAM vs IdP

What is IAM and IdP?

Let’s begin with IAM. IAM stands for Identity and Access Management. IAM describes the overall category of identity management solutions that are ultimately used to manage access to IT resources, as well as user identities. Included within an IAM is the IdP (which we will get to shortly), IDaaS (identity as a service), Privileged Identity/ Access Management (PIM/PAM), and Multi/Two-factor Authentication. There are different ways in which IAM systems are used. They can be utilized on a subscription basis, through a third-party vendor (an increasingly popular option), or hosted on-prem on the organizational system. There is of course the potential and ability to combine these two as well.

In a simplistic explanation, an IAM includes:

  • The mechanisms to make any changes to individuals and roles within a system, including adding, removing, and modifying access
  • The processes of how individuals are identified in the system
  • Role assignment and identification
  • Access levels, including individual access or group-based access
  • Sensitive data protection.

As you can see, the IAM encompasses a variety of security and access considerations.

Onto the IdP then. As mentioned above already, this is the identity provider (also referred to as directory services). An IdP is a subcategory of the IAM and focuses on managing core user identities. Well it may seem like an IdP is small and insignificant in comparison to an IAM, it lays the foundation of an IT organization’s overall identity management infrastructure and this is SUPER important.

In the modern-day world of vendor cloud providers, it is very common practice that organizations utilize such services for access and identity security. AWS, GCP, and MS Azure all have product offerings that address IAM and IdP requirements and security concerns.

However, there is no mandatory requirement or restriction with such services and it is commonly observed that customers have a combination of products. For example, an organization may have AWS as its primary vendor cloud provider. They could then make use of the IAM offers within this, but perhaps they use Google services as well and have Google Workspace as their IdP, or even Okta. An organization should choose a product that suits them best.

Why does an organization need IAM and IdP and what security risks do they address?

As already mentioned, IAM manages access and:

  • Ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs
  • Enforces best credential management practices
  • Limits the impact and materialization of insider threat (resource limitation)
  • Enforces multi-factor security.
  • Results in increased productivity, as they automate the identity lifecycle (new hires, transitions, terminations).

IdP manages user identity specifically, which:

  • Is one part of an IAM (a critical part)
  • Is essentially a DB that stores user identities
  • Comprises user name, PWs, biometrics, etc.
  • Allows IT to connect users to the resources they need

Traditional Firewall vs WAF vs IPS

Next, we will consider and clarify the differences between these three concepts. All three of these are what we in the compliance and audit world refer to as, preventative controls. As the name suggests, this prevents an event from occurring. More specifically, it prevents unauthorized inbound or outbound network traffic, based on configured and predetermined rules.

Think of these as border control. When traffic wants to pass through, it is first inspected. If it meets the passing criteria, and all the ‘documentation’ checks out, it is allowed through. If not, access is denied and you can go no further. This is the concept of a firewall. An organization will configure and define IP addresses and ports that are permitted within the network. It is a security mechanism.

Now, we added WAF to the list. Let’s first elaborate on this. A WAF is a Web Application Firewall. 

Why do we need a WAF? 

Well, technology has significantly evolved since firewalls were first introduced and so the security mechanisms need to as well. A traditional firewall protects IP Addresses and ports. A WAF in comparison provides protection at a web application layer (one layer above IP addresses).

So who is a WAF applicable to?

Very simple answer here. If you are running web servers, or have a web-based platform, product, or solution, that may be susceptible to an attack in this manner, a WAF is a great security consideration for you. 

Finally, IPS. 

Ok, what is an IPS?

IPS = Intrusion Prevention System. This is a network security tool that can be either a hardware (physical device), or a software tool. The purpose of it is to continually monitor a network for any malicious activity, and as the name suggests – prevent it. This prevention can include reporting (notifying), blocking, or dropping the activity – whichever is deemed most appropriate in the situation.

There are four main types of IPS

Wireless intrusion prevention system (WIPS): 

This monitors a wireless network for suspicious traffic. Wireless network protocols are analyzed.

Host-based intrusion prevention system (HIPS): 

This is an inbuilt software package that operates a single host. It is scanned or monitored by inspecting events that take place within that host, and noting when suspicious events occur.

Network behavior analysis (NBA): 

It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware, and policy violations. 

Network-based intrusion prevention system (NIPS): 

This functions by monitoring the entire network for suspicious traffic. This is performed by protocol activity analysis.

That is a lot of info. Let’s simplify these three concepts with a diagram and brief explanation.

FirewallDecides whether to permit or block the network traffic based on IP addresses or port numbers.
WAFDecides whether to permit or block the network traffic based on the contents of communication on the application layer.
IPSMonitors traffic that travel across the OS and network to prevent unauthorized communications and changes.
Learning about technical security controls.

IPS vs IDS

Didn’t we just talk about this? Well, not quite. We did cover IPS, but not IDS. 

What’s the difference between IPS and IDS?

IPS = Intrusion PREVENTION System

IDS = Intrusion DETECTION System

But wait. What does it help to simply detect a vulnerability, if it isn’t going to be stopped?

The purpose of the IDS is slightly more complex than this. Unfortunately, in this day and age, no network is impenetrable. There are new methods of attack surfacing frequently, and attack methods are becoming increasingly sophisticated. An IDS is critical as it enables an organization (and IT/security personnel specifically) to be notified when an attack may be occurring. This allows the security team to ‘get the jump’ on the attack, and deploy the implemented and defined prevention techniques. 

Additionally, an IDS gives great insight into network traffic and the associated analytics, which can be hugely helpful in configuring security protocols to prevent attacks or threats. It analyzes the amount and types of attacks. This information can be used to change your security systems or implement new and more effective controls. It can also be analyzed to identify bugs or network device configuration problems

IDS sensors can also detect network devices and hosts, and so they can inspect the data within the network packets and identify the services or operating systems, which increases the efficiency of the system as a whole.

Of course, an IDS serves the purpose of ‘detecting’ (gives increased visibility), and an IPS to ‘prevent’ (gives greater control) a security threat, system vulnerability, or network attack. 

Should I choose IPS or IDS?

Both. More security is better than less. When used in conjunction, the best security is defined. One such configuration example could be to use an IDS as a network analyzing tool, and the IPS as the active network security tool. 

Let’s take a look at a simplified diagrams to make it easier to understand:


Book a Demo