
Compliance Controls: Clearing Up the Confusion

Kyle Morris

Head of GRC


In compliance and cloud security, controls play a critical role. These controls ensure the organization follows specific standards and frameworks required for maintaining security. But what exactly are compliance controls, and why are they so crucial?

TL;DR
  • Compliance controls are essential for ensuring that organizations meet security and regulatory standards.
  • Implementing control standards helps manage risks and meet critical security compliance and data privacy frameworks like SOC 2 and ISO 27001.
  • Different control types (preventive, detective, and corrective) work together to mitigate security threats, saving companies from steep penalties and data breaches.

What are compliance controls?

To put it simply, controls are measures organizations implement to reduce risks and meet compliance requirements. Different controls serve different purposes depending on the framework you follow.

For instance, consider SOC 2, one of the most widely recognized frameworks in the U.S. Within SOC 2 there are five Trust Service Principles (TSP), of which Security is mandatory. Now take COSO Principle 1.2 in SOC 2, which stresses that the board of directors must maintain independence from management and oversee the development and performance of internal controls. To comply with this, a control must be established that ensures regular board meetings to assess risks and decisions.

The importance of control compliance

In this context, control compliance refers to ensuring that the implemented controls meet the required standards to maintain a compliant system. When you apply these controls, such as a board meeting schedule, you are following the compliance control standards set by security and data privacy frameworks like SOC 2. These actions keep your company compliant and reduce the risk of penalties or data breaches, which illustrates the underlying point: the purpose of any control is to mitigate risk.

Managing compliance risks in your organization

In any organization, compliance risks can stem from a variety of areas, some of which may not be immediately obvious. For example, we may ask, “What is the risk if there is no board meeting?” While it may not be as easy to identify when compared to the risk of having inadequate system security or unauthorized access, risks surrounding independence, executive decision-making, and system performance can have a major impact on the organization over time. These risks can manifest in the form of poor oversight, lack of accountability, and weak decision-making processes.

This is where implementing compliance controls becomes crucial. Preventive, detective, and corrective controls work together to identify, mitigate, and correct potential risks in an organization’s systems and processes. Let’s break these down further:

How compliance controls address risks at every stage

Control Type       | Purpose                                    | Example
-------------------|--------------------------------------------|------------------------------------------
Preventive Control | Prevents an event from occurring.          | Firewalls, Identity Access Management
Detective Control  | Detects security events after they occur.  | Intrusion Detection Systems (IDS)
Corrective Control | Mitigates or fixes issues after detection. | Patch management, restoring from backups

By categorizing controls into preventive, detective, and corrective, your organization can effectively address risks at each stage of a potential incident:

  • Preventive controls aim to stop issues before they occur, such as firewalls that block unauthorized access to your network.
  • Detective controls help identify when an issue occurs, like intrusion detection systems (IDS) that monitor network traffic for suspicious activity.
  • Corrective controls help resolve issues after they have been detected, such as patch management that fixes vulnerabilities in your systems.

Example: The board meeting control

To clarify this further, let’s look at a simple example: the Board Meeting control. A board meeting that is both implemented and actually performed addresses the requirement of this principle. Just like the preventive, detective, and corrective controls mentioned earlier, this board meeting control serves as a necessary measure to ensure compliance with broader security and governance principles.
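The board meeting control is easiest to reason about when it is turned into a test that can be run against evidence. The script below is an added example, not code from the article or from Scytale: it assumes a quarterly cadence for "regular" meetings (the article does not fix a cadence) and assumes each minutes record carries an approval flag and a risk-review flag. The evidence itself is constructed.

```python
from datetime import date

# Constructed sample evidence: board meeting minutes collected for one review
# period. Made-up values, not data from any real audit.
MEETING_EVIDENCE = [
    {"date": date(2024, 1, 18), "minutes_approved": True, "risk_review": True},
    {"date": date(2024, 4, 25), "minutes_approved": True, "risk_review": True},
    {"date": date(2024, 7, 10), "minutes_approved": False, "risk_review": True},
    # no meeting evidence at all for Q4 2024
]


def quarter_of(d):
    """Map a date to its (year, quarter) tuple."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarters_in(period_start, period_end):
    """List every (year, quarter) that the review period touches."""
    quarters = []
    year, quarter = quarter_of(period_start)
    last = quarter_of(period_end)
    while (year, quarter) <= last:
        quarters.append((year, quarter))
        year, quarter = (year + 1, 1) if quarter == 4 else (year, quarter + 1)
    return quarters


def evaluate_board_meeting_control(evidence, period_start, period_end):
    """Test the 'regular board meeting' control for a review period.

    Assumed pass condition (quarterly cadence is an assumption of this example):
    every quarter has at least one meeting whose minutes were approved and
    whose agenda included a risk review. Returns the overall verdict plus a
    per-quarter finding so an auditor can see exactly where the gap is."""
    findings = {}
    for quarter in quarters_in(period_start, period_end):
        held = [m for m in evidence
                if period_start <= m["date"] <= period_end
                and quarter_of(m["date"]) == quarter]
        if not held:
            findings[quarter] = "no meeting evidence"
        elif not any(m["minutes_approved"] for m in held):
            findings[quarter] = "meeting held but minutes not approved"
        elif not any(m["minutes_approved"] and m["risk_review"] for m in held):
            findings[quarter] = "approved minutes lack risk review"
        else:
            findings[quarter] = "pass"
    exceptions = {q: f for q, f in findings.items() if f != "pass"}
    return {"effective": not exceptions, "findings": findings, "exceptions": exceptions}


if __name__ == "__main__":
    result = evaluate_board_meeting_control(MEETING_EVIDENCE, date(2024, 1, 1), date(2024, 12, 31))
    print("control effective:", result["effective"])
    for quarter, finding in sorted(result["findings"].items()):
        print(f"{quarter[0]} Q{quarter[1]}: {finding}")
```

Run against the constructed evidence, Q1 and Q2 pass, Q3 is an exception because the minutes were never approved, and Q4 is an exception because no meeting happened; the control is therefore reported as not effective for the period, with the two exceptions listed. The same shape (evidence in, per-period finding out) is what a continuous control-monitoring check looks like for any periodic control.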

[Figure: SOC 2 compliance control example]

As you can see, a ‘waterfall’ method can be applied to ‘unpacking’ control requirements for different audits. It may seem confusing in words, but the reality is simple: there are principles, and those principles require controls that address security concerns.

In this article, we will attempt to unpack and simplify some concepts within cloud environments and organizational IT security controls as a whole. Let’s dive in!

IAM vs IdP

What is IAM and IdP?

Let’s begin with IAM. IAM stands for Identity and Access Management. IAM describes the overall category of identity management solutions that are used to manage user identities and access to IT resources. Included within IAM are the IdP (which we will get to shortly), IDaaS (identity as a service), Privileged Identity/Access Management (PIM/PAM), and Multi/Two-factor Authentication.

IAM systems can be deployed in different ways. They can be consumed on a subscription basis through a third-party vendor (an increasingly popular option), or hosted on-prem on the organization’s own systems. The two can of course be combined as well.

In a simplistic explanation, an IAM includes:

  • The mechanisms to make any changes to individuals and roles within a system, including adding, removing, and modifying access
  • The processes of how individuals are identified in the system
  • Role assignment and identification
  • Access levels, including individual access or group-based access
  • Sensitive data protection.

As you can see, the IAM encompasses a variety of security and access considerations.

On to the IdP. As mentioned above, this is the identity provider (also referred to as directory services). An IdP is a subcategory of IAM and focuses on managing core user identities. While it may seem like an IdP is small and insignificant in comparison to an IAM, it lays the foundation of an IT organization’s overall identity management infrastructure, and this is SUPER important.

In today’s world of cloud vendors, it is common practice for organizations to use such services for access and identity security. AWS, GCP, and MS Azure all have product offerings that address IAM and IdP requirements and security concerns.

However, there is no mandatory requirement to use a single vendor’s services, and customers commonly run a combination of products. For example, an organization may have AWS as its primary cloud provider. It could then make use of the IAM offering within AWS, but perhaps it uses Google services as well and has Google Workspace as its IdP, or even Okta. An organization should choose the products that suit it best.


Why does an organization need IAM and IdP, and what security risks do they address?

As already mentioned, IAM manages access and:

  • Ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs
  • Enforces best credential management practices
  • Limits the likelihood and impact of insider threats by restricting what each identity can reach
  • Enforces multi-factor security.
  • Increases productivity by automating the identity lifecycle (new hires, transitions, terminations).

IdP manages user identity specifically, which:

  • Is one part of an IAM (a critical part)
  • Is essentially a database that stores user identities
  • Holds usernames, passwords, biometrics, etc.
  • Allows IT to connect users to the resources they need
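The split between the two is clearest in code. The toy below is an added example, not code from the article or from any vendor it names: the IdP owns the identity records and answers "who is this?", while the IAM layer owns role and group assignment, the MFA requirement for privileged actions, and the termination step of the identity lifecycle. Assumptions: the second factor is a stored stand-in code rather than a real TOTP/WebAuthn check, and the users, roles and permissions are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict


class IdentityProvider:
    """The IdP: the directory of core user identities plus authentication.
    Assumption: the MFA 'code' is a stand-in for a real enrolled factor."""

    def __init__(self):
        self.users = {}

    def create_user(self, username, password, mfa_code=None):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "mfa_code": mfa_code,
            "active": True,
        }

    def disable_user(self, username):
        self.users[username]["active"] = False

    def authenticate(self, username, password, mfa_code=None):
        """Return an identity assertion, or None when authentication fails."""
        rec = self.users.get(username)
        if rec is None or not rec["active"]:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["hash"]):
            return None
        mfa_ok = rec["mfa_code"] is not None and mfa_code == rec["mfa_code"]
        return {"username": username, "mfa_verified": mfa_ok}


class AccessManager:
    """The IAM layer: role and group assignment, the access decision, and the
    offboarding step of the lifecycle. It asks the IdP who the user is, then
    decides what that identity may reach."""

    ROLE_PERMISSIONS = {                       # constructed role model
        "engineer": {"repo:read", "repo:write"},
        "finance": {"ledger:read"},
        "admin": {"repo:read", "repo:write", "ledger:read", "prod-db:admin"},
    }
    GROUP_ROLES = {"platform-team": {"engineer"}}   # group-based access
    PRIVILEGED = {"prod-db:admin"}                   # permissions that require MFA

    def __init__(self, idp):
        self.idp = idp
        self.roles = defaultdict(set)
        self.groups = defaultdict(set)
        self.audit = []

    def assign_role(self, username, role):
        self.roles[username].add(role)

    def add_to_group(self, username, group):
        self.groups[username].add(group)

    def effective_permissions(self, username):
        """Union of permissions from directly assigned roles and group roles."""
        roles = set(self.roles[username])
        for group in self.groups[username]:
            roles |= self.GROUP_ROLES.get(group, set())
        perms = set()
        for role in roles:
            perms |= self.ROLE_PERMISSIONS.get(role, set())
        return perms

    def offboard(self, username):
        """Termination: disable the identity at the IdP and revoke IAM assignments."""
        self.idp.disable_user(username)
        self.roles.pop(username, None)
        self.groups.pop(username, None)

    def authorize(self, username, password, permission, mfa_code=None):
        """Return (allowed, reason). Authentication is delegated to the IdP;
        the permission and MFA checks are IAM policy."""
        identity = self.idp.authenticate(username, password, mfa_code)
        if identity is None:
            decision = (False, "authentication failed")
        elif permission not in self.effective_permissions(username):
            decision = (False, "no role grants this permission")
        elif permission in self.PRIVILEGED and not identity["mfa_verified"]:
            decision = (False, "mfa required for privileged access")
        else:
            decision = (True, "allowed")
        self.audit.append((username, permission, decision[1]))
        return decision


def build_demo():
    """Constructed tenant: two users, one group, no real credentials."""
    idp = IdentityProvider()
    idp.create_user("alice", "correct horse battery staple")
    idp.create_user("bob", "b0b-passphrase-example", mfa_code="123456")
    iam = AccessManager(idp)
    iam.add_to_group("alice", "platform-team")
    iam.assign_role("bob", "admin")
    return idp, iam
```

Walking through `build_demo()`: alice gets `repo:write` purely through group membership, is refused `prod-db:admin` because no role grants it, and bob is refused the same permission until he presents his second factor. After `iam.offboard("bob")` every request from bob fails at the IdP before IAM policy is even consulted, which is the point of automating the lifecycle: one offboarding call closes both the identity and its entitlements.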

Traditional Firewall vs WAF vs IPS

Next, we will consider and clarify the differences between these three concepts.

All three of these are what we in the compliance and audit world refer to as preventative controls. As the name suggests, these prevent an event from occurring. More specifically, they prevent unauthorized inbound or outbound network traffic, based on configured and predetermined rules.

Think of these as border control. When traffic wants to pass through, it is first inspected. If it meets the passing criteria, and all the ‘documentation’ checks out, it is allowed through. If not, access is denied and you can go no further. This is the concept of a firewall. An organization will configure and define IP addresses and ports that are permitted within the network. It is a security mechanism.

Now, we added WAF to the list. Let’s first elaborate on this. A WAF is a Web Application Firewall.

Why do we need a WAF? 

Well, technology has evolved significantly since firewalls were first introduced, and so the security mechanisms need to as well. A traditional firewall protects IP addresses and ports. A WAF, in comparison, provides protection at the web application layer (one layer above IP addresses).

Who is a WAF applicable to?

Very simple answer here. If you are running web servers, or have a web-based platform, product, or solution that may be susceptible to application-layer attacks, a WAF is a great security consideration for you.

What is an IPS?

Finally, IPS.

IPS = Intrusion Prevention System. This is a network security tool that can be either a hardware (physical device), or a software tool. The purpose of it is to continually monitor a network for any malicious activity, and as the name suggests – prevent it. This prevention can include reporting (notifying), blocking, or dropping the activity – whichever is deemed most appropriate in the situation.

The four main types of Intrusion Prevention Systems (IPS)

  • Wireless intrusion prevention system (WIPS): This monitors a wireless network for suspicious traffic. Wireless network protocols are analyzed.
  • Host-based intrusion prevention system (HIPS): This is an inbuilt software package that operates on a single host. It monitors that host by inspecting the events that take place within it and noting when suspicious events occur.
  • Network behavior analysis (NBA): This examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware, and policy violations.
  • Network-based intrusion prevention system (NIPS): This functions by monitoring the entire network for suspicious traffic. This is performed by protocol activity analysis.

That is a lot of info. Let’s simplify these key concepts with a table:

Tool     | Function                                                                          | Use Case
---------|-----------------------------------------------------------------------------------|------------------------------------
Firewall | Controls access based on IP addresses or port numbers.                            | Basic network security.
WAF      | Controls access based on the contents of communication on the application layer.  | E-commerce sites, online platforms.
IPS      | Monitors and prevents malicious activities across the OS and network.             | Advanced network defense.
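To make the firewall-versus-WAF distinction concrete, here is an added example (not code from the article) that runs constructed requests through both layers in order. The firewall rules and the WAF signatures are simplified, made-up policy in the style of a default-deny allowlist and a small rule set; real products use far larger signature sets and anomaly scoring. The key observation it demonstrates is that a request can satisfy every network-layer rule (allowed source, allowed port) and still be blocked because of what it contains.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed layer 3/4 policy (not a real configuration): default deny,
# HTTPS open to everyone, SSH only from the internal range.
FIREWALL_RULES = [
    {"src": "0.0.0.0/0", "dst_port": 443},
    {"src": "10.0.0.0/8", "dst_port": 22},
]
HTTP_PORTS = {80, 443}   # only web traffic is handed to the WAF

# Constructed layer 7 signatures in the style of a WAF rule set. The request is
# URL-decoded first so that encoded variants of the same pattern are caught.
WAF_SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_tautology": re.compile(r"""['"]\s*or\s+['"]?\d+['"]?\s*=\s*['"]?\d+""", re.IGNORECASE),
    "script_injection": re.compile(r"<\s*script", re.IGNORECASE),
}


def firewall_allows(src_ip, dst_port):
    """Traditional firewall decision: allow only when a rule matches both the
    source network and the destination port; everything else is denied."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(rule["src"]) and rule["dst_port"] == dst_port
               for rule in FIREWALL_RULES)


def waf_inspect(request):
    """WAF decision: look at what the request says, not where it comes from.
    Returns the names of the matching signatures (empty list = clean)."""
    text = " ".join(unquote(request.get(field, "")) for field in ("path", "query", "body"))
    return [name for name, pattern in WAF_SIGNATURES.items() if pattern.search(text)]


def process(request):
    """Run one request through both controls in order and report which control
    made the decision."""
    if not firewall_allows(request["src_ip"], request["dst_port"]):
        return {"action": "drop", "by": "firewall", "reasons": ["no matching allow rule"]}
    if request["dst_port"] in HTTP_PORTS:
        hits = waf_inspect(request)
        if hits:
            return {"action": "block", "by": "waf", "reasons": hits}
    return {"action": "allow", "by": None, "reasons": []}


# Constructed sample traffic; addresses come from documentation ranges.
SAMPLE_REQUESTS = [
    {"src_ip": "203.0.113.5", "dst_port": 22, "path": "", "query": ""},               # external SSH
    {"src_ip": "10.1.2.3", "dst_port": 22, "path": "", "query": ""},                  # internal SSH
    {"src_ip": "203.0.113.5", "dst_port": 443, "path": "/products", "query": "id=42"},  # ordinary request
    {"src_ip": "203.0.113.5", "dst_port": 443, "path": "/products",
     "query": "id=42%27%20OR%201%3D1"},                                               # passes firewall, fails WAF
    {"src_ip": "203.0.113.5", "dst_port": 443, "path": "/static/..%2F..%2Fconfig.yml", "query": ""},
]


def run_samples():
    """Decide every sample request; returned in the same order as the input."""
    return [process(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, run_samples()):
        print(req["src_ip"], req["dst_port"], req["path"], "->", result)
```

The first request is dropped by the firewall (SSH from outside), the second is allowed (SSH from the internal range, and the WAF never sees it), and the last two are allowed by the firewall but blocked by the WAF. In a real deployment the `reasons` field is what feeds your detective controls: which signature fired, and how often, is exactly the analytics an IDS or SIEM would collect.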


IPS vs IDS

Didn’t we just talk about this? Well, not quite. We did cover IPS, but not IDS. 

What’s the difference between IPS and IDS?

  • IPS = Intrusion PREVENTION System
  • IDS = Intrusion DETECTION System

But wait. What good does it do to simply detect a vulnerability if it isn’t going to be stopped?

The purpose of the IDS is slightly more complex than this. Unfortunately, in this day and age, no network is impenetrable. There are new methods of attack surfacing frequently, and attack methods are becoming increasingly sophisticated – especially with the rise in emerging tech like AI. An IDS is critical as it enables an organization (and IT/security personnel specifically) to be notified when an attack may be occurring. This allows the security team to ‘get the jump’ on the attack, and deploy the implemented and defined prevention techniques. 

Additionally, an IDS gives great insight into network traffic and the associated analytics, which can be hugely helpful in configuring security protocols to prevent attacks or threats. It analyzes the amount and types of attacks. This information can be used to change your security systems or implement new and more effective controls. It can also be analyzed to identify bugs or network device configuration problems.

IDS sensors can also discover network devices and hosts: by inspecting the data within network packets they can identify the services or operating systems in use, which increases the efficiency of the system as a whole.

Of course, an IDS serves the purpose of ‘detecting’ (providing increased visibility), and an IPS serves to ‘prevent’ (providing greater control) a security threat, system vulnerability, or network attack. 

Should I choose IPS or IDS for better network security?

Both. More security is always better than less, and the best security is achieved when the two are used in conjunction. One example configuration uses an IDS as a network analysis tool and an IPS as the active network security tool.
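The difference between detecting and preventing is a difference in what the tool is allowed to do with the same verdict. The example below is added here and is not code from the article: one detection engine, run once in IDS mode (alerts and attack statistics only, nothing dropped) and once in IPS mode (the same alerts, plus traffic from a flagged source is dropped from that point on). The flow log, the two heuristics (repeated authentication failures from one source, one source touching many distinct ports) and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict


def build_sample_flows():
    """Constructed flow log, not a real capture: one source with repeated SSH
    authentication failures, one source touching many ports, one normal client."""
    flows = []
    for _ in range(8):
        flows.append({"src": "198.51.100.7", "dst_port": 22, "outcome": "auth_fail"})
    for port in range(1000, 1020):
        flows.append({"src": "198.51.100.9", "dst_port": port, "outcome": "syn"})
    for _ in range(5):
        flows.append({"src": "192.0.2.10", "dst_port": 443, "outcome": "ok"})
    return flows


class IntrusionEngine:
    """One detection engine, two modes. 'ids' only records alerts and analytics
    (visibility); 'ips' additionally drops traffic from a source once that
    source has been flagged (control). Thresholds are assumptions."""

    def __init__(self, mode, fail_threshold=5, port_threshold=15):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.fail_threshold = fail_threshold
        self.port_threshold = port_threshold
        self.auth_failures = Counter()      # per-source failed logins
        self.ports_seen = defaultdict(set)  # per-source distinct destination ports
        self.flagged = set()                # (src, signature) pairs already alerted on
        self.alerts = []                    # alert records, in order
        self.stats = Counter()              # alerts per signature: the attack analytics

    def _detect(self, flow):
        """Update per-source state and return the signatures the flow trips."""
        src = flow["src"]
        if flow["outcome"] == "auth_fail":
            self.auth_failures[src] += 1
        self.ports_seen[src].add(flow["dst_port"])
        hits = []
        if self.auth_failures[src] >= self.fail_threshold:
            hits.append("credential_brute_force")
        if len(self.ports_seen[src]) >= self.port_threshold:
            hits.append("port_sweep")
        return hits

    def handle(self, flow):
        """Return 'pass' or 'drop' for one flow. Only IPS mode ever drops."""
        src = flow["src"]
        for signature in self._detect(flow):
            if (src, signature) not in self.flagged:
                self.flagged.add((src, signature))
                self.alerts.append({"src": src, "signature": signature})
                self.stats[signature] += 1
        if self.mode == "ips" and any(s == src for s, _ in self.flagged):
            return "drop"
        return "pass"


def run(mode, flows):
    """Feed a flow log through the engine in the given mode and summarize."""
    engine = IntrusionEngine(mode)
    verdicts = Counter(engine.handle(flow) for flow in flows)
    return {
        "alerts": engine.alerts,
        "stats": dict(engine.stats),
        "passed": verdicts["pass"],
        "dropped": verdicts["drop"],
    }


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        summary = run(mode, build_sample_flows())
        print(mode.upper(), "passed:", summary["passed"], "dropped:", summary["dropped"],
              "stats:", summary["stats"])
```

Both runs raise the same two alerts and produce the same statistics, which is the IDS's contribution: visibility and analytics you can feed back into your rules. Only the IPS run drops anything, and it drops the traffic that arrives after a source crosses a threshold, not the traffic before it; that is why the article's combined layout (IDS for analysis, IPS as the active control) is more useful than either alone, since the IDS keeps seeing and counting what the IPS has already started dropping.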

Let’s take a look at a simplified diagram to make it easier to understand:

[Figure: IPS vs IDS for better network security diagram]

By understanding and implementing control compliance, businesses can create a secure, risk-averse environment that aligns with global standards. From compliance control mechanisms like IAM and IdP to advanced security tools, these controls ensure systems stay compliant and protected from various threats.

At Scytale, our GRC experts guide you through compliance requirements for key frameworks like SOC 2, ISO 27001, HIPAA, and GDPR. Our compliance automation platform simplifies achieving and maintaining compliance, reducing manual effort and mitigating non-compliance risks, so you can focus on what matters: securing your business for the long term.

FAQs

What are compliance controls?

Compliance controls are actions and processes that an organization puts in place to meet the requirements of key security compliance and data privacy frameworks. They help ensure your systems follow specific rules and regulations, ensuring you achieve and maintain compliance.

How do preventive, detective, and corrective controls work together to ensure compliance?

Preventive controls stop problems before they happen (like firewalls). Detective controls identify when an issue occurs (such as intrusion detection systems), and corrective controls help fix the problem (like patch management or data restoration), ensuring you maintain compliance at all times.

What are common challenges in implementing compliance controls and how to overcome them?

Common challenges include lack of resources, understanding the complex requirements, and ensuring consistency. Overcome these by automating compliance tasks, investing in security awareness training, and using tools that help manage multiple frameworks at once.

Kyle Morris

Kyle Morris is a highly experienced Governance, Risk, and Compliance (GRC) professional with over 12 years of expertise in information security, IT auditing, and regulatory compliance. As the Head of GRC, he is a Certified Information Systems Auditor (CISA) and an ISO 27001 Certified Lead Implementer, with a Bachelor of Science degree in Computer Science. Kyle began his career as...
