
Access Control Categories

8/06/2012 Article

BG

There are seven different categories of access control:

  • Directive

Guidance, policy and procedures: they tell the members or users of an organisation how they are expected to behave, specifically with regard to security.

  • Deterrent

Motivational controls, largely generated by accountability. Because oversight exists, the fear of being caught is strong enough to stop some (if not most) users from even trying. "Tarpits" appear to fall into both this category and Preventive, since they raise the time cost of certain attack vectors.

  • Preventive

These actually stop users from performing a specific task, and are what most people think of when describing access controls. They are not optional: the only way round a preventive control is to find a flaw in it.

  • Compensating

Where a security hole has been identified but cannot be directly resolved, these controls are put in place to cover it. For example, a VPN that encrypts all traffic between two sites at the network level, rather than adapting an application so that it encrypts the traffic it sends between the sites itself. Compensating controls are usually policy-driven: when policy says a task should be completed to a certain standard and the existing controls cannot meet that standard, compensating controls are introduced to bring it up to standard. It is important to check that the compensating control does not itself introduce other problems or alter the risk adversely. They can also be temporary measures, for example during the transition from one system to another, but must be removed once their purpose has been fulfilled.

  • Detective

Includes logging systems, version control, honeypots, web filtering and virus scanners: anything that flags an alert or records actions. (Several of these, such as web filters and virus scanners, also block what they detect, and so act as Preventive controls at the same time.)

  • Corrective

Corrective actions are any actions taken as a result of a trigger, whether automated or with human intervention. When used proactively, to stop an active attack before it gets any further, we would most typically categorise them as Preventive controls. For instance, a particular IP address is repeatedly connecting to a web server on port 80 at a rate that is not normal behaviour; the firewall recognises this and blocks that IP from reaching the server altogether, to head off a denial-of-service attack.

  • Recovery

These are very similar to Corrective controls, but are engaged after a security incident is over and understood, in order to return the organisation to normal. For instance, an attack took place against an unpatched server operating system; the recovery control is to update the operating system so that the flaw is fixed.
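The Detective and Corrective categories above lend themselves to a worked example: rate-based detection over web-server access logs, with an automated firewall block as the corrective response to the trigger. This is an added illustration and not code from the original article. The log lines are constructed (addresses from the RFC 5737 documentation ranges), the threshold, window and allowlist are assumed values, and the firewall action is rendered as an iptables command string rather than executed.

```python
"""Detective + corrective control over web-server access logs.

Added example, not part of the original article. The log lines are
constructed; the addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Apache/nginx "common log format", e.g.
# 203.0.113.7 - - [08/Jun/2012:10:15:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor, one source hammering "/" at two
# requests a second for a minute, and one malformed line to exercise parsing.
SAMPLE_LOG = (
    ['198.51.100.23 - - [08/Jun/2012:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 1043']
    + [f'203.0.113.7 - - [08/Jun/2012:10:15:{i // 2:02d} +0000] "GET / HTTP/1.1" 200 512'
       for i in range(120)]
    + ['this line is not in common log format',
       '198.51.100.23 - - [08/Jun/2012:10:16:30 +0000] "GET /about.html HTTP/1.1" 200 770']
)


def block_command(ip, port=80):
    """Corrective action for one trigger, rendered as the iptables rule a
    responder would install. Rendered, not executed: a real deployment runs it
    with the right privileges and removes the rule again when the block expires."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


def process_log(lines, threshold=100, window_seconds=60, allowlist=()):
    """Detective control: sliding-window request count per source IP, raising
    one alert per source that crosses the threshold.
    Corrective control: emit a block for each alerted source, except those on
    the allowlist (assumed: our own monitoring, a known reverse proxy), which
    are alerted on but never blocked so the automation cannot cut off
    legitimate infrastructure."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    alerted, blocked_ips = set(), set()
    alerts, blocks, unparsed = [], [], 0

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # count and carry on; a bad line must not stop detection
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget requests that have aged out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "at": ts.isoformat()})
            if ip in allowlist:
                continue  # detected, but policy says this source is never blocked
            blocked_ips.add(ip)
            blocks.append(block_command(ip))

    return {"alerts": alerts, "blocks": blocks,
            "blocked_ips": blocked_ips, "unparsed": unparsed}


if __name__ == "__main__":
    result = process_log(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"ALERT {a['ip']}: {a['count']} requests in window at {a['at']}")
    for cmd in result["blocks"]:
        print("BLOCK", cmd)
    print(f"unparsed lines: {result['unparsed']}")
```

The alert is the detective half (something was recorded and flagged); the generated rule is the corrective half (an action taken on the trigger). The allowlist and the one-alert-per-source rule are the caveats a practitioner wants here: automated blocking is itself a control that can alter the risk adversely if it fires against your own systems or floods the responder with duplicate actions.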

Other notes:

There is a fine line between many of these categories; ultimately it comes down to how sophisticated the attacker is. For example, a door lock is preventive for the vast majority of people, but a skilled user of a lock pick would find it merely a deterrent.
