027
ENTERPRISE SECURITY BLUEPRINT
CONTROL LAYER
02
Different protections are needed on different enforcement points. The selection of protection types
depends on the segment assets, user authorizations and the threat environment. System performance
and operational constraints also need to be taken into account.
The Control Layer’s role is to select the appropriate security control logic that will be executed
on each segment boundary enforcement point in order to enforce the Access Control and data
protection policies and to counter identified threats.
The first step in selecting security controls is to perform a risk analysis for each segment or group
of segments. Risk is defined as the level of impact and potential occurrence of security incidents
on an organization’s operations or assets. Such security events include security policy violations,
manifestation of threats and inappropriate data flows. Understanding risk provides a prioritized
framework for security controls.
Different risk categories are considered for each interaction that crosses a segment boundary. A level
of risk can be codified based on occurrence, chance of success and potential damage. For example,
an outbound HTTP request can be analyzed in relation to a sample risk categorization scheme:
An authorized user performs an interaction
that violates security policy
An external entity attempts to gain
unauthorized access to assets or services
An attacker reads or modifies data in transit
or data at rest by accessing network or
storage infrastructure
Sensitive data is transmitted to unauthorized
users or written to removable media
An attacker performs a protocol violation
causing a system failure
Malicious code delivered over the network
or via removable I/O devices adversely
impacts business assets
An interaction consumes excessive amounts
of processing, storage or network capacity,
denying service for authorized interactions
Is the in-segment user authorized to access
the external service?
Could the external service be spoofed by an
attacker?
Is the network path for the interaction
vulnerable to interception?
Could significant amounts of data be
uploaded to unauthorized locations?
What is the chance that a protocol violation
will trigger a client exploit and malware
download in the segment?
Could the request be indicative of malware
behavior (e.g., connection to C&C server or
drop zone)?
Could the rate, duration or bandwidth of
requests conceivably impact the level of
service for authorized interactions?
Risk
Risk description
Analysis for an outbound HTTP request
Insider
External
attack
Data
access
Data
leakage
Exploit
Malware
Denial of
service
Risk-based Approach for Protective Controls Selection
