Control Diversity
- When designing a secure network, diverse controls create a stronger security program.
-
Control Diversity may take two forms:
-
Control Type Diversity:
- Using controls from different categories to achieve the same control objective.
-
(Reminder) Security Controls may be categorized as:
- Administrative (Operational)
- Physical
- Technical (Logical)
- Combining controls from two or more of these categories is more likely to successfully protect an organization against a security threat.
-
Example:
-
Prevent data exfiltration by insiders (employees) of the organization
- Technical Controls:
  - Data Loss Prevention (DLP) Systems
    - Watch for and drop sensitive information sent outside the organization's network.
  - Monitoring Controls
  - Prevent Removable Storage Devices
  - Content Filters
    - Prevent Access to P2P and File Sharing Sites
- Administrative Controls:
  - Background Checks of New Hires
  - Non-Disclosure Agreements (NDA)
- Physical Controls:
  - Security Guards with authority to perform random bag inspections
  - Security cameras
-
Vendor Diversity:
- Using products from different vendors to achieve the same control objective.
-
Example:
-
Our organization's firewall architecture is designed such that:
- One firewall is placed at the Internet (Customer) edge of our organization's network.
- A second firewall internal to our network protects the data center from the rest of the organization's network.
- Both firewalls protect the data center from the Internet.
-
Single Vendor vs Multiple Vendors
- Advantage of Single Vendor:
  - The IT team only needs to manage one type of firewall. If a complex problem arises, the IT team understands the product and can contribute to solving that problem.
- Advantage of Multiple Vendors:
  - A security flaw in a single firewall will not allow an attacker to gain access to a network segment protected by two firewalls from different vendors.
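
Added example (not part of the original notes): a small audit that walks the two-firewall architecture above and reports, for each segment, which vendors would expose it if one flaw affected every firewall from that vendor. The zone names, firewall names, and `VendorA`/`VendorB` are constructed placeholders, and the "one flaw affects all of a vendor's firewalls" model is an assumption.

```python
from collections import namedtuple

Firewall = namedtuple("Firewall", "name vendor")

def build(edge_vendor, internal_vendor):
    """Constructed topology for the page's example: zone -> [(next_zone, firewall)]."""
    return {
        "internet": [("corporate", Firewall("edge-fw", edge_vendor))],
        "corporate": [("datacenter", Firewall("internal-fw", internal_vendor))],
        "datacenter": [],
    }

def paths(topology, src, dst, seen=()):
    """Yield every loop-free path from src to dst as the list of firewalls crossed."""
    if src == dst:
        yield []
        return
    seen = seen + (src,)
    for nxt, fw in topology.get(src, []):
        if nxt not in seen:
            for rest in paths(topology, nxt, dst, seen):
                yield [fw] + rest

def exposed_by(topology, src, dst, flawed_vendor):
    """True if some path to dst is guarded only by firewalls of the flawed vendor."""
    return any(all(fw.vendor == flawed_vendor for fw in path)
               for path in paths(topology, src, dst))

def audit(topology, src, segments):
    """Map each segment to the vendors whose single flaw would expose it."""
    vendors = {fw.vendor for hops in topology.values() for _, fw in hops}
    return {seg: sorted(v for v in vendors if exposed_by(topology, src, seg, v))
            for seg in segments}

if __name__ == "__main__":
    segments = ["corporate", "datacenter"]
    # Single vendor: one flaw reaches the data center.
    print(audit(build("VendorA", "VendorA"), "internet", segments))
    # Two vendors: no single vendor flaw reaches the data center.
    print(audit(build("VendorA", "VendorB"), "internet", segments))
```

An empty list for a segment means no single-vendor flaw opens a full path to it; the corporate segment sits behind only the edge firewall, so it stays exposed to that vendor in both designs.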