Welcome back, Dear Reader,
in this post I’d like to share some reflections on the (potentially inefficient) way some security controls can be observed to be deployed in complex organisations and what this may mean for the future of those controls.
In general the space of security controls can be categorized according to different schemes, such as:
- By fundamental principle (preventive, detective, reactive, corrective, deterrent, compensating etc. security controls. see for example this overview or this one or some illustration here).
- By “state of matter” (e.g. components, implementation, operations. again, for some supplemental information look at this one).
- By type of admission: whitelisting vs. blacklisting (some general discussion here, the respective Schneier-Ranum Face-Off to be found here, and this is only Bruce’s half, but with a number of comments).
- Related to the overall architecture of implementation: centralized vs. distributed.
For today’s topic I’ll just focus on the latter two and will introduce those shortly.Continue reading