cyber revision

Security controls and defence in depth

How controls are categorised, why layers beat any single defence, and the principles that decide where controls go.


What a control is

A control (or countermeasure) is anything that reduces risk. A firewall is a control. So is a policy document, a CCTV camera, a staff training session, and a backup. Exams love asking you to classify controls two ways at once: by how they work and by what they do.

Classifying by type

Technical (logical) controls are implemented in technology: firewalls, encryption, antivirus, access control lists, MFA.

Administrative (managerial) controls are implemented through people and process: security policies, background checks, training, incident response procedures, separation of duties.

Physical controls are implemented in the physical world: locks, fences, security guards, CCTV, mantraps, cable locks on laptops.

A complete defence usually needs all three. Encrypting a server (technical) achieves little if the cleaner can walk out with it (physical) and nobody ever reviews who has keys (administrative).

Classifying by function

Function      What it does                                     Examples
Preventive    Stops the incident happening                     Firewall rule, locked door, least privilege
Detective     Spots it happening or after the fact             IDS, CCTV, log review, file integrity monitoring
Corrective    Fixes the damage                                 Restoring from backup, patching, re-imaging
Deterrent     Discourages the attempt                          Warning banners, visible cameras, prosecution policy
Compensating  Stands in when the ideal control isn't possible  Extra monitoring on a legacy system that can't be patched
Directive     Tells people what to do                          Acceptable use policy, signage

The same item can serve several functions. CCTV deters, detects, and supports correction (evidence). When asked to classify, state the function in the context given.

Defence in depth

No control is perfect: firewalls get misconfigured, users get phished, patches lag. Defence in depth means layering controls so that one failure doesn't equal compromise. A classic layered path an attacker must survive:

  1. Perimeter: firewall, email filtering
  2. Network: segmentation, IDS/IPS
  3. Host: patching, endpoint protection, hardening
  4. Application: input validation, authentication
  5. Data: encryption, backups
  6. People & process: training, least privilege, monitoring

The point is not "more stuff" but independent failure modes. Two controls that fail for the same reason (two products relying on the same signature feed) add less than two genuinely different ones, such as signatures plus behaviour-based detection plus segmentation.

Principles that decide control placement

Least privilege means every user, process and system gets the minimum access needed to do its job, and no more. It limits the blast radius of any compromise; an intern's stolen account should not be able to read the payroll database.

Separation of duties requires that sensitive actions need more than one person. The person who raises a payment shouldn't approve it; the developer who writes code shouldn't be the only reviewer deploying it. This defeats both fraud and single-person mistakes.

Need to know means that even with clearance, you only access information your task requires. It is related to least privilege but concerns data specifically.

Fail securely means that when a control breaks, it should break into the safe state. A firewall that crashes should block traffic, not pass everything (fail closed). The exception is life safety: door locks in a building fire must fail open. Expect questions probing exactly this trade-off.

Zero trust is the modern replacement for "hard shell, soft centre" perimeter thinking. Assume the network is hostile, including the inside. Every request is authenticated, authorised and encrypted regardless of where it comes from, and trust is never inherited from network location. Summed up as "never trust, always verify."

Quick recall

  • Controls = technical / administrative / physical, crossed with preventive / detective / corrective / deterrent / compensating / directive.
  • Defence in depth: layers with independent failure modes, so one miss isn't game over.
  • Least privilege limits blast radius; separation of duties stops one person doing all of a sensitive action alone.
  • Fail closed for security, fail open for life safety.
  • Zero trust: never trust by network location; verify every request.