Technical security controls include any measures taken to reduce risk via technological means. They stand in contrast to physical controls, which are physically tangible, and administrative controls, which focus on managing people. Common technical controls include encryption, firewalls, anti-virus software, and data backups.
These types of security control aren’t mutually exclusive. Security cameras, for example, are both a technical and a physical control. And password management frequently bridges the gap between technical and administrative controls.
Security controls can also be distinguished based on their goal:
- Preventative controls aim to prevent security incidents;
- Detective controls aim to detect incidents as they happen, or after the fact;
- Corrective controls aim to mitigate the impact once an incident has occurred;
- Deterrent controls aim to deter attackers from making an attempt;
- Compensating controls can be used in case another control won’t work.
Technical security controls can serve all of the above purposes. Below, we’ll discuss some common technical controls.
Encryption is a preventative technical control that scrambles information so that unauthorized users cannot read it. Through encryption, legible “plaintext” is converted into “ciphertext” that looks like a string of random characters.
But the ciphertext isn’t actually random. Encryption applies a defined algorithm, driven by a key, to render the data illegible; a user who holds the right key can reverse the process and read the data.
Encryption is a preventative control: the goal is to prevent unauthorized users from accessing data.
A firewall monitors incoming and outgoing network traffic and blocks any unwanted traffic. It’s essentially a border between one network and another – most often between a private network and the internet.
Once in place, a firewall inspects all traffic going into or out of a network. If a given packet of information breaks the firewall’s preset rules, it can then block that packet from passing.
A firewall is a detective and a preventative technical control: it both monitors for threats and prevents them from accessing the network.
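The rule-matching behaviour described above, as an added example that is not part of the original article: a small first-match packet filter with an implicit default deny, which also records every verdict so the same component serves as a detective control. The subnet, addresses and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means "any port"
    proto: Optional[str] = None  # None means "any protocol"

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.proto is None or self.proto == pkt.proto)
        )


class Firewall:
    """First matching rule wins; a packet that matches nothing is dropped."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[Tuple[str, Packet]] = []  # detective side: every verdict is recorded

    def filter(self, pkt: Packet) -> bool:
        verdict = "deny"  # default deny when no rule matches
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        self.log.append((verdict, pkt))
        return verdict == "allow"

    def blocked(self) -> List[Packet]:
        return [pkt for verdict, pkt in self.log if verdict == "deny"]


INTERNAL = "10.0.0.0/24"  # constructed private subnet


def build_firewall() -> Firewall:
    return Firewall([
        Rule("allow", dst=INTERNAL, dport=443, proto="tcp"),  # inbound HTTPS to the internal subnet
        Rule("allow", src=INTERNAL),                          # anything originating inside may leave
        Rule("deny"),                                         # explicit catch-all
    ])


# Constructed sample traffic (documentation-range addresses)
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.0.5", 443, "tcp"),  # inbound HTTPS: allowed
    Packet("203.0.113.7", "10.0.0.5", 22, "tcp"),   # inbound SSH from the internet: blocked
    Packet("10.0.0.5", "198.51.100.9", 53, "udp"),  # outbound DNS: allowed
    Packet("203.0.113.7", "10.0.0.5", 443, "udp"),  # right port, wrong protocol: blocked
]


def run_sample() -> List[bool]:
    fw = build_firewall()
    verdicts = [fw.filter(p) for p in SAMPLE_PACKETS]
    for verdict, pkt in fw.log:
        print(f"{verdict:5} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}")
    return verdicts
```

Rule order matters in a first-match filter: the catch-all deny must come last, and a broad allow placed above a narrow deny silently defeats the deny.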
Antivirus software runs in the background of a device, constantly monitoring for threats. Whenever you download or open a new file, the antivirus software quickly scans it for viruses and other malware.
Periodically, your antivirus software will also run a more comprehensive scan of your device. If it ever detects something fishy, it will typically notify the user and ask what action they’d like to take. Like a firewall, antivirus software is both a detective and preventative control.
Once upon a time, users had to install third-party antivirus software to protect their computers. But these days, firewalls and antivirus software come built into most consumer operating systems by default.
Password management straddles the line between administrative and technical controls. If a company has a clear password policy, that’s an administrative control. If the company uses technology to enforce it – say, by requiring passwords to be a certain length – it’s also a technical control.
Password requirements are preventative controls by nature. By requiring that a password meet a certain level of complexity, the policy prevents simple brute force attacks from cracking the password in a matter of minutes. Multi-factor authentication is also preventative, making it considerably harder for attackers to break into someone’s account.
If a password system locks users out after a certain number of attempts, it also counts as a deterrent control. And if the system alerts a user via email or text that multiple failed attempts just occurred, it’s also a detective control, alerting the person or organization that an attack may have been attempted.
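The three roles a password system plays in the two paragraphs above, combined into one added example (not code from the original article): a policy check enforced at account creation (preventative), a lockout after a fixed number of failures (deterrent), and a notification queue that records alerts for the user (detective). The thresholds, the password-hashing parameters and the tiny common-password list are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import List

MIN_LENGTH = 12           # constructed policy values
ALERT_AFTER = 3           # notify the user at this many consecutive failures
LOCK_AFTER = 5            # lock the account at this many
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # stand-in for a breach list


def check_policy(password: str) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is slow to brute-force offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, password: str):
        problems = check_policy(password)
        if problems:
            raise ValueError(f"password rejected: {', '.join(problems)}")  # preventative
        self.username = username
        self.salt = os.urandom(16)
        self.hash = _hash(password, self.salt)
        self.failed = 0
        self.locked = False
        self.alerts: List[str] = []  # messages that would be emailed or texted to the user

    def login(self, password: str) -> bool:
        if self.locked:
            return False  # deterrent: the lockout holds even for the correct password
        if hmac.compare_digest(_hash(password, self.salt), self.hash):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed == ALERT_AFTER:
            self.alerts.append(f"{self.username}: {self.failed} consecutive failed logins")  # detective
        if self.failed >= LOCK_AFTER:
            self.locked = True
            self.alerts.append(f"{self.username}: account locked after {self.failed} failed logins")
        return False


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple")
    for guess in ["password", "hunter2", "letmein", "qwerty", "123456", "correct horse battery staple"]:
        print(guess, "->", acct.login(guess))
    print(acct.alerts)
```

The lockout counter resets on a successful login, and the alert fires once at the threshold rather than on every subsequent failure, so a user under attack gets a clear signal instead of a flood.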
Backups are a great example of a corrective security control. If a server rack goes up in smoke, you could lose key systems or data. But if you have a backup copy of the data, you can restore much or all of the information lost.
There’s more than one way to back up data. Some organizations might do a full backup on a daily basis. Others might rely on incremental backups, which only back up files that have changed since the most recent backup.
Note that although backups are certainly a technical control, they may also count as an administrative control if the organization has a clear backup policy in place.
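Full versus incremental backups and the corrective restore, as an added example (not code from the original article). The "filesystem" is an in-memory mapping from path to contents; each incremental stores only files whose hash changed since the previous backup, plus a tombstone for deleted files, and restore replays the full backup followed by every incremental in order. Paths and contents are constructed.

```python
import hashlib
from typing import Dict, List, Optional

Snapshot = Dict[str, bytes]           # path -> file contents
Delta = Dict[str, Optional[bytes]]    # path -> new contents, or None for "deleted"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class BackupChain:
    """One full backup followed by zero or more incrementals."""

    def __init__(self) -> None:
        self.full: Optional[Snapshot] = None
        self.incrementals: List[Delta] = []
        self._last_digests: Dict[str, str] = {}  # what the chain currently believes is on disk

    def full_backup(self, fs: Snapshot) -> Snapshot:
        self.full = dict(fs)
        self.incrementals = []
        self._last_digests = {path: _digest(data) for path, data in fs.items()}
        return self.full

    def incremental_backup(self, fs: Snapshot) -> Delta:
        if self.full is None:
            raise RuntimeError("take a full backup before an incremental one")
        delta: Delta = {}
        for path, data in fs.items():
            if self._last_digests.get(path) != _digest(data):
                delta[path] = data  # new or changed since the last backup
        for path in self._last_digests:
            if path not in fs:
                delta[path] = None  # tombstone so restore removes it too
        self.incrementals.append(delta)
        self._last_digests = {path: _digest(data) for path, data in fs.items()}
        return delta

    def restore(self) -> Snapshot:
        # Corrective control: rebuild the filesystem after the original is lost.
        if self.full is None:
            raise RuntimeError("nothing to restore")
        fs = dict(self.full)
        for delta in self.incrementals:
            for path, data in delta.items():
                if data is None:
                    fs.pop(path, None)
                else:
                    fs[path] = data
        return fs


def demo() -> Snapshot:
    # Constructed sample filesystem evolving across three backup runs.
    fs: Snapshot = {"/etc/app.conf": b"v1", "/data/ledger.db": b"rows=10", "/tmp/scratch": b"x"}
    chain = BackupChain()
    chain.full_backup(fs)
    fs["/data/ledger.db"] = b"rows=11"          # changed
    fs["/data/report.pdf"] = b"%PDF-constructed"  # new
    chain.incremental_backup(fs)
    del fs["/tmp/scratch"]                      # deleted
    chain.incremental_backup(fs)
    restored = chain.restore()                  # the "server rack" is gone; rebuild from the chain
    assert restored == fs
    return restored
```

The trade-off the text describes falls out of the structure: incrementals are small and fast, but a restore needs the full backup and every incremental after it, so losing one link in the chain loses everything recorded after it.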
Access Control Models
An access control model structures who can access what in a given system or organization. Many organizations follow the principle of least privilege when it comes to sensitive data: each user only has enough access to perform their job duties.
The most common access model is discretionary access control. Under this system, each object has an owner who can then determine what access other users have. You can read more about the different access control models in our ultimate guide.
Access control models are both administrative and technical by nature. They can extend to physical controls as well: if a guard at a gatehouse checks IDs against a list before raising the gate so people can pass, that’s an example of access controls in action.
Access control models are largely preventative in nature. Their aim is to prevent unauthorized people from gaining access to information and resources they should not have access to.
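Discretionary access control with least privilege, as an added example that is not part of the original article: every object has an owner, only the owner may change its access list, and grants are made per permission so a user gets exactly what the job needs. The users, object names and permission names are constructed.

```python
from typing import Dict, Set

PERMISSIONS = {"read", "write"}


class DiscretionaryAccessControl:
    """Owner-controlled access lists: the owner of an object decides who else gets what."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.acl: Dict[str, Dict[str, Set[str]]] = {}  # object -> user -> permissions

    def create(self, obj: str, owner: str) -> None:
        self.owner[obj] = owner
        self.acl[obj] = {owner: set(PERMISSIONS)}  # the owner starts with full rights

    def grant(self, grantor: str, obj: str, user: str, perm: str) -> bool:
        # Discretionary: only the owner may extend access, and only one permission at a time.
        if perm not in PERMISSIONS or self.owner.get(obj) != grantor:
            return False
        self.acl[obj].setdefault(user, set()).add(perm)
        return True

    def revoke(self, grantor: str, obj: str, user: str, perm: str) -> bool:
        if self.owner.get(obj) != grantor or user == grantor:
            return False  # non-owners cannot revoke, and the owner keeps their own rights
        self.acl[obj].get(user, set()).discard(perm)
        return True

    def is_allowed(self, user: str, obj: str, perm: str) -> bool:
        # Preventative: the check happens before any access is granted, and the default is deny.
        return perm in self.acl.get(obj, {}).get(user, set())


def demo() -> DiscretionaryAccessControl:
    dac = DiscretionaryAccessControl()
    dac.create("payroll.xlsx", "alice")
    dac.grant("alice", "payroll.xlsx", "bob", "read")     # bob only needs to read: least privilege
    dac.grant("carol", "payroll.xlsx", "carol", "read")   # carol is not the owner: refused
    for user in ("alice", "bob", "carol"):
        print(user, {p: dac.is_allowed(user, "payroll.xlsx", p) for p in sorted(PERMISSIONS)})
    return dac
```

The default-deny shape of `is_allowed` is the important part: an unknown user, an unknown object or an unlisted permission all evaluate to "no", so a mistake in the access list fails closed.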
Physical Security Systems
Physical security systems often coincide with technical controls. Security cameras and motion sensors count as both. These systems can both detect and deter attacks. A camera is by its nature designed to spot intruders, and the presence of cameras can also discourage people from even making an attempt to break in.
Security isn’t just about keeping out trespassers. A fire alarm and sprinkler system mitigates risk just as much as a security system does, qualifying it as a physical and technical corrective security control.
The above are just a few examples of common technical controls. The National Institute of Standards and Technology lists dozens of security controls in SP 800-53, and even their list is by no means exhaustive. Any measure that attempts to mitigate risk through the use of technology qualifies as a technical security control.