Preventive controls attempt to prevent an incident from occurring.
Detective controls attempt to detect incidents after they have occurred.
Corrective controls attempt to reverse the impact of an incident.
Deterrent controls attempt to discourage individuals from causing an incident.
Compensating controls are alternative controls used when a primary control is not feasible.
A preventive control is designed to be implemented prior to a threat event and to reduce and/or avoid the likelihood and potential impact of a successful threat event; a detective control is designed to detect errors and locate attacks against information systems that have already occurred.
The routine analysis of the detective control output provides input to further enhance the preventative control. The goal of continuous analysis is to prevent errors and irregularities from occurring in the first place.
After interviewing engineers and program managers at Deloitte, we found that detective controls are widely applied to protect data and systems. However, preventative controls in the companies are scarce and could be better developed. In addition, the procedures for implementing preventative controls are relatively laborious at the current stage.
With support from Deloitte, our team decided to help advance the process of implementing preventative controls in Amazon Web Services. To be more specific, we will focus on automating Amazon EKS preventative controls in CI/CD using CDK and OPA. There will be brief introductions to how and why we are developing such a pipeline, but the more specific code will be on GitHub.