Defense in Depth

Defense in Depth is a cybersecurity concept that I want to know more about.

Date Created:
1 35

Related


  • Redundancy
    • In engineering and systems, redundancy is the intentional duplication of critical components or functions of a system with the goal of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance.
  • Security Control
    • Security Controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.


Notes


Defense in depth is a concept used in information security in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic conceived by the NSA. Information security must protect information throughout its lifespan, from the initial creation of the information through to its final disposal. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. The building up, layering on, and overlapping of security measures is called defense in depth. The defense in depth strategy aims at a structure where, should one defensive measure fail, other measures will continue to provide protection.

Controls in depth can be divided into three areas: Physical, Technical, and Administrative.

  • Physical
    • Physical controls are anything that physically limits or prevents access to IT systems.
  • Technical
    • Technical controls are hardware or software whose purpose is to protect systems and resources.
  • Administrative
    • Administrative controls are an organization's policies and procedures. Their purpose is to ensure that proper guidance is available in regard to security and that regulations are met.
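As an added example (not code from these notes or from any named project), the following Python models one request to an assumed internal file service passing through independent controls at the network, application and system level, which is the technical-control category above applied in layers. The policy tables, the request shape and the sample requests are all constructed for illustration. Disabling a layer simulates that control failing open; the request is then stopped by the next layer, which is the property the notes describe.

```python
"""Defense in depth as independent, layered checks on one request.

Added example for these notes; not code from any project. The file-service
scenario, policy tables and sample requests are constructed for illustration.
Each layer decides on its own data, so a failure of one layer (simulated with
`disabled`) leaves the others in place.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed policy data (assumed internal file service).
ALLOWED_NETS = [ip_network("10.0.0.0/8")]               # network control
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # authentication
ROLE_OF = {"alice": "reader", "bob": "auditor"}          # authorization
ROLE_CAN_READ = {"reader": {"reports"}, "auditor": {"reports", "audit"}}
DATA_ROOT = "/srv/data"                                  # filesystem confinement


@dataclass
class Request:
    src_ip: str
    token: Optional[str]
    area: str   # top-level folder the caller asks for
    path: str   # relative path inside that area


@dataclass
class Decision:
    allowed: bool
    reason: str
    layers_passed: list[str] = field(default_factory=list)


def network_layer(req: Request) -> Optional[str]:
    """Network boundary: only addresses inside the allowed ranges may reach the service."""
    ip = ip_address(req.src_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return "source address outside allowed networks"
    return None


def authn_layer(req: Request) -> Optional[str]:
    """Authentication: the presented token must be a known one."""
    if req.token not in VALID_TOKENS:
        return "invalid or missing token"
    return None


def authz_layer(req: Request) -> Optional[str]:
    """Authorization (least privilege): looks the user up itself instead of trusting the previous layer."""
    role = ROLE_OF.get(VALID_TOKENS.get(req.token))
    if req.area not in ROLE_CAN_READ.get(role, set()):
        return f"role {role!r} may not read area {req.area!r}"
    return None


def input_layer(req: Request) -> Optional[str]:
    """Application-level validation: reject traversal before the path reaches the filesystem."""
    if req.path.startswith("/") or ".." in req.path.split("/"):
        return "path traversal attempt"
    return None


def confinement_layer(req: Request) -> Optional[str]:
    """System-level control: the resolved path must stay under DATA_ROOT even if
    every earlier check was bypassed."""
    final = posixpath.normpath(posixpath.join(DATA_ROOT, req.area, req.path))
    if final != DATA_ROOT and not final.startswith(DATA_ROOT + "/"):
        return f"resolved path {final} escapes {DATA_ROOT}"
    return None


LAYERS: list[tuple[str, Callable[[Request], Optional[str]]]] = [
    ("network", network_layer),
    ("authentication", authn_layer),
    ("authorization", authz_layer),
    ("input validation", input_layer),
    ("filesystem confinement", confinement_layer),
]


def evaluate(req: Request, disabled: frozenset[str] = frozenset()) -> Decision:
    """Run every layer in order; names in `disabled` simulate a control that has
    failed open (bug, misconfiguration, bypass) and are skipped."""
    passed: list[str] = []
    for name, check in LAYERS:
        if name in disabled:
            continue
        problem = check(req)
        if problem is not None:
            return Decision(False, f"{name}: {problem}", passed)
        passed.append(name)
    return Decision(True, "all layers passed", passed)


if __name__ == "__main__":
    traversal = Request("10.1.2.3", "tok-alice", "reports", "../../etc/passwd")
    print(evaluate(traversal).reason)
    # Same request with input validation assumed broken: the next layer still holds.
    print(evaluate(traversal, disabled=frozenset({"input validation"})).reason)
```

The point of the design is that no layer relies on another having run: the authorization check re-derives the user from the token, and the confinement check normalizes the final path itself rather than assuming validation already rejected traversal. Removing any single layer changes which control catches a bad request, not whether it is caught.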

Methods

  • System and application
  • Network
  • Physical
