Information Security: Defense-in-Depth Style
Ladies and gentlemen, we’ve reached the fifth and final post of this information security in hybrid IT series. I hope you’ve found as much value in these posts as I have in your thoughtful comments. Thanks for following along.
Let’s take a quick look back at the previous posts.
Throughout the series, we’ve covered topics vital to an organization’s overall security posture, including zero trust, people, patching, and logs. These are a pivotal part of the people, process, and technology model that underpins an organization’s Defense in Depth security strategy.
What Is Defense in Depth?
Originally a military term, Defense in Depth, also known as layered security, operates from the premise that if one layer of your defense is compromised, another layer is still in place to thwart would-be attackers. These preventative controls typically fall into one of the following categories.
- Technical controls use hardware or software to protect assets. Micro-segmentation, multi-factor authentication, and data loss protection are examples of technical controls.
- Administrative controls relate to security policies and procedures. Examples include least-privilege policies and user education.
- Physical controls are those you can physically touch. Security badges, security guards, fences, and doors are all examples of physical controls.
Why Defense in Depth?
If you’ve ever looked into setting up an investment strategy, you’ve heard the phrase “Diversify, diversify, diversify.” In other words, you can’t predict if a fund will flop completely, so it’s best to spread funds across a broad category of short-term and long-term investments to minimize the risk of losing all your money on one fund.
Similarly, because you can’t know what vulnerabilities an attacker will try to exploit to gain access to your data or network, it’s best to implement a layered and diverse range of security controls to help minimize the risk.
Here’s a simple example of layered security controls. If an attacker bypasses physical security to gain access to your facility, 802.1X (or a similar port-based network access control) stops them from simply plugging in a laptop and gaining access to the network.
Because of the shared responsibilities for security in a hybrid cloud environment, the cloud adds complexity to the process of designing and implementing a Defense in Depth strategy. While you can’t control how a cloud provider handles the physical security of the facility or facilities hosting your applications, you still have a responsibility to exercise due diligence in the vendor selection process. In addition, SLAs can be designed to act as a deterrent for vendor neglect and malfeasance. However, ultimately, the liability for data loss or compromise rests with the system owner.
When an organization’s culture treats security as more than a compliance requirement, it has an opportunity to build more robust and diverse security controls to protect its assets. Too often, though, organizations fail to recognize that security is more than the Information Security team’s problem. It’s everyone’s problem, and thoroughly implementing a Defense in Depth strategy takes an entire organization.