Defense in depth (computing)
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle.
Background
[edit]The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.[1] It is a layering tactic, conceived[2] by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.[3][4]
An insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and network security, host-based security, and application security forming the outermost layers of the onion.[5] Both perspectives are equally valid, and each provides valuable insight into the implementation of a good defense in depth strategy.[6]
Controls
[edit]Defense in depth can be divided into three areas: Physical, Technical, and Administrative.[7]
Physical
[edit]Physical controls[3] are anything that physically limits or prevents access to IT systems. Examples of physical defensive security are: fences, guards, dogs, and CCTV systems.
Technical
[edit]Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, file integrity software, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.
Administrative
[edit]Administrative controls are the organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.
Methods
[edit]Using more than one of the following layers constitutes an example of defense in depth.
System and application
[edit]- Antivirus software
- Authentication and password security
- Encryption
- Hashing passwords
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Timed access control
- Internet Security Awareness Training
- Sandboxing
- Intrusion detection systems (IDS)
Network
[edit]- Firewalls (hardware or software)
- Demilitarized zones (DMZ)
- Virtual private network (VPN)
Physical
[edit]- Biometrics
- Data-centric security
- Physical security (e.g. deadbolt locks)
See also
[edit]References
[edit]- ^ Schneier on Security: Security in the Cloud
- ^ "Some principles of secure design. Designing Secure Systems module Autumn PDF Free Download". docplayer.net. Retrieved 2020-12-12.
- ^ a b Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.
- ^ OWASP CheatSheet: Defense in depth
- ^ "Security Onion Control Scripts". Applied Network Security Monitoring. Elsevier. 2014. pp. 451–456. doi:10.1016/b978-0-12-417208-1.09986-4. ISBN 978-0-12-417208-1. Retrieved 2021-05-29.
- ^ Saia, Sergio; Fragasso, Mariagiovanna; Vita, Pasquale De; Beleggia, Romina. "Metabolomics Provides Valuable Insight for the Study of Durum Wheat: A Review". Journal of Agricultural and Food Chemistry. doi:10.1021/acs.jafc.8b07097.s001. Retrieved 2021-05-29.
- ^ Stewart, James Michael; Chapple, Mike; Gibson, Darril (2015). CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons. ISBN 978-1-119-04271-6.