When an attacker targets your organization’s data or assets, a single line of defense is unlikely to provide adequate protection. In fact, no single security tool or protocol can provide complete protection from attackers, which is why defense in depth is recommended as a top security architecture strategy. Read on to learn how you can implement it effectively.
What is Defense in Depth?
In military terms, defense in depth is a strategy in which—rather than relying on a single defensive line to stop attackers—the goal is to slow attackers down and create an opportunity to plan and execute a counterattack. The National Institute of Standards and Technology (NIST) defines defense in depth as, “the application of multiple countermeasures in a layered or stepwise manner to achieve security objectives.”
When using the defense in depth methodology to secure systems, data, and assets, multiple security measures are layered to establish more robust security than could be achieved with a single measure. So, even If an attacker breaches one measure, there are still barriers in place.
Understanding the benefits of this strategy, what the architecture looks like, and what controls are involved will help you plan and implement the right strategy for your organization.
The Benefits of Defense in Depth
The NSA’s Information Assurance Technical Framework (IATF) recognizes defense in depth as a practical security strategy for the highly networked nature of most modern organizations.
Since it is a methodology rather than a defined set of tools, it is implemented to use the most current technology and techniques and adjusted to respond to new demands as they arise.
The defense in depth strategy also aims to implement a well-balanced security architecture, taking all of the following into consideration:
- Effective protection
- Operational needs
Defense in depth creates a situation where the whole is greater than the sum of its parts.
What Does Defense in Depth Architecture Look Like?
The key to defense in depth architecture is layering security measures. Each layer of security builds upon the previous one, creating a more robust security infrastructure. There are three primary categories of measures to consider to ensure your bases are covered:
- Administrative Controls
- Technical Controls
- Physical Controls
Critically, all three function both irrespective of one another and in cohesive harmony.
Administrative controls are essentially the policies, procedures, regulations, and other requirements that are defined in the security policy of the organization.
Besides policies and procedures, these can include:
- Background checks and, hiring practices
- Personnel controls, training, and supervision
- Security awareness education
- Reports, reviews, and testing
- Data classification practices
Administrative controls mostly focus on business practices and personnel management. They are the foundation of the defense in depth methodology, shaping every other layer of security.
Also known as logical controls, technical controls apply to the hardware and software that comprise IT systems and related resources. Some prototypical examples include:
- Access controls
- Authentication and authorization
- Intrusion detection systems
- Firewalls and routers
- IT security protocols
Technical controls serve as the next layer of security, protecting systems, data, and other IT assets directly while reinforcing and materializing administrative controls’ aims.
Physical controls are used to protect the physical assets and facilities of the organization, restricting access to them and to the broader areas and proximities in which they’re located.
These measures include:
- Locks and seals
- Lights and motion detectors
- Guards and guard dogs
- Monitoring systems and alarms
- Physical identification or access cards
Physical controls serve as the outermost layer of the defense in depth architecture. Robust physical security measures will bolster technical and administrative controls.
Controls to Use in a Defense in Depth Strategy
Implementing multiple administrative, technical and physical controls will mitigate several security threats. Preventing attacks before they happen is ideal, but it’s also essential to be prepared for breaches, know how to detect them, and how to respond to them effectively.
Use preventative, detective, and responsive controls to execute your defense in depth strategy.
The best attack is one that doesn’t happen, so effective preventative controls are a crucial first line of defense. These measures can be deployed at the administrative, technical, and physical layers to stop unauthorized access and activities from happening:
- Administrative Prevention – Implement security policies that define expected and acceptable practices and encourage responsible behaviors. Provide security awareness training to educate personnel, maintain a clear separation of duties and follow the need-to-know and least privilege principles to improve internal security.
- Technical Prevention – Use tools that prevent unauthorized access to IT systems and resources. For example, consider access control and authentication, encryption, firewalls, and intrusion prevention systems will mitigate attacks against systems.
- Physical Prevention – Use security measures like fences and locks to prevent unauthorized physical access. Alarms and guards also deter intrusion and provide additional protection in the case that physical barriers are breached.
Ideally, all of these controls should be implemented simultaneously, for maximum overlap.
In the unfortunate case that a preventative measure fails, detection is crucial. Implement multiple detective controls to identify all unauthorized activity and potential attacks:
- Administrative Detection – Documentation, supervision, and reviews are effective administrative detective measures. Perform audits, user activity reviews, and investigations to detect unauthorized activities internally.
- Technical Detection – Implement tools to detect attempted and successful breaches. Set up honeypots as a decoy and use an intrusion detection system to monitor and alert to threats.
- Physical Detection – Use security cameras, motion detectors, and other surveillance tools to monitor facilities and physical assets. Configure these tools carefully to prevent blind spots.
To stop an attack in its tracks, you need to identify it—ideally as soon as possible.
If an unauthorized activity does occur, it’s crucial to respond immediately. Implement corrective and recovery controls to return assets to their original state. Corrective controls might include rebooting systems, using antimalware tools, and implementing data restoration plans.
Recovery controls extend corrective controls, addressing more serious damage resulting from security violations. Examples of these controls include server clustering, system imaging, and multisite solutions.
Control efficacy can be bolstered by implementing compensative and directive measures. Compensative controls offer alternatives of additional options to existing controls, making them more effective or providing a fallback in case a measure fails. Directive controls include policies, instructions, and notifications to encourage and enforce compliance with security requirements.
There are infinite combinations of controls that can be deployed as part of a defense in depth strategy, but determining the right combination requires planning and assessment.
Implement an Effective Security Architecture Strategy
The most effective defense in depth security architecture strategy will be tailored to the unique needs of your organization. Planning, executing, and maintaining that strategy requires:
- Assessment – Thoroughly assess existing security measures for efficacy to identify any deficits. Use these insights to plan and implement any necessary security controls.
- Monitoring – Continuously monitor and measure the effectiveness of the implemented architecture. Document efficacy, the occurrence of events, and any newly identified risks.
- Adjustment – Reevaluate the strategy regularly. Refer to documentation and reports to identify areas of improvement and update the strategy and security controls as needed.
When assessing and reassessing your organization’s defense in depth architecture, don’t forget that security needs aren’t the only factor that matters. A well-planned security program will also consider budget and what controls suit the day-to-day operations of the organization.
Maximize Security with Defense in Depth Architecture
The systems that today’s organizations rely on are too complex and interconnected to be secured by a single line of defense. A robust defense in depth architecture uses multiple layers of controls to provide effective security that is tailored to the needs and budget of your organization. Remember these takeaways to customize your strategy:
- Implement controls at the administrative, technical and physical levels
- Prevention is ideal, but detection, correction, and recovery are also critical
- A successful strategy requires ongoing assessment, evaluation, and improvement
Contact RSI Security today to discuss your security architecture strategy.