Defense in Depth for Information Assurance
Today’s businesses face more security threats to their computer systems and networks than at any other point in history. Coping with this problem is something that every company must take seriously; as such, it is critical that well-trained staff and clear, documented strategies are put in place to minimize the likelihood of losses or damages due to security breaches in the information technology infrastructure. Today, many savvy companies are employing the Information Assurance (IA) strategy known as Defense In Depth in order to provide the safest and most secure computer and information environment possible. The Defense In Depth concept was originally designed by the National Security Agency (NSA) as a means of strategically and methodically handling information and electronic security. At its core, Defense In Depth revolves around the notion of taking a layered approach to the problem; the reasoning behind this concept is that the perceived threat – or enemy – can be delayed or thwarted by installing multiple layers of security, each of which must be overcome in turn. This strategy effectively slows down the progress of such a threat, preventing it from infiltrating the most sensitive and confidential parts of an organization’s information infrastructure. When looked at from an Information Assurance standpoint, Defense In Depth calls for varying degrees of security measures to be adhered to; the ultimate goal of such a strategy is what is known as the Protect – Detect – React paradigm. By using a multilayered approach to Information Assurance, an organization increases its likelihood of protecting its confidential and highly sensitive information. Breaches of such security measures – which do occur – can be more easily and efficiently detected at earlier stages. The organization then has ample time to react effectively to the threat, stopping it before it causes irreparable damage or loss.
An important principle involved in the Defense In Depth strategy revolves around the concept that Information Assurance must include a balanced focus on three important elements: People, Technology and Operations. This means that any given security layer must involve at least one – and oftentimes many – of these components. Also, layers must strike a balance between these three aspects, assuring that no one part gets overlooked. In this article, we will look at practical ways of creating a multilayered and balanced approach to Information Assurance, and how an organization can most effectively implement a Defense In Depth strategy that will work in its best interests. Each section will clearly outline common layers of such security systems, how they apply to the Protect – Detect – React paradigm, and how they fit into the Defense In Depth concept as a whole. Readers should come away with some clarity as to the methodology behind implementing such a system, how it can best be adhered to, and who in the organization is responsible for each layer of its defense.

Layer One – Authenticating And Authorizing All Network Users

Authenticating and authorizing all network users on a computer system is a natural first layer to employ when setting up a Defense In Depth strategy. This layer falls under the Protect portion of the paradigm introduced previously; requiring each network user to be authenticated and authorized before being allowed access is a practical measure in keeping unwanted parties out. It also straddles the People, Technology and Operations components of the concept. It is critical, however, that an organization bear in mind one of the key concepts behind the Defense In Depth strategy when implementing this layer: the security measure may be breached. If it is, though, a well designed and executed Defense In Depth strategy will have many additional layers of defense in place to thwart further access to highly sensitive information.
Despite this caveat, however, it is imperative that each layer be as secure and well designed as possible. Regarding user authentication and authorization, then, an organization should strive not only to create a secure environment at each user’s desktop, but also to restrict the physical access of unauthorized persons to areas of the building where computers are present. Visitors to an organization should have to prove their identity and be granted permission by an authorized member of the organization. This is a natural, “best practice” means of keeping blatant misuse of company computers and information to an absolute minimum. Some companies even require specialized ID badges for all personnel as an added way of enhancing authorization and authentication within the information technology sector.

Layer Two – VLANs

As a coarse grained strategy for enhancing an organization’s Defense In Depth strategy and overall Information Assurance program, VLANs are a very common and valuable means of providing an added layer of security to a company’s information technology system. VLANs allow IT personnel to, essentially, control traffic patterns within an organization’s network. Activity on the network can be more closely scrutinized, bringing both the Protect and Detect aspects of the Protect – Detect – React paradigm into play in this instance. Taking the concept of a layered defense strategy one step further, one could also use a multipronged approach to the utilization of VLANs in computer technology security. For example, in addition to a well designed and monitored VLAN, an organization could create an added layer of security by using security enabled applications at each user’s workstation. In the event that the security of a VLAN becomes compromised, then, an additional hoop must be jumped through – so to speak – before any significant damage can be done.
In terms of the People, Technology and Operations trifecta that is so critical in the implementation of a successful Information Assurance program, VLANs fulfill their role via the Technology component of this principle. This is important to recognize, as it is vital for an organization to see how each layer contributes to the three important aspects of this principle.

Layer Three – Fine Grained Security Via Firewalls At The Port Level

Firewalls are an essential part of the security of any modern organization. They help a company protect its information from intruders and other potential adversaries. In Information Assurance, identifying an organization’s adversaries and their motivations is incredibly important; this is doubly true when it comes to a Defense In Depth tactic. Should an adversary or other intruder thwart other forms of security that have been put in place by an organization, a firewall put in place at the port level creates yet another barrier that they have to try and overcome. This method makes use of the technology that is called for by the Defense In Depth strategy, creating a more even balance among the many different layers put in place by an organization. The motivations of an intruder may fall into many different categories. Some have the malicious aim of intercepting sensitive and highly confidential information from an organization; others are more passive “pranksters”, hoping to crack security measures as a sort of cheap thrill. Regardless of motive, a well implemented firewall should serve to prevent many such instances from occurring in the first place.

Layer Four – Network Encryption To Assure Privacy

In terms of using technology when designing the various layers of a Defense In Depth strategy, network encryption is a very valuable tool. It can help assure private communication between users on an organization’s computer network – and ward off the passive monitoring of intruders or adversaries, regardless of motivation.
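To make the "fine grained security via firewalls at the port level" idea concrete, here is an added example (not code from the original article or from any vendor product) of a default-deny, port-level policy evaluator. The rules, network ranges, host addresses and connection attempts in it are all constructed for illustration: every connection is allowed only if an explicit rule matches its protocol, destination port and source range, everything else is denied, and the denials are written to a log that the Detect and React steps of later layers can consume.

```python
"""Port-level, default-deny firewall policy with deny logging.

Added example (not from the original article): a small policy evaluator
modelling the "fine grained security via firewalls at the port level"
layer. Rules, address ranges and connection records are constructed for
illustration; nothing here is a real ruleset from any organization.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp" or "udp"
    port: int      # destination port the rule permits
    source: str    # CIDR range the rule accepts connections from
    comment: str   # why the port is open (ties the rule to a business need)


# Constructed allowlist: anything not matched here is denied (default deny).
POLICY = [
    Rule("tcp", 443, "0.0.0.0/0", "public HTTPS front end"),
    Rule("tcp", 22, "10.0.5.0/24", "SSH from the admin VLAN only"),
    Rule("udp", 53, "10.0.0.0/8", "internal DNS resolvers"),
]


@dataclass(frozen=True)
class Connection:
    src: str
    proto: str
    dport: int


def evaluate(conn, policy=POLICY):
    """Return (decision, rule) for one connection attempt.

    The first matching allow rule wins; with no match the answer is "deny".
    Protocol and port are compared exactly, the source by CIDR membership.
    """
    src = ip_address(conn.src)
    for rule in policy:
        if (rule.proto == conn.proto and rule.port == conn.dport
                and src in ip_network(rule.source)):
            return "allow", rule
    return "deny", None


def apply_policy(conns, policy=POLICY):
    """Evaluate a batch; return the decisions plus a deny log (Detect input)."""
    decisions, deny_log = [], []
    for c in conns:
        decision, _ = evaluate(c, policy)
        decisions.append(decision)
        if decision == "deny":
            deny_log.append(f"DENY src={c.src} proto={c.proto} dport={c.dport}")
    return decisions, deny_log


def noisy_sources(conns, policy=POLICY, threshold=3):
    """Sources with at least `threshold` denied attempts.

    Repeated denials from one address across several closed ports are the
    signal the firewall hands to the people who staff the detection and
    remediation layer; the threshold is a constructed tuning value.
    """
    denied = Counter(c.src for c in conns if evaluate(c, policy)[0] == "deny")
    return {src: n for src, n in denied.items() if n >= threshold}


# Constructed connection attempts: a normal web client, an admin on the
# admin VLAN, an internal DNS lookup, an SSH attempt from the internet,
# and one external host trying several ports that are not open at all.
SAMPLE = [
    Connection("203.0.113.10", "tcp", 443),
    Connection("10.0.5.7", "tcp", 22),
    Connection("10.2.3.4", "udp", 53),
    Connection("203.0.113.10", "tcp", 22),
    Connection("198.51.100.9", "tcp", 23),
    Connection("198.51.100.9", "tcp", 3389),
    Connection("198.51.100.9", "tcp", 445),
]

if __name__ == "__main__":
    decisions, log = apply_policy(SAMPLE)
    print(decisions)
    print("\n".join(log))
    print(noisy_sources(SAMPLE))
```

The design point is that the allowlist carries a justification for every open port and the policy's fallthrough is a denial; a real host or network firewall (nftables, a cloud security group, a switch ACL) expresses the same shape, and the deny log is what makes the Protect layer also contribute to Detect.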
When thinking of a potential attack on, or the hacking of, an organization’s computer network, it is easy to see why network encryption is such an obvious and critical component. Essentially, even if an intruder makes his way past other layers of security, many malicious goals can be warded off through the use of network encryption. This concept is at the core of the entire Defense In Depth strategy, and it is much easier to see the logic behind this Information Assurance protocol when imagining such a breach layer by layer. Indeed, while understanding the basic principles of Defense In Depth – such as Protect – Detect – React and the importance of People, Technology and Operations – is imperative for any organization, being able to visualize the basis of such reasoning is also critical. A good way to conceptualize this Information Assurance program is by imagining a series of concentric circles. The innermost circle represents an organization’s most highly sensitive data; each surrounding layer represents a different security measure. As such, network encryption would probably sit very close to the core of such a model.

Layer Five – Detecting And Remediating Threats To A Network’s Integrity

This layer puts the People portion of the People, Technology and Operations principle to use, as well as the Detect and React aspects of the Protect – Detect – React paradigm. If previous layers have been put in place properly, an organization’s IT personnel should have the tools necessary to adequately monitor and detect threats and attacks on its computer networks. Should a threat or an attack be detected by people within the organization, a specific course of action should already be in place and ready for implementation. This means, essentially, that IT personnel should be prepared for many different scenarios and should have conducted “drills” regarding security breaches in order to prepare for such eventualities.
As long as an organization’s IT personnel are duly capable of remediating a threat to a network’s integrity, this layer of the Defense In Depth strategy should serve as a means of using human intervention to further deter and ward off invasion by many types of adversaries. Bringing this human element into the Information Assurance equation shows why such a balance is necessary: human intervention can perform remediation tasks that automated technology often cannot. The key here is that such intervention by IT personnel or other persons within an organization should be reserved for the event that many other layers of security have been infiltrated and surpassed. In other words, such intervention should almost be looked at as a last-resort measure. Nonetheless, it is vital that IT personnel always be prepared for such an eventuality in order to adequately protect the integrity of an organization’s network.

Layer Six – End Point Security In Policy Based Enforcement

Individual computer users within an organization can help round out the overall Defense In Depth concept. It is important that end users are well trained regarding what is and is not permissible in terms of how their individual computers are used. Putting strict consequences in place for employees who fail to adhere to such policies is a practical way of ensuring that security protocols are followed. An organization’s policies regarding computer security and common practices should be clearly drawn up and made available to every employee. Periodic seminars or presentations regarding the importance of such policies are excellent ways of keeping these ideas fresh in the minds of an organization’s personnel. A strict, no-tolerance policy for the deliberate disregard of these rules must be put in place and enforced at all levels within an organization.
Conclusion

With the sixth layer outlined above, the overall circle of methods behind the Defense In Depth Information Assurance protocol is effectively brought back to the beginning. In essence, this strategy begins with technology based security measures and ends with human intervention and each person’s adherence to set security measures. This clearly highlights the reasoning behind the People, Technology and Operations idea at the heart of this form of Information Assurance. In Defense In Depth, Protect – Detect – React starts and ends with the personnel and people within an organization. Additional layers utilize technology and operational standards to minimize the likelihood of security breaches. This multilayer approach is a deft strategy for protecting the information technology integrity of an organization, and is a huge reason for the popularity of the Defense In Depth method. Regardless of size or scope, virtually any organization can successfully apply these standards in order to reduce its risk of attack.