Defense in Depth for Information Assurance

Introduction to Defense in Depth


Today’s businesses face more threats to their computer systems and networks than at any earlier point in history. Every organization has to take this seriously: well-trained staff and clear, written strategies are needed to keep losses and damage from security breaches in the IT infrastructure to a minimum. Many organizations now adopt the Information Assurance (IA) strategy known as Defense in Depth in order to build the most secure computing and information environment they reasonably can.

The Defense in Depth concept was formalized by the National Security Agency (NSA) as a strategic and methodical way of handling information and electronic security. At its core it is a layered approach: the perceived threat, or enemy, can be delayed or thwarted by having to overcome multiple independent layers of security, no single one of which is trusted to hold on its own.

Slowing an attacker down in this way keeps the threat away from the most sensitive and confidential parts of an organization’s information infrastructure and buys time to notice it. From an Information Assurance standpoint, Defense in Depth calls for security measures of varying kinds and strengths, organized around what is known as the Protect – Detect – React paradigm.

With a multilayered approach to Information Assurance, an organization increases the likelihood of protecting its confidential and highly sensitive information. Breaches of individual measures, which do occur, are more likely to be detected at an early stage, and the organization then has time to react before the intrusion causes irreparable damage or loss.

An important principle of Defense in Depth is that Information Assurance must keep a balanced focus on three elements: People, Technology and Operations. Any given security layer involves at least one, and often several, of these components, and the layers taken together must strike a balance between the three so that none is overlooked.

This article looks at practical ways of creating a multilayered and balanced approach to Information Assurance, and at how an organization can implement a Defense in Depth strategy that works in its best interest. Each section outlines a common layer of such a system and how it relates to the Protect – Detect – React paradigm and to Defense in Depth as a whole. Readers should come away with a clearer view of the methodology behind such a system, how it can be adhered to, and who in the organization is responsible for each layer of its defense.

Defense in Depth Layer One – Authenticating And Authorizing All Network Users

Authenticating and authorizing every user of the network is a natural first layer to employ when setting up a Defense in Depth strategy. It falls under the Protect portion of the paradigm introduced above: requiring each user to prove an identity (authentication) and then checking what that identity is permitted to do (authorization) before granting access is a practical way of keeping unwanted parties out. The two checks are distinct, and a layered design keeps them distinct, so that a stolen or forged credential still meets an access policy. This layer also spans all three components of the concept: People, Technology and Operations.

When implementing this layer, an organization must keep in mind one of the key assumptions behind Defense in Depth: the security measure may be breached. If it is, a well designed and executed strategy has additional layers in place to block further access to highly sensitive information. That caveat does not excuse a weak layer, however; each one must still be as secure and well designed as possible.

Regarding user authentication and authorization, an organization should not only secure each user’s desktop but also restrict the physical access of unauthorized persons to areas of the building where computers are present. Visitors should have to prove their identity and be granted permission by an authorized member of the organization. This is a basic best practice for keeping blatant misuse of company computers and information to a minimum. Some companies also require specialized ID badges for all personnel as a further means of authenticating and authorizing people within the information technology environment.
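As an added illustration of this layer (example code written for this edit, not from the original article), the following Python gateway keeps authentication and authorization as two separate checks and denies by default: a valid token proves who the caller is, and a separate access-control list decides what that identity may reach. The user names, roles, resource paths and the HMAC-signed token format are constructed for the example; a real deployment would take them from its identity provider and access policy.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo data for this example; none of it comes from the article.
SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret, never leaves the server
TOKEN_TTL = 8 * 3600                     # seconds a session token stays valid

# Authentication data: identities that can be proven at all.
KNOWN_USERS = {"alice", "bob"}

# Authorization data: one role per user, and the roles allowed per resource.
ROLES = {"alice": "engineering", "bob": "contractor"}
ACL = {
    "/eng/repo": {"engineering"},
    "/hr/payroll": {"hr"},
    "/public/handbook": {"engineering", "contractor", "hr"},
}


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Issue a session token bound to a user name and an expiry time (username:exp:mac)."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    mac = hmac.new(SERVER_KEY, f"{username}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{username}:{exp}:{mac}"


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Layer 1a: return the authenticated user name, or None if the token is malformed,
    forged, for an unknown user, or expired."""
    try:
        username, exp_s, mac = token.split(":")
        exp = int(exp_s)
    except ValueError:
        return None
    if username not in KNOWN_USERS:
        return None
    expected = hmac.new(SERVER_KEY, f"{username}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare; no timing oracle on the MAC
        return None
    current = now if now is not None else time.time()
    if current >= exp:
        return None
    return username


def authorize(username: str, resource: str) -> bool:
    """Layer 1b: deny by default; allow only if the user's role is listed for the resource."""
    allowed_roles = ACL.get(resource, set())
    return ROLES.get(username) in allowed_roles


def handle_request(token: str, resource: str, now: Optional[float] = None) -> tuple:
    """Gateway decision: authenticate first, then authorize. Returns (HTTP-style status, reason)."""
    user = authenticate(token, now)
    if user is None:
        return 401, "authentication failed"
    if not authorize(user, resource):
        return 403, f"{user} is not authorized for {resource}"
    return 200, f"{user} granted {resource}"


if __name__ == "__main__":
    bob = issue_token("bob")
    for res in ("/public/handbook", "/eng/repo"):
        print(res, handle_request(bob, res))
    forged = bob.replace("bob", "alice", 1)      # keep bob's MAC, claim alice's name
    print("forged token:", handle_request(forged, "/eng/repo"))
```

The point of the two-step structure is visible in the output: bob’s genuine token gets him the handbook but not the engineering repository, and a token whose user name has been altered fails at the first layer before the ACL is ever consulted.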

Defense in Depth Layer Two – VLANs

As a coarse-grained measure, VLANs are a common and valuable added layer in an organization’s Defense in Depth strategy and overall Information Assurance program. They let IT personnel control traffic patterns within the network by splitting it into separate broadcast domains: hosts in different VLANs can reach one another only through the router or firewall that connects the segments, which is where the traffic can be filtered and logged. A VLAN by itself is therefore a segmentation tool rather than an access control; the policy between segments has to be enforced on that routing device, and the switch ports that carry VLAN trunks should be limited to the uplinks that actually need them. With that in place, network activity can be scrutinized more closely, bringing both the Protect and Detect aspects of the Protect – Detect – React paradigm into play.

Taking the layered strategy one step further, VLANs can be one prong of a multipronged approach. In addition to a well designed and monitored VLAN layout, an organization can add a further layer by using security-enabled applications at each user’s workstation. If the VLAN boundary is compromised, there is then an additional hoop to jump through, so to speak, before any significant damage can be done.

In terms of the People, Technology and Operations trifecta that is so critical to a successful Information Assurance program, VLANs fulfil their role mainly through the Technology component, although keeping the port-to-VLAN assignments accurate over time is an Operations task. This is important to recognize, as an organization needs to see how each layer contributes to the three aspects of the principle.

Defense in Depth Layer Three – Fine-Grained Security Via Firewalls At The Port Level

Firewalls are an essential part of any modern organization’s security. They help protect its information from intruders and other potential adversaries. In Information Assurance, identifying an organization’s adversaries and their motivations is very important, and doubly so for a Defense in Depth approach. Should an adversary or other intruder get past the other measures an organization has put in place, a firewall enforcing policy at the port level, ideally on each host as well as at the perimeter, creates yet another barrier to overcome. The practical rule for such a firewall is default deny: drop everything, then permit only the specific protocols and ports each system needs, from the sources that need them.

This method makes use of the Technology component that Defense in Depth calls for and helps balance the many layers an organization puts in place. The motivations of an intruder vary widely: some have the malicious aim of intercepting sensitive and highly confidential information; others are more passive “pranksters” hoping to crack security measures for a cheap thrill. Regardless of motive, a well implemented firewall should prevent many such intrusions from occurring in the first place, and its log of dropped connections is an early indicator that someone is probing.
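An added example (not part of the original article) of what fine-grained security at the port level looks like in practice: a small Python script that renders a default-deny nftables input chain from an allowlist, validating each entry before it is emitted. The subnets, ports and table name are made up for the example. The rendered text can be syntax-checked with `nft -c -f <file>` before it is loaded on a host.

```python
from ipaddress import ip_network

# Constructed allowlist for this example (not from the article). Each entry is one
# permitted service; anything not listed is dropped by the chain's default policy.
ALLOW = [
    {"desc": "SSH from the management subnet only", "src": "10.10.0.0/24",
     "proto": "tcp", "ports": [22]},
    {"desc": "Web front end, reachable from anywhere", "proto": "tcp", "ports": [443, 80]},
    {"desc": "DNS from internal IPv4 clients", "src": "10.0.0.0/8", "proto": "udp", "ports": [53]},
    {"desc": "Monitoring agent from the IPv6 collector", "src": "2001:db8:10::/64",
     "proto": "tcp", "ports": [9100]},
]


def render_rule(rule: dict) -> str:
    """Render one allow entry as an nftables rule, rejecting malformed input."""
    if rule["proto"] not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule['proto']!r}")
    ports = sorted(set(rule["ports"]))
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"bad port list {rule['ports']!r}")
    parts = []
    if "src" in rule:
        net = ip_network(rule["src"])              # raises on a malformed or sloppy prefix
        family = "ip" if net.version == 4 else "ip6"   # inet tables need the right match keyword
        parts.append(f"{family} saddr {net}")
    port_expr = str(ports[0]) if len(ports) == 1 else "{ " + ", ".join(map(str, ports)) + " }"
    parts.append(f"{rule['proto']} dport {port_expr} accept")
    desc = rule["desc"].replace('"', "'")          # keep the comment a valid quoted string
    parts.append(f'comment "{desc}"')
    return " ".join(parts)


def render_ruleset(allow: list, table: str = "host_filter") -> str:
    """Render a complete inet table whose input chain drops by default.

    Order matters: loopback and already-established flows are accepted before the
    allowlist, and anything that falls off the end of the chain meets 'policy drop'.
    """
    lines = [
        "flush ruleset",
        f"table inet {table} {{",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iif "lo" accept',
        "        ct state invalid drop",
        "        ct state established,related accept",
        "        # allowlist: one line per permitted service",
    ]
    lines += ["        " + render_rule(r) for r in allow]
    lines += [
        "        # anything not matched above is dropped by the chain policy",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(ALLOW), end="")
```

Rendering the rules from a reviewed data structure rather than hand-editing them keeps the default-deny policy explicit and makes it easy to diff what each host is allowed to accept.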

Defense in Depth Layer Four – Network Encryption To Assure Privacy

Network encryption is a very valuable technology when designing the layers of a Defense in Depth strategy. It helps assure private communication between users on the organization’s network and defeats passive monitoring by intruders or adversaries, whatever their motivation. Considering how an attack on the network would unfold, it is easy to see why encryption is such an obvious and critical component: even if an intruder gets past other layers and can capture traffic, many malicious goals are denied when that traffic is encrypted. One caveat applies: encryption only holds against an active attacker on the path if the endpoints also authenticate each other, so certificate and host name verification must not be switched off to make a connection “work”.

This idea is at the core of the entire Defense in Depth strategy, and the logic behind the Information Assurance approach is much easier to see when imagining such a breach layer by layer. Understanding the basic principles, Protect – Detect – React and the importance of People, Technology and Operations, is imperative for any organization, but being able to visualize the reasoning behind them is also critical.

A good way to conceptualize the program is as a series of concentric circles. The innermost circle represents the organization’s most highly sensitive data; each surrounding ring represents a different security measure. On such a model, network encryption would sit very close to the core.
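Added example, not from the original article: the permissive TLS client configuration beside the hardened one, using Python’s standard `ssl` module, with a small audit function that tells them apart. The host name, port and CA file are parameters supplied by the caller; nothing here is specific to any real system.

```python
import socket
import ssl
from typing import List, Optional


def permissive_client_context() -> ssl.SSLContext:
    """The weak setting, shown for contrast: traffic is encrypted, but the peer is never
    verified, so anyone who can sit on the path can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Encryption plus peer authentication: require a certificate that chains to a trusted
    CA, check that it names the host we asked for, and refuse TLS versions below 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION              # TLS-level compression leaks plaintext (CRIME)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("host name not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 still negotiable")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


def open_private_channel(host: str, port: int = 443,
                         cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Connect with the hardened context. server_hostname drives both SNI and the
    host name check; omitting it would silently disable the latter."""
    ctx = hardened_client_context(cafile)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("permissive:", audit_context(permissive_client_context()) or "ok")
    print("hardened:  ", audit_context(hardened_client_context()) or "ok")
```

The audit function is the kind of check worth wiring into a code review or test suite: a context that encrypts without verifying the peer looks identical on the wire to a secure one, so the weakness is only visible in configuration.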

Defense in Depth Layer Five – Detecting And Remediating Threats To A Network’s Integrity

This layer puts the People portion of the People, Technology and Operations principle to use, as well as the Detect and React aspects of the Protect – Detect – React paradigm. If the previous layers have been put in place properly, the organization’s IT personnel have the tools they need to monitor for and detect threats and attacks on its networks: firewall drop logs, authentication failures and unexpected traffic between segments are all evidence those layers produce. When people within the organization detect a threat or an attack, a specific course of action should already be defined and ready to execute.

This means that IT personnel should be prepared for many different scenarios and should have run drills on security breaches in order to rehearse them. As long as the organization’s IT personnel are capable of remediating a threat to the network’s integrity, this layer of the Defense in Depth strategy uses human judgment to further deter and ward off many kinds of adversaries.

Bringing the human element into the Information Assurance equation shows why the balance is necessary: people can perform remediation tasks that automated technology often cannot, such as judging whether a noisy account has been compromised or is merely misconfigured. Human intervention is a costly resource, however, and should be reserved for cases where several other layers of security have already been infiltrated; in that sense it is close to a last resort. Nonetheless, IT personnel must always be prepared for that eventuality in order to protect the integrity of the organization’s network.
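An added example of the Detect and React steps, not taken from the original article: a Python sliding-window detector run over a constructed sshd-style log excerpt. The addresses, user names and timestamps are invented (the attacker sits in the TEST-NET-3 documentation range); the threshold, window and the React action attached to each alert are assumptions that a team would replace with its own runbook values.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed log excerpt for this example: ISO timestamps, sshd-style messages,
# a TEST-NET-3 address for the attacker. Not from the article or any real host.
SAMPLE_LOG = """\
2024-03-03T10:01:12 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-03T10:01:15 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-03T10:01:18 bastion sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
2024-03-03T10:01:21 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 51030 ssh2
2024-03-03T10:01:24 bastion sshd[2109]: Failed password for svc_backup from 203.0.113.7 port 51033 ssh2
2024-03-03T10:01:27 bastion sshd[2111]: Failed password for svc_backup from 203.0.113.7 port 51035 ssh2
2024-03-03T10:01:40 bastion sshd[2113]: Accepted password for svc_backup from 203.0.113.7 port 51037 ssh2
2024-03-03T10:02:00 bastion sshd[2120]: Failed password for alice from 10.10.0.5 port 40110 ssh2
2024-03-03T10:02:05 bastion sshd[2122]: Accepted publickey for alice from 10.10.0.5 port 40112 ssh2
2024-03-03T10:02:09 bastion sshd[2122]: pam_unix(sshd:session): session opened for user alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
OK_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")


@dataclass
class Alert:
    severity: str
    kind: str
    source: str
    detail: str
    action: str     # the pre-agreed React step for this kind of event


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'fail' | 'ok', user, source) for auth lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    for kind, pattern in (("fail", FAIL_RE), ("ok", OK_RE)):
        a = pattern.match(m["msg"])
        if a:
            return ts, kind, a["user"], a["src"]
    return None


def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Per-source sliding-window detection.

    Raises one 'brute_force' alert when a source accumulates `threshold` failures inside
    `window`, and a 'success_after_failures' alert if that same source then logs in while
    those failures are still inside the window (the case that needs a human right away).
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted: Set[str] = set()
    alerts: List[Alert] = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, kind, user, src = rec
        recent = failures[src]
        while recent and ts - recent[0] > window:      # expire failures that left the window
            recent.popleft()
        if kind == "fail":
            recent.append(ts)
            if len(recent) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(Alert(
                    "high", "brute_force", src,
                    f"{len(recent)} failed logins within {window} (last target: {user})",
                    f"block {src} at the perimeter firewall and review the targeted accounts"))
        elif len(recent) >= threshold:
            alerts.append(Alert(
                "critical", "success_after_failures", src,
                f"successful login for {user} after {len(recent)} recent failures",
                f"terminate {user}'s sessions, reset the credential, preserve the host for forensics"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.kind} from {a.source}: {a.detail}\n  -> {a.action}")
```

Run against the sample, the detector raises a high-severity alert at the fifth failure from 203.0.113.7 and a critical one when the same source then succeeds against svc_backup, while alice’s single typo followed by a key-based login produces nothing. Attaching the agreed response to the alert itself is what turns Detect into React without a meeting.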

Defense in Depth Layer Six – Endpoint Security Through Policy-Based Enforcement

Individual computer users within an organization round out the overall Defense in Depth concept. End users must be well trained in what is and is not permissible in the use of their individual computers, and wherever the technology allows, the policy should be enforced on the endpoint itself rather than left to the user’s memory. Clear consequences for employees who fail to adhere to the policies are a practical way of ensuring that security protocols are followed. The organization’s policies on computer security and acceptable use should be clearly written and made available to every employee.

Periodic seminars or presentations on the importance of these policies are an excellent way of keeping them fresh in the minds of personnel. A strict zero-tolerance policy for deliberate disregard of the rules must be put in place and enforced at all levels of the organization.

Conclusion to Defense in Depth

With the sixth layer, the circle of methods behind the Defense in Depth approach to Information Assurance comes back to its beginning. The strategy begins with technology-based security measures and ends with human intervention and each person’s adherence to the measures that have been set, which highlights the reasoning behind the People, Technology and Operations idea at the heart of this form of Information Assurance.

In Defense in Depth, Protect – Detect – React starts and ends with the people in an organization. The additional layers use technology and operational standards to reduce the likelihood of a security breach. This multilayer approach is an effective strategy for protecting the integrity of an organization’s information technology, and a major reason for the popularity of the Defense in Depth method. Regardless of size or scope, virtually any organization can apply these Defense in Depth standards to reduce its risk of attack.
