Defense in depth (computing)
Defense in Depth (also known as layered security and layered defense) is an information assurance (IA) concept. It uses multiple layers of security controls (defenses) placed throughout an information technology (IT) system. The multiple layers are not of the same security tool. It uses several different kinds of security with each protecting against a different security attack.
Background[change | change source]
Defense in depth is originally a military strategy. It seeks to delay rather than prevent the advance of an attacker by yielding space to buy time. The National Security Agency (NSA) changed the concept to be a comprehensive approach to information and electronic security.
The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system. Multiple layers of defense can prevent espionage. They also prevent direct attacks against critical systems. In terms of computer network defense, defense in depth measures should not only prevent security breaches but also buy an organization time to detect and respond to an attack.
Onion model[change | change source]
Defense in depth has long been explained by using the onion as an example of the various layers of security. The outer layer contains the firewall. Middle layers contain various controls. The data is in the center protected by the other defenses.
A newer concept is the kill chain. Borrowed from the military it is a method of detecting and breaking an opponent's kill chain. Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.
Related pages[change | change source]
Using more than one of the following layers constitutes defense in depth.
- Antivirus software
- Authentication and password security
- Firewall (networking)
- Hashing passwords
- Intrusion detection systems (IDS)
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Physical security (e.g. deadbolt locks)
- Internet Security Awareness Training
- Virtual private network (VPN)
- Intrusion Protection System (IPS)
References[change | change source]
- "Understanding layered security and defense in depth". TechRepublic. Retrieved 13 November 2015.
- Michiko Phifer, A Handbook of Military Strategy and Tactics (New Delhi: Vij Books India Private Limited, 2012), p. 102
- "Defense in Depth: A practical strategy for achieving Information Assurance in today's highly networked environments" (PDF). Archived from the original (PDF) on 2010-05-13. Retrieved 2015-11-13.
- Randy Tanaka. "Back to Basics – Defense in Depth". Western Independent Bankers. Archived from the original on 7 March 2016. Retrieved 13 November 2015.
- Steve Ocepek (13 August 2014). "Unraveling the Onion: A New Take on Defense-in-Depth". SecureState LLC. Archived from the original on 12 October 2016. Retrieved 13 November 2015.
- "The Industrial Control System Cyber Kill Chain". SANS Institute. Retrieved 13 November 2015.
- "How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack". Dark Reading. Retrieved 13 November 2015.