There have been many definitions of the buzzword "defence in depth", and several articles have weighed in on what the concept really means. In simple terms, it is the implementation of a series of layered security controls to protect our "Crown Jewels". Some articles define defence in depth purely in terms of technical controls, as the stacking of different kinds of preventive technical controls so that assets remain protected when one of them fails. The usual example is the network. In a multi-tier network comprising the boundary/edge, the Demilitarized Zone (DMZ) and the internal systems, organisations have traditionally used firewalls to mediate traffic between untrusted and trusted zones. Under this reading, defence in depth means deploying multiple layers of different firewall products (Cisco, Palo Alto, FortiGate, Check Point, Sophos, etc.) across these zones to give several layers of protection for both inbound and outbound traffic.
The idea of placing a different firewall product in each zone (the internet edge, the DMZ and the internal network) is to provide multiple levels of protection around the core of the system. One school of thought, in support of this architecture, argues that it is unlikely that every firewall product in the line of defence will be exposed to the same or a similar vulnerability at the same time. Likewise, a missed firmware update on one firewall product does not automatically expose the entire path to the core network, because the remaining tiers still enforce their own policy.
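To make the "every tier must independently permit the flow" argument concrete, here is a small model of that three-tier path. It is an added illustration, not code from the original article: the zone names, rule sets, port numbers and the `fail_open` flag (standing in for a compromised or unpatched product) are all constructed for the example. The point it shows is that a single tier failing open does not expose the core, whereas the same failure in every tier (a product monoculture hit by one bug) does.

```python
"""Toy model of a layered firewall path: internet edge, DMZ and internal
firewalls in series. Added illustration, not code from the original
article; zones, ports and rule sets are constructed for the example."""
from dataclasses import dataclass, field

# Zones in order along the path from the internet inward; the index of a
# zone is also the index of the firewall tier that sits in that zone.
ZONES = ["internet", "dmz", "internal"]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


@dataclass
class Firewall:
    """One tier's policy: an allow-list evaluated independently of the others.

    fail_open models a tier that has been compromised or misconfigured,
    e.g. an unpatched product whose vulnerability lets traffic straight through.
    """
    name: str
    allow: list = field(default_factory=list)  # (src_zone, dst_zone, dst_port)
    fail_open: bool = False

    def permits(self, f: Flow) -> bool:
        if self.fail_open:
            return True
        return (f.src_zone, f.dst_zone, f.dst_port) in self.allow


def build_tiers(**fail_open) -> list:
    """Three tiers; pass e.g. edge=True to mark that tier as failed open."""
    edge = Firewall("edge",
                    allow=[("internet", "dmz", 443), ("dmz", "internet", 443)],
                    fail_open=fail_open.get("edge", False))
    dmz = Firewall("dmz",
                   allow=[("internet", "dmz", 443), ("dmz", "internet", 443),
                          ("dmz", "internal", 5432)],
                   fail_open=fail_open.get("dmz", False))
    internal = Firewall("internal",
                        allow=[("dmz", "internal", 5432)],
                        fail_open=fail_open.get("internal", False))
    return [edge, dmz, internal]


def tiers_crossed(tiers: list, f: Flow) -> list:
    """A flow crosses every tier whose zone lies between source and destination."""
    i, j = ZONES.index(f.src_zone), ZONES.index(f.dst_zone)
    lo, hi = min(i, j), max(i, j)
    return tiers[lo:hi + 1]


def path_permits(tiers: list, f: Flow):
    """Defence in depth as a conjunction: every tier on the path must permit.
    Returns (overall verdict, per-tier verdicts) so a denial can be traced."""
    verdicts = [(t.name, t.permits(f)) for t in tiers_crossed(tiers, f)]
    return all(v for _, v in verdicts), verdicts


def demo() -> dict:
    web = Flow("internet", "dmz", 443)        # legitimate inbound HTTPS
    rdp = Flow("internet", "internal", 3389)  # attacker reaching for RDP inside

    healthy = build_tiers()
    edge_down = build_tiers(edge=True)                             # one product fails open
    monoculture = build_tiers(edge=True, dmz=True, internal=True)  # same bug everywhere

    return {
        "web_allowed": path_permits(healthy, web)[0],
        "rdp_blocked": not path_permits(healthy, rdp)[0],
        "rdp_blocked_edge_down": not path_permits(edge_down, rdp)[0],
        "edge_down_verdicts": path_permits(edge_down, rdp)[1],
        "rdp_open_monoculture": path_permits(monoculture, rdp)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the healthy path admitting HTTPS to the DMZ and refusing RDP to the internal network; with the edge tier failed open the RDP attempt is still refused by the DMZ and internal tiers; only when every tier fails open does the flow reach the core. That last case is the monoculture risk the product-diversity argument is trying to avoid.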
Likewise, a similar argument applies in physical security. The security guard provides one level of defence; other physical controls such as bollards, turnstiles and mantraps provide another. A third level consists of some combination of locks and keys together with Closed-Circuit Television (CCTV), which is a detective rather than a preventive control but still adds depth by recording an intrusion the earlier layers missed. The same reasoning holds: a vulnerability in one layer is unlikely to expose the others. If an intruder manages to get past the turnstiles and the bollards, it is less likely that they will be able to defeat the next line of defence by exploiting the same weakness. Good reasoning!
Nevertheless, is that what defence in depth means? Partly, but it is much more than that. Defence in depth is the layering of a series of defensive mechanisms to protect information assets. It is the layering of a combination of physical, administrative and technical controls to achieve more robust protection for any information of value to the organisation.
It is not adequate to rely on only one type of control for asset protection. Physical or technical controls alone are not sufficient to protect information assets. A layered combination of all three types has proved far more formidable in protecting an information asset than layering different kinds of technical control alone.
Administrative controls comprise the policies and procedures put in place so that organisational standards and requirements guide employees. These are preventive controls aimed at changing employee behaviour. However, controls consisting only of policies and procedures will not stop a determined, unauthorised person from gaining access to the information system.
Physical controls are security measures that prevent physical access to an organisation's information assets. Examples include security guards, bollards, turnstiles and CCTV.
Technical controls are security measures that protect the supporting assets within the organisation's IT processing environment, which includes the hardware, software and networks. Again, technical controls alone may not prevent a determined and sophisticated intruder from gaining access to the network.
In conclusion, defence in depth is the use of a combination of administrative, technical and physical controls in a layered architecture to protect what matters to the organisation.
Written by:
Ben Nnatuanya
Senior Consultant