Defense in depth (computing)

Last updated

Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle.

Contents

Background

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. [1] It is a layering tactic, conceived [2] by the National Security Agency (NSA) as a comprehensive approach to information and electronic security. [3] [4] The term defense in depth in computing is inspired by a military strategy of the same name, but is quite different in concept. The military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time, envelop, and ultimately counter-attack an opponent, whereas the information security strategy simply involves multiple layers of controls, but not intentionally ceding ground (cf. honeypot.)

The onion model of defense in depth Defense In Depth - Onion Model.svg
The onion model of defense in depth

Information security must protect information throughout its lifespan, from the initial creation of the information on through to the final disposal of the information. [5] The information must be protected while in motion and while at rest. During its lifetime, information may pass through many different information processing systems and through many different parts of information processing systems. [6] There are many different ways the information and information systems can be threatened. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. [7] The building up, layering on, and overlapping of security measures is called "defense in depth." [8] In contrast to a metal chain, which is famously only as strong as its weakest link, the defense in depth strategy aims at a structure where, should one defensive measure fail, other measures will continue to provide protection. [9]

Recall the earlier discussion about administrative controls, logical controls, and physical controls. The three types of controls can be used to form the basis upon which to build a defense in depth strategy. [10] With this approach, defense in depth can be conceptualized as three distinct layers or planes laid one on top of the other. [11] Additional insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and network security, host-based security, and application security forming the outermost layers of the onion. [12] Both perspectives are equally valid, and each provides valuable insight into the implementation of a good defense in depth strategy. [13]

Controls

Defense in depth can be divided into three areas: Physical, Technical, and Administrative. [14]

Physical

Physical controls [3] are anything that physically limits or prevents access to IT systems. Fences, guards, dogs, and CCTV systems and the like.

Technical

Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, File integrity software, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.

Administrative

Administrative controls are organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.

Methods

Using more than one of the following layers constitutes an example of defense in depth.

System and application

Network

Physical

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Despite its goal, encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

<span class="mw-page-title-main">Secure cryptoprocessor</span> Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

In computers, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems. Logical access is often needed for remote access of hardware and is often contrasted with the term "physical access", which refers to interactions with hardware in the physical environment, where equipment is stored and used.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

The following outline is provided as an overview of and topical guide to computer security:

Data-centric security is an approach to security that emphasizes the dependability of the data itself rather than the security of networks, servers, or applications. Data-centric security is evolving rapidly as enterprises increasingly rely on digital information to run their business and big data projects become mainstream. It involves the separation of data and digital rights management that assign encrypted files to pre-defined access control lists, ensuring access rights to critical and confidential data are aligned with documented business needs and job requirements that are attached to user identities.

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

Cybersecurity engineering is a tech discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.

References

  1. Schneier on Security: Security in the Cloud
  2. "Some principles of secure design. Designing Secure Systems module Autumn PDF Free Download". docplayer.net. Retrieved 2020-12-12.
  3. 1 2 Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.
  4. OWASP CheatSheet: Defense in depth
  5. "Residents Must Protect Their Private Information". JAMA. 279 (17): 1410B. 1998-05-06. doi: 10.1001/jama.279.17.1410 . ISSN   0098-7484.
  6. "Group Wisdom Support Systems: Aggregating the Insights of Many Through Information Technology". Issues in Information Systems. 2008. doi: 10.48009/2_iis_2008_343-350 . ISSN   1529-7314.
  7. "INTERDEPENDENCIES OF INFORMATION SYSTEMS", Lessons Learned: Critical Information Infrastructure Protection, IT Governance Publishing, pp. 34–37, 2018, doi:10.2307/j.ctt1xhr7hq.13, ISBN   978-1-84928-958-0 , retrieved 2021-05-29
  8. "Managing Network Security", Network Perimeter Security, Auerbach Publications, pp. 17–66, 2003-10-27, doi:10.1201/9780203508046-3, ISBN   978-0-429-21157-7 , retrieved 2021-05-29
  9. Kakareka, A. (2013). "Chapter 31: What is Vulnerability Assessment?". In Vacca, J.R. (ed.). Computer and Information Security Handbook (2nd ed.). Elsevier. pp. 541–552. ISBN   9780123946126.
  10. "Administrative Controls", Occupational Ergonomics, CRC Press, pp. 443–666, 2003-03-26, doi:10.1201/9780203507933-6, ISBN   978-0-429-21155-3 , retrieved 2021-05-29
  11. Duke, P. A.; Howard, I. P. (2012-08-17). "Processing vertical size disparities in distinct depth planes". Journal of Vision. 12 (8): 10. doi:10.1167/12.8.10. ISSN   1534-7362. PMID   22904355.
  12. "Security Onion Control Scripts". Applied Network Security Monitoring. Elsevier. 2014. pp. 451–456. doi:10.1016/b978-0-12-417208-1.09986-4. ISBN   978-0-12-417208-1 . Retrieved 2021-05-29.
  13. Saia, Sergio; Fragasso, Mariagiovanna; Vita, Pasquale De; Beleggia, Romina. "Metabolomics Provides Valuable Insight for the Study of Durum Wheat: A Review". Journal of Agricultural and Food Chemistry. doi:10.1021/acs.jafc.8b07097.s001 . Retrieved 2021-05-29.
  14. Stewart, James Michael; Chapple, Mike; Gibson, Darril (2015). CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons. ISBN   978-1-119-04271-6.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.