Thursday, December 6, 2012

Defense in Depth: The Layered Security Solution

“Better to be despised for too anxious apprehensions, than ruined by too confident security.”— Edmund Burke
In order to maintain some cohesion throughout this blog experience, I have decided to focus on Defense in Depth (DID) as an information security solution.  I will begin by providing an overview of the DID structure, then subsequent postings will discuss each of the components in greater detail. 
There are several DID models out there, but most of them include the following general categories, listed from outermost to innermost layer:
1. Policies/Procedures/Awareness/Education
2. Physical
3. Perimeter
4. Internal Network
5. Host
6. Application
7. Data
The following image, retrieved from http://technet.microsoft.com/en-us/library/cc512681.aspx, is a representation of these layers.
Each of these layers represents an opportunity to build security into the information technology framework so that, so to speak, all the bases are covered. The point of a layered approach is that the controls at each layer work independently of one another: a control at one layer does not rely on the layer outside it having held. Defense measures at every layer can greatly reduce both the likelihood and the impact of vulnerabilities, attacks, and intrusions, which in turn saves a lot of time, money, and frustration.
DID is historically based on a military strategy of bolstering defenses so that breaching one line only brings the attacker up against the next; such a strategy may exhaust the resources of the offense in the meantime, allowing key defensive resources to remain protected. There are, however, advantages and disadvantages to this strategy.
DID’s main advantage is, of course, added security.  DID creates multiple layers of protection so that if one defensive measure fails, there are more behind it to continue protecting the assets.  This is especially important because a combination of many different kinds of security tools is required to provide protection from modern threats;  there is no single solution for the information security problems being faced today.
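To make the "if one defensive measure fails, there are more behind it" idea concrete, here is an added example (not code from the original post): a small Python script that models three of the seven layers listed above, perimeter (3), application (6), and data (7), as independent controls around a single user lookup. The signature filter, the two versions of the query, the in-memory SQLite database, and the attack payloads are all constructed for this example and are assumptions, not something the post describes. The filter is written to be weak on purpose so that the bypass can be shown; the hardened query and the read-only connection are the layers that hold when it fails.

```python
"""
Added example, not from the original post: three DID layers modeled as
independent controls, so a payload that slips past one is stopped by the next.
All data, names and payloads below are constructed for the example.
"""
import re
import sqlite3


def make_db():
    """Constructed sample database (assumption for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);"
        "INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user');"
    )
    return conn


# Layer 3 (perimeter): a signature filter of the kind a WAF applies.
# Deliberately naive so that the example can show it being bypassed.
PERIMETER_SIGNATURES = [
    re.compile(r"(?i)\bor\s+1\s*=\s*1"),
    re.compile(r"(?i)\bunion\s+select"),
]


def perimeter_allows(payload: str) -> bool:
    """Return True if the perimeter filter would let the request through."""
    return not any(sig.search(payload) for sig in PERIMETER_SIGNATURES)


# Layer 6 (application): the same lookup written two ways.
def lookup_legacy(conn, name: str):
    """Vulnerable on purpose: concatenation lets the input become SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'"
    ).fetchall()


def lookup_hardened(conn, name: str):
    """Parameterized: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Layer 7 (data): least privilege on the connection the lookup feature uses.
def restrict_to_read_only(conn):
    """Mark the connection read-only via SQLite's query_only pragma."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def data_layer_blocks_write(conn) -> bool:
    """True if an attacker holding this connection still cannot modify data."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True
    return False


def walk_layers(payload: str, hardened: bool) -> dict:
    """Run one payload through the modeled layers and report each outcome."""
    conn = restrict_to_read_only(make_db())
    report = {"perimeter_allowed": perimeter_allows(payload)}
    lookup = lookup_hardened if hardened else lookup_legacy
    # Assume the attacker found a bypass: evaluate the inner layers regardless
    # of the perimeter verdict, which is exactly what DID plans for.
    report["rows_returned"] = len(lookup(conn, payload))
    report["write_blocked_by_data_layer"] = data_layer_blocks_write(conn)
    return report


if __name__ == "__main__":
    obvious = "x' OR 1=1 --"      # matches a perimeter signature
    obfuscated = "x' OR 2>1 --"   # same logic, no signature match
    for payload in (obvious, obfuscated):
        for hardened in (False, True):
            label = "hardened" if hardened else "legacy"
            print(f"{payload!r:20} {label:9} {walk_layers(payload, hardened)}")
```

Run it and compare the rows: the obvious payload is caught at the perimeter, the obfuscated one is not, and only the parameterized lookup treats it as a literal name and returns nothing. Whichever query path is in use, the read-only connection still refuses the write, which is the data layer holding even after the layers outside it have been defeated.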
DID’s main disadvantage is complexity. Implementing security at every layer takes a lot of planning and valuable resources. It is important to consider whether and how the security measures can work together, as well as the maintenance, administration, and monitoring that each one requires; a control nobody monitors or maintains adds cost without adding much protection. DID must achieve a balance between protection capability and cost, performance, and operational considerations.
Overall, DID is really an application of best practices; this approach to information security makes a lot of sense.  More equals better in most cases, right?  But the important question to answer is “More of what?”  That is what we will seek to find throughout this blog series.     
Join me next time to learn about how policies and procedures provide the hard outer shell to the DID structure. 
Thanks for reading!
Jen
