Defense in Depth Explained

As we continue to move forward in the age of Work-From-Home (WFH), and data continues to grow and reside in locations outside of on-premises data centers, we must take a closer look at, and re-evaluate, how we protect and secure data. Traditional network security alone is no longer enough to protect your data. Today's cyber threats are more sophisticated and employ tactics like socially engineered phishing attacks. Malicious code like ransomware is not going away either: research by Cybersecurity Ventures projects a ransomware attack on a business every 11 seconds. In addition, organizations may have to contend with the proliferation of data across a myriad of locations and systems, creating silos of information known as mass data fragmentation. This has increased the attack footprint for malicious actors looking for weak entry points. So what can enterprise IT and security teams do to bolster an organization's security posture? One approach is to employ a Defense in Depth (DiD) strategy. Let's define what Defense in Depth is.

What is Defense in Depth?

Defense in Depth (DiD) is a security strategy that layers multiple, independent security measures to protect an organization's assets. The strategy described here spreads defensive mechanisms across seven layers so that if one layer fails, the remaining six still offer strong but different defenses; an attacker has to defeat each in turn rather than find a single weak point. Defense in depth is often referred to as the castle approach because it mirrors the layered defenses of a medieval castle, shown below. Before an invader can get to the crown jewels, they must cross the moat, scale the ramparts, pass the drawbridge, and survive the archers on the high towers before they can breach the keep. The same is true of defense in depth. Let's jump in and review the 7 layers!


Figure 1. The castle approach. Credit: Cederic Vandenberghe

Defense in Depth Layers

An organization's data is considered to be its most important asset, well, right after its people. Data can consist of an organization's Intellectual Property (IP), a patient's medical records, or a customer's personal information. Much of this data is also under strict regulatory control, with PCI DSS and HIPAA as examples. Figure 2 below displays the seven layers of Defense in Depth. Think of the individual security layers as concentric circles deployed around the organization's crown jewels, its data. We'll define each layer and some of the mechanisms that can be deployed within it. Let's dive in!

Figure 2: 7 layers of Defense in Depth

Policies, Procedures, and Awareness – Every business depends on its workforce. People are an organization's greatest asset, but people are also prone to error and lapses in judgment. Today, employees have access to a staggering amount of data, much of it highly regulated. This layer is all about creating a culture that promotes adherence to policies and continued cybersecurity awareness. So what does this entail? You can employ the following:

  • Annual training and policy review – Ongoing training, starting when an employee onboards, sets the tone for expectations and reinforces your data security culture. It should also apply to contractors and partners. This helps with long-term awareness and protects the organization from forgetful staff and unnecessary internal risk. It also serves to remind staff of current cyber threats, such as the phishing lures in circulation.
  • Strong password security and Single sign-on (SSO) – Password strength and security are critically important. Employees' and contractors' passwords should be long, unique to each system, never written down or shared, and applied to any device used to connect to the corporate network and data. SSO reduces the number of passwords a user has to manage, so each one can be strong, and lets you enforce one well-configured policy instead of relying on each application's own requirements. This helps protect against malicious actors looking for weak entry points to the network and compensates for applications with weak password requirements.
  • Multi-factor Authentication (MFA) – MFA requires a user seeking access to provide more than one piece of evidence before being granted access to data and resources. Just entering a password isn't good enough. When MFA is enabled, the user must also prove possession of something else, such as a one-time code generated on or sent to their mobile phone, or a hardware security key, thus providing two pieces of evidence that they are who they claim to be. This protects against lost or stolen devices and passwords falling into the wrong hands, and prevents bad actors from gaining access to an organization's network via weak or reused passwords. One caveat: codes sent by SMS or typed from an authenticator app can still be phished by a site that relays them to the real login in real time, so phishing-resistant methods such as FIDO2 security keys, which bind the login to the genuine site, should be preferred for privileged accounts.

Physical Security – As you may imagine, physical security deals with things you can touch, feel, and see. Physical assets like data center facilities, servers, and environmental controls also need to be protected. After all, servers run the majority of your workloads. Physical security might feel like an antiquated protocol, but it is a critical element of protecting your data. Environmental and human threats are very real: if bad actors, water, or fire can reach your physical assets, your organization is at risk. Here are some elements of good physical security:

  • Security Guards – Guards are your first line of defense at the data center and enforce identification and approval before anyone gets physical access to data centers and physical assets. Guards help prevent forced intrusion and entry by unauthorized employees, contractors, and vendors.
  • Power redundancy – A hard power-off can corrupt systems and data. Redundant power supplies and an uninterruptible power supply (UPS) give IT staff time to shut systems down cleanly, avoiding corruption and interrupted access to data. This also includes generators for extended outages.
  • Fire suppression – This is about protecting against events like a fire. Your physical data centers run workloads and hold sensitive data; protecting against a fire ensures that data remains available so the business can remain operational.
  • Access control lists and biometrics – Users requesting physical entry and access to resources should be on a master access control list. This list determines who is authorized, and authorized users can be issued badges for swipe-in or enrolled for biometric access.
  • Geographic dispersion – Also known as offsite backups or data replication to alternate locations. This can also take the form of an isolated offsite copy of your data that is not connected back to the corporate environment. This protects you from data becoming inaccessible due to a site outage or to malicious code like ransomware that has infected your on-premises data centers; a copy the ransomware cannot reach is what makes recovery possible.

Perimeter Defense – If physical security protects your data from physical access to your facilities and devices, perimeter defense does the same for network access. Perimeter defense is typically considered your first line of network defense. Malicious actors are out there, scanning networks and probing for weak spots, open ports, and unpatched vulnerabilities that make easy targets. Several mechanisms belong at this layer.

  • Penetration and vulnerability testing – Penetration testing and regular vulnerability scans conducted by your security team identify external and internal vulnerabilities. Yearly third-party penetration tests can be more comprehensive in determining where weak entry points exist. This helps protect against malicious actors, unpatched vulnerabilities, and lax security settings.
  • Early Denial of Service (DoS) attack prevention – A DoS or distributed DoS (DDoS) mitigation service, ideally one that absorbs the traffic upstream of your own links, helps protect the organization against attacks that render machines or networks unavailable. It also prevents excessive requests from overloading a system and keeping legitimate requests from being fulfilled.
  • Next-Generation Firewalls (NGFW) – Next-gen firewalls combine traditional firewall functionality with other network functions such as Deep Packet Inspection (DPI) and Intrusion Prevention Systems (IPS). The benefit of a next-gen firewall is that it can identify and block malware and application-layer attacks that a purely port-based firewall would pass. They are better equipped to handle advanced persistent threats (APTs), prolonged and targeted attacks in which an intruder gains access to a network and remains undetected for an extended period. Note that DPI can only inspect TLS traffic if the firewall is configured to intercept it.
  • Security Information and Event Management (SIEM) – A SIEM tool collects logs from firewalls, hosts, and applications and provides real-time analysis of security alerts. It does not block attacks itself; its value is in early detection, early investigation, and early recovery, so that an intrusion at the perimeter is noticed before it becomes a breach of the inner layers.

Internal Network Security – Beyond the perimeter defense is the internal network security layer. In our castle analogy, this would be the tall castle wall. Threat actors employ sophisticated tactics to try to breach the internal network, and because your internal network connects to so many critical assets, this layer can be subject to more attacks than other layers. There are multiple strategies and solutions you can use here.

  • Encryption in-transit – This is a critical component of a tightly secured environment. Sensitive data traversing the network, both inside and outside, should be encrypted so that no prying eyes can read it, and the connection should be authenticated so it cannot be silently intercepted. This helps ensure that only authorized parties can read the data, and it helps satisfy requirements such as PCI DSS that mandate encryption of sensitive data over open networks.
  • High Availability (HA) – Redundant configurations (clustered services, paired network devices, redundant links) keep services running through hardware failures and unexpected power outages. HA within a single site does not protect you from a natural disaster that takes out the whole site; that requires the geographic dispersion described under physical security.
  • Internal firewalls and network segments – Also known as micro-segmentation. This strategy divides the network into smaller zones and uses policies to determine how data and applications can be accessed, with traffic between zones denied unless explicitly allowed. It limits lateral movement by giving users and systems access only to the resources they need. In essence, this greatly reduces the attack surface should a bad actor gain a foothold via compromised credentials or a compromised host.
  • Role-based access controls (RBAC) – Now we're getting into elements of zero trust. Role-based access control helps satisfy the principle of least privilege, which means a user is given only enough access to perform their specific duties. This also minimizes the attack footprint of a bad actor who gains access to a user's credentials.
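The following added example (not code from the original article) shows what "limits lateral movement" means in measurable terms. It models a default-deny segmentation policy as a list of explicit allow rules and computes the set of services a compromised host can reach directly, once for a flat network and once for the segmented one. The zones, addresses and service inventory are constructed for the example; the evaluation is a model of the policy, not a firewall implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class AllowRule:
    """One explicit allow: source zone -> destination zone on a TCP port.
    A flow that matches no rule is denied; that default-deny posture is
    what makes micro-segmentation effective."""
    src: str
    dst: str
    port: int


# Constructed zones for the example; the addresses are illustrative only.
WORKSTATIONS = "10.10.0.0/24"
WEB_TIER = "10.20.0.0/24"
DB_TIER = "10.30.0.0/24"
JUMP_HOSTS = "10.40.0.0/28"

SEGMENTED_POLICY: List[AllowRule] = [
    AllowRule(WORKSTATIONS, WEB_TIER, 443),  # users reach the app over HTTPS
    AllowRule(WEB_TIER, DB_TIER, 5432),      # only the app tier talks to Postgres
    AllowRule(JUMP_HOSTS, WEB_TIER, 22),     # admins go through the jump host
    AllowRule(JUMP_HOSTS, DB_TIER, 22),
]

# The same network with no internal firewalls: every zone reaches every port.
FLAT_POLICY: List[AllowRule] = [
    AllowRule("0.0.0.0/0", "0.0.0.0/0", p) for p in (22, 443, 5432)
]

# Constructed inventory of listening services as (host, port).
SERVICES: List[Tuple[str, int]] = [
    ("10.20.0.5", 443), ("10.20.0.5", 22),
    ("10.30.0.9", 5432), ("10.30.0.9", 22),
]


def is_allowed(policy: List[AllowRule], src_ip: str, dst_ip: str,
               port: int) -> bool:
    """Evaluate a single flow against the policy (default deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(
        s in ip_network(r.src) and d in ip_network(r.dst) and port == r.port
        for r in policy
    )


def blast_radius(policy: List[AllowRule], compromised_ip: str,
                 services: List[Tuple[str, int]] = SERVICES) -> Set[Tuple[str, int]]:
    """Services a compromised host can reach directly under the policy:
    its lateral-movement surface."""
    return {(h, p) for h, p in services
            if is_allowed(policy, compromised_ip, h, p)}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "from a workstation:", sorted(blast_radius(policy, "10.10.0.23")))
        print(name, "from the web server:", sorted(blast_radius(policy, "10.20.0.5")))
```

Run against the constructed inventory, a phished workstation on the flat network can reach every service including the database port, while on the segmented network it reaches only the web tier on 443; even a fully compromised web server sees just the database port it legitimately needs, never SSH. The same calculation, fed from real firewall rules and a real service inventory, is a useful way to review a segmentation design before an attacker does it for you.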

Host Security – Hosts need love too. After all, many critical workloads run on servers. With so many advanced technologies available for protecting your perimeter and your internal network, it may be tempting to skip over the hosts, but don't skip hardening your host operating systems. Here are some methods you can employ.

  • Endpoint detection and response (EDR) – Tools like endpoint anti-virus and malware detection help detect and fight malicious code. The newer class of these tools, EDR, records process, file, and network activity on the host and can flag unknown threats by their behavior rather than by a known signature, and it gives responders the telemetry they need to scope an incident.
  • Hardened host deployments – Your hosts should be hardened: build them from a baseline (such as a CIS Benchmark) that removes unneeded services, applications, and insecure default settings, and check regularly for new vulnerabilities so they carry the latest security patches. This eliminates applications and settings that create security risk and prevents vulnerable applications from compromising the environment.
  • Patch management – Last but not least on this list is timely patching of all your hosts. Critical and high-severity patches should be applied as quickly as possible, 90 days at the very most, and far sooner for internet-facing systems and for vulnerabilities known to be exploited in the wild. Patches should still be validated in a test environment before being deployed to production.

Application Security – Applications exist to give users convenient access to data. That data can be highly regulated, like healthcare information subject to HIPAA. Therefore, it is important to employ applications that use strong security mechanisms, and to build and configure your own applications the same way.

  • Key management and encryption – Encryption at rest and in transit are fundamentals of data security. They keep unauthorized users from reading data in the case of exfiltration. However, both are pointless if the encryption keys aren't properly stored and secured; a key stored alongside the data it protects provides no protection at all. Use a Hardware Security Module (HSM), or a cloud key management service backed by one. HSMs are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing the keys used for encrypting and decrypting data, so a key never leaves the device in plaintext.
  • Access Controls – One core factor in application security is ensuring only authorized users can access applications and data. This is accomplished by a variety of methods including group policies, the principle of least privilege, strong password policies, and integration with MFA and SSO. This protects against malicious actors looking for weak entry points and shores up applications that have weak password requirements of their own.
  • Application logging – Logging is key to keeping track of who accessed, viewed, and changed what, and when. It allows monitoring of applications and provides a comprehensive audit trail that aids greatly in forensics. Logs should be shipped off the host to a central store (such as the SIEM) as they are written, so that an attacker who compromises the application cannot quietly erase their tracks.
  • Unique application credentials – Application credentials should be separate from host or network credentials to provide additional barriers. Never use the same password, or the same service account, for multiple systems. This prevents network and host admins from being able to access sensitive application data, and keeps one compromised credential from unlocking every layer.
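An audit trail is only useful in forensics if you can trust it was not edited after the fact. The following added example (not code from the original article) is one way to get that property in the application itself: each audit record carries a SHA-256 hash over its own fields and the previous record's hash, so modifying, inserting or deleting an earlier record breaks every link after it. The events, names and timestamps are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # stands in for the hash "before" the first record


def record_digest(record: Dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself.
    Canonical form (sorted keys, no whitespace) makes the digest reproducible."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_event(chain: List[Dict], event: Dict) -> Dict:
    """Append an audit record whose hash covers its own fields and the
    previous record's hash, linking it to everything written before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, **event}
    record["hash"] = record_digest(record)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return the seq of the first record that fails verification (edited,
    re-hashed, inserted or deleted), or None if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if (rec.get("seq") != i
                or rec.get("prev") != prev
                or rec.get("hash") != record_digest(rec)):
            return i
        prev = rec["hash"]
    return None


# Constructed sample events (users, objects and timestamps are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-03-01T09:01:12Z", "user": "alice", "action": "view", "object": "patient/4471"},
    {"ts": "2024-03-01T09:03:40Z", "user": "alice", "action": "update", "object": "patient/4471"},
    {"ts": "2024-03-01T09:05:02Z", "user": "alice", "action": "export", "object": "patient/4471", "result": "denied"},
]


def build_sample_chain() -> List[Dict]:
    """Write the sample events as a fresh chain."""
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None)
    chain[2]["user"] = "bob"  # someone rewrites who made the change
    print("first bad record after edit:", verify_chain(chain))
```

The chain proves integrity only relative to a trusted anchor: an attacker who controls the whole file can simply rebuild it, and truncating the most recent records leaves a chain that still verifies. Periodically recording the latest hash somewhere the application cannot rewrite (the SIEM, a separate log host, a signed timestamp) closes that gap, which is the same reason the bullet above says to ship logs off the host.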

Data Security – Last but not least is the data security layer. It's all about the data. Data should be the most protected asset, as it can contain critical information about your organization, customers, and patients. Create trusted and controlled zones with strong access controls for your sensitive production data. The following methods help bolster this layer.

  • Encryption at-rest – If data isn't being actively used, it should be encrypted. This keeps inappropriately accessed data from being readable by prying eyes, and if the data (or a backup of it, or a decommissioned disk) ends up in a less secure or untrusted zone, it remains protected as long as the key did not travel with it.
  • Data redundancy – Production and backup data can be replicated to more than one place to protect it and to speed up disaster recovery to meet business continuity requirements. This also gives you another copy of your data should the on-premises copy be compromised by malicious code like ransomware. Keep at least one copy immutable or offline: ransomware that can reach a replica will encrypt it too.
  • Data separation – The data layer should be separated by network segments and firewalls from the rest of the infrastructure, and the only access allowed through should be from the components that need direct access. Data stores should never be externally facing, and a request should pass through two or more layers before reaching them. This protects against unauthorized internal and external access.
  • Least privilege access – The Zero Trust principle of least privilege access is employed at this layer as well. As with the internal network layer, granting admins access only to what they need provides enhanced risk mitigation. Direct access to data should be reserved for the highest privilege tiers, and even those grants should be reviewed periodically and revoked when they are no longer used. This protects against unauthorized parties accessing sensitive data. Like micro-segmentation, least privilege also reduces the attack surface available to a cyber threat.
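Both the RBAC bullet under internal network security and the least privilege bullet here say the same thing: grant only what the role needs. The following added example (not code from the original article) shows a deny-by-default RBAC check and, going one step beyond the text, the review that keeps roles least-privileged over time: comparing what each role is granted against what its members actually exercised according to the application's audit log, and removing the difference. Roles, users and the access log are constructed for the example; the "resource:action" permission strings are an assumed naming convention.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Grants = Dict[str, Set[str]]

# Constructed role definitions and role assignments. Note that the DBA role
# has been given application-data permissions it should not need.
ROLE_GRANTS: Grants = {
    "billing_clerk": {"invoice:read", "invoice:write", "patient:read", "patient:export"},
    "nurse": {"patient:read", "patient:write"},
    "dba": {"db:backup", "db:restore", "patient:read", "patient:export"},
}
USER_ROLES: Grants = {"alice": {"billing_clerk"}, "bob": {"nurse"}, "dave": {"dba"}}

# Constructed access log from the application's audit trail over a review
# period: (user, permission actually exercised).
ACCESS_LOG: List[Tuple[str, str]] = [
    ("alice", "invoice:read"), ("alice", "invoice:write"), ("alice", "patient:read"),
    ("bob", "patient:read"), ("bob", "patient:write"),
    ("dave", "db:backup"), ("dave", "db:backup"),
]


def effective_permissions(user: str, role_grants: Grants = ROLE_GRANTS,
                          user_roles: Grants = USER_ROLES) -> Set[str]:
    """Union of the permissions of every role assigned to the user."""
    return set().union(*(role_grants.get(r, set())
                         for r in user_roles.get(user, set())))


def authorize(user: str, permission: str, role_grants: Grants = ROLE_GRANTS,
              user_roles: Grants = USER_ROLES) -> bool:
    """Deny by default: unknown users and ungranted permissions are refused."""
    return permission in effective_permissions(user, role_grants, user_roles)


def unused_grants(role_grants: Grants, user_roles: Grants,
                  access_log: List[Tuple[str, str]]) -> Grants:
    """For each role, the granted permissions that no member exercised in the
    log. These are the candidates to remove to reach least privilege."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for user, perm in access_log:
        for role in user_roles.get(user, set()):
            if perm in role_grants.get(role, set()):
                used[role].add(perm)
    return {role: perms - used[role] for role, perms in role_grants.items()}


def apply_removals(role_grants: Grants, removals: Grants) -> Grants:
    """Return tightened role definitions with the listed permissions removed."""
    return {role: perms - removals.get(role, set())
            for role, perms in role_grants.items()}


if __name__ == "__main__":
    removals = unused_grants(ROLE_GRANTS, USER_ROLES, ACCESS_LOG)
    for role, perms in removals.items():
        print(f"{role}: remove {sorted(perms) or 'nothing'}")
    tightened = apply_removals(ROLE_GRANTS, removals)
    print("alice may export patient data:", authorize("alice", "patient:export", tightened))
```

On the constructed data the review flags the billing clerk's unused patient export right and every application-data permission on the DBA role, which is exactly the separation the "unique application credentials" bullet argues for. Treat the output as a list to review rather than apply blindly: a permission unused during the window may still be needed (db:restore is exercised only during a recovery), so confirm with the role's owner before revoking, and keep the log window long enough to cover infrequent duties.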


Defense in Depth Can Help Improve Cyber Resiliency

As mentioned earlier, today's cyber threats are very sophisticated. Traditional network security alone is not a viable way to protect today's data, which resides in multiple locations and is accessed by various means. For this very reason, it makes sense to adopt a defense in depth strategy that offers multiple layers, with several defense mechanisms within each layer, so that no single failure exposes the data. This strategy will mitigate today's risk and bolster an organization's cyber resiliency.