Defense in depth (computing)
Defense in depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system. It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle.
Background
The idea behind the defense in depth approach is to defend a system against any particular attack using several, varying methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.[1]
Defense in depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system where multiple layers of defense prevent espionage and direct attacks against critical systems. In terms of computer network defense, defense in depth measures should not only prevent security breaches, but buys an organization time to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach.
Examples
Using more than one of the following layers constitutes defense in depth.
- Physical security (e.g. deadbolt locks)
- Authentication and password security
- Anti virus software
- Firewalls (hardware or software)
- DMZ (demilitarized zones)
- IDS (intrusion detection systems)
- Packet filters
- Routers and switches
- Proxy servers
- VPN (virtual private networks)
- Logging and auditing
- Biometrics
- Timed access control
- Software/hardware not available to the public (but see also security through obscurity)
References
See also
 | This article related to telecommunications is a stub. You can help Wikipedia by expanding it. |
 | This computer science article is a stub. You can help Wikipedia by expanding it. |
 | This computer networking article is a stub. You can help Wikipedia by expanding it. |