Jump to content

Defense in depth (computing)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 109.67.164.96 (talk) at 16:19, 21 November 2016 (additional physical security). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Defense in Depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.

Background

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.[1] It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.[2][3]

Defense in depth is originally a military strategy that seeks to delay rather than prevent the advance of an attacker by yielding space to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system, where multiple layers of defense prevent espionage and direct attacks against critical systems. In terms of computer network defense, defense in depth measures should not only prevent security breaches but also buy an organization time to detect and respond to an attack and so reduce and mitigate the consequences of a breach.

Controls

Defense in depth can be divided into three areas: Physical, Technical, and Administrative.[4]

Physical Controls

Physical controls are anything that physically limits or prevents access to IT systems. Fences, guards, dogs, lions and CCTV systems

Technical Controls

Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and Windows Active Directory. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.

Administrative Controls

Administrative controls are an organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regards to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.

Examples

Using more than one of the following layers constitutes defense in depth[citation needed].

References

  1. ^ Schneier on Security: Security in the Cloud
  2. ^ Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.
  3. ^ OWASP Wiki: Defense in depth [unreliable source?]
  4. ^ Stewart, James Michael; Chapple, Mike; Gibson, Darril (2015). CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide.

See also