Defense in depth (computing)
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited.[1]
Background
[edit | edit source]The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.[2] It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.[3][4]
Defense in depth is sometimes thought of as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and network security, host-based security, and application security forming the outermost layers of the onion.[5]
Tiers
[edit | edit source]Defense in depth can be divided into three overarching areas: Physical, Technical, and Administrative.[6]
Physical
[edit | edit source]Physical controls are anything that physically limits or prevents access to IT systems. Examples of physical defensive security are: fences, guards, dogs, and CCTV systems.[3]
Technical
[edit | edit source]Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls include disk encryption, file integrity software, authentication,[7] network security controls, antiviruses, and behavioural analysis software.[8]
In the event that one layer of defence fails, defense in depth aims to ensure network security via a second-line of defence.[3] For example, if an attacker penetrates a computer system at a given OSI layer (e.g. Layer 3), a redundancy should exist at another layer (Layer 7) to ensure layered defense.[3]
Data security
[edit | edit source]- Data-centric security
- Authentication, authorization, and accounting
- Confidentiality, integrity, and availability
- Authentication and password security
- Encryption
- Hashing passwords
Application security
[edit | edit source]Host security
[edit | edit source]Network security
[edit | edit source]- Logging
- Intrusion detection systems[7]
- Firewalls[7]
- Demilitarized zones
- Network segmentation[9]
- Virtual private network
Administrative and operational
[edit | edit source]Administrative controls are the organization's policies and procedures and govern the organisation's human resources, technology, and operations.[3]
People
[edit | edit source]Technology
[edit | edit source]Operations
[edit | edit source]See also
[edit | edit source]References
[edit | edit source]- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ a b c d e f g h i National Security Agency, Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.
- ^ OWASP CheatSheet: Defense in depth
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ a b c d e f Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ a b c d e Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).