
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited. The layers can cover aspects of ''personnel'', ''procedural'', ''technical'' and ''physical'' security for the duration of the system's life cycle.


Background

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods (Schneier on Security: Security in the Cloud). It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security (Defense in Depth: A practical strategy for achieving Information Assurance in today's highly networked environments; OWASP Wiki: Defense in depth). The term defense in depth in computing is inspired by a military strategy of the same name, but is quite different in concept. The military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time, envelop, and ultimately counter-attack an opponent, whereas the information security strategy simply involves multiple layers of controls without intentionally ceding ground (''cf.'' honeypot).


Controls

Defense in depth can be divided into three areas: Physical, Technical, and Administrative.


Physical

Physical controls are anything that physically limits or prevents access to IT systems, such as fences, guards, dogs, and CCTV systems.


Technical

Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls are disk encryption, file integrity software, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not to the physical systems themselves.


Administrative

Administrative controls are an organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.


Methods

Using more than one of the following layers constitutes an example of defense in depth.


System and application

* Antivirus software
* Authentication and password security
* Encryption
* Hashing passwords
* Logging and auditing
* Multi-factor authentication
* Vulnerability scanners
* Timed access control
* Internet Security Awareness Training
* Sandboxing
* Intrusion detection systems (IDS)
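To show how several of the system and application layers listed above combine, here is an added example (written for this article, not code from it) of a login path in which password hashing, timed access control (a lockout after repeated failures), multi-factor authentication and audit logging are checked as independent layers. The account data, the MFA check (a fixed code standing in for a real TOTP verification) and the clock are all constructed for the demonstration.

```python
"""Layered login check: password hash, lockout, MFA and audit log as
independent layers. Illustrative example, not code from the article."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # work factor of the password-hash layer
MAX_FAILURES = 3              # lockout threshold (timed access control)
LOCKOUT_SECONDS = 300         # how long a lockout lasts


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    mfa_secret: str          # stand-in for a TOTP seed, constructed for this example
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    """Every decision passes through the layers in order and is written to the audit log."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.audit_log = []
        self.clock = clock     # injectable so lockout expiry can be tested offline

    def register(self, username: str, password: str, mfa_secret: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, mfa_secret)

    def _record(self, username: str, outcome: str, source: str) -> str:
        # Logging layer: a record is kept whatever the outcome.
        self.audit_log.append({"time": self.clock(), "user": username,
                               "outcome": outcome, "source": source})
        return outcome

    def _fail(self, acct: Account, outcome: str, source: str, now: float) -> str:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:          # timed access control layer
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            outcome = "locked_out"
        return self._record(acct.username, outcome, source)

    def login(self, username: str, password: str, mfa_code: str, source: str = "unknown") -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return self._record(username, "unknown_user", source)
        now = self.clock()
        if now < acct.locked_until:                # layer 1: lockout still active
            return self._record(username, "locked_out", source)
        if not verify_password(password, acct.salt, acct.digest):   # layer 2: password
            return self._fail(acct, "bad_password", source, now)
        if not hmac.compare_digest(mfa_code.encode(), acct.mfa_secret.encode()):  # layer 3: MFA
            return self._fail(acct, "bad_mfa", source, now)
        acct.failures = 0
        return self._record(username, "success", source)


def demo() -> tuple:
    """Constructed scenario walking through each layer; returns (outcomes, audit log)."""
    t = [1000.0]
    svc = AuthService(clock=lambda: t[0])
    svc.register("alice", "correct horse battery staple", "123456")
    outcomes = [
        svc.login("alice", "wrong", "123456", "10.0.0.5"),       # bad_password
        svc.login("alice", "wrong", "123456", "10.0.0.5"),       # bad_password
        svc.login("alice", "wrong", "123456", "10.0.0.5"),       # third failure: locked_out
        svc.login("alice", "correct horse battery staple", "123456", "10.0.0.5"),  # still locked
    ]
    t[0] += LOCKOUT_SECONDS + 1                                   # lockout expires
    outcomes += [
        svc.login("alice", "correct horse battery staple", "000000", "10.0.0.5"),  # bad_mfa
        svc.login("alice", "correct horse battery staple", "123456", "10.0.0.5"),  # success
        svc.login("mallory", "x", "x", "10.0.0.5"),               # unknown_user
    ]
    return outcomes, svc.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The point of the layering is visible in the scenario: a correct password alone does not get through during a lockout, a correct password without the second factor is refused, and every refusal leaves an audit entry that a detection process can act on even when the other layers were bypassed.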


Network

* Firewalls (hardware or software)
* Demilitarized zones (DMZ)
* Virtual private network (VPN)


Physical

* Biometrics
* Data-centric security
* Physical security (e.g. deadbolt locks)


Example

In the following scenario a web browser is developed using defense in depth:
* the browser developers receive security training
* the codebase is checked automatically using security analysis tools
* the browser is regularly audited by an internal security team
* the browser is occasionally audited by an external security team
* the browser is executed inside a sandbox


See also

* Defence-in-depth (Roman military)
* Defense strategy (computing)


References

* Schneier on Security: Security in the Cloud
* Defense in Depth: A practical strategy for achieving Information Assurance in today's highly networked environments
* OWASP Wiki: Defense in depth