Defense in Depth (computing)
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited. The layers can cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle.
Background
The idea behind the defense in depth approach is to defend a system against any particular attack using several, varying methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.
Defense in depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system, where multiple layers of defense prevent espionage and direct attacks against critical systems. In terms of computer network defense, defense in depth measures should not only prevent security breaches but also buy an organization time to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach.
Examples
Using more than one of the following layers constitutes defense in depth.
- Physical security (e.g. deadbolt locks)
- Authentication and password security
- Hashing passwords
- Antivirus software
- Firewalls (hardware or software)
- DMZ (demilitarized zones)
- IDS (intrusion detection systems)
- Packet filters
- VPN (virtual private networks)
- Logging and auditing
- Biometrics
- Timed access control
- Software/hardware not available to the public (but see also security through obscurity)
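As an added illustration, not part of the original article, the following Python sketch runs a request through three of the layers listed above (packet filtering, timed access control, and authentication against a hashed password) while a logging and auditing layer records every decision; the user, password, network range, business hours and the names `Request`, `Audit` and `authorize` are constructed for this example. It shows the redundancy the article describes: a request that gets past one layer is still stopped, and logged, by the next.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed sample data (not from the article); only a salted password hash is stored.
SALT = b"constructed-demo-salt"

def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": hash_password("correct horse battery staple")}
ALLOWED_NET = ip_network("10.0.0.0/8")  # packet-filter layer: internal sources only
BUSINESS_HOURS = range(8, 18)           # timed-access layer: 08:00 to 17:59

@dataclass
class Request:
    user: str
    password: str
    src_ip: str
    hour: int  # hour of day (0-23) at which the request arrived

@dataclass
class Audit:  # logging and auditing layer: every decision of every layer is recorded
    entries: list = field(default_factory=list)
    def log(self, req, layer, ok):
        self.entries.append((req.user, req.src_ip, layer, "pass" if ok else "deny"))

def layer_packet_filter(req):
    return ip_address(req.src_ip) in ALLOWED_NET

def layer_timed_access(req):
    return req.hour in BUSINESS_HOURS

def layer_authentication(req):
    stored = USERS.get(req.user)  # unknown user: deny without hashing
    return stored is not None and hmac.compare_digest(stored, hash_password(req.password))

LAYERS = [("packet_filter", layer_packet_filter),
          ("timed_access", layer_timed_access),
          ("authentication", layer_authentication)]

def authorize(req, audit):
    """Run the layers in order; the first denial stops the request and is logged, so a
    request that beat one layer still leaves a trace. Returns (allowed, denying layer)."""
    for name, check in LAYERS:
        ok = check(req)
        audit.log(req, name, ok)
        if not ok:
            return False, name
    return True, None
```

A valid password used from outside the allowed network, or outside business hours, is denied before authentication is even attempted, and the audit trail shows which layer stopped it.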