Layered security
Layered security, also known as layered defense, describes the practice of combining multiple mitigating security controls to protect resources and data.
The term bears some similarity to Defense in Depth (computing), a term adopted from a military strategy that involves multiple layers of defense that resist rapid penetration by an attacker but yield rather than exhaust themselves by too-rigid tactics. As the incursion progresses, resources are consumed and progress is slowed until it is halted and turned back. The information assurance use of the term "defense in depth" assumes more than merely the deployment of technical security tools; it also implies policy and operations planning, user training, physical access security measures, and direct involvement of information assurance personnel in dealing with attempts to gain unauthorized access to information resources. Within a defense in depth security strategy, layered security is regarded by some as merely a delaying tactic used to buy time to bring security resources to bear on a malicious security cracker's activities.
Commercial
For every category of threat, there should be an effective control deployed to mitigate the threat. Security vendors will sometimes cite differing solutions, but most can be grouped under consumer or enterprise categories:
Consumer Layered Security Strategy
- Extended validation (EV) SSL certificates
- Multifactor authentication (also sometimes known as versatile or two-factor authentication)
- Single sign-on (SSO)
- Fraud detection and risk-based authentication
- Transaction signing and encryption
- Secure Web and e-mail
- Open fraud intelligence network
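The consumer strategy above stacks several independent controls on one login: a credential check, risk-based authentication, and a second factor. The following added example (not code from the original article or from any vendor it mentions) models that layering as a login decision: each control is evaluated on its own, a failure at any mandatory layer denies access regardless of the others, and the risk layer decides whether a step-up second-factor challenge is required. The account, device identifiers, countries, risk weights and threshold are all constructed sample values; the second factor uses HOTP as specified in RFC 4226, with the RFC's own test-vector secret.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """Layer 1 helper: PBKDF2-HMAC-SHA256 (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    otp_secret: bytes                      # second-factor secret (constructed sample)
    known_devices: set = field(default_factory=set)
    home_country: str = "NL"


@dataclass
class LoginAttempt:
    username: str
    password: str
    device_id: str
    country: str
    otp: Optional[str] = None              # second-factor code, if the user supplied one


def check_password(acct: Account, attempt: LoginAttempt) -> bool:
    """Layer 1: credential check, compared in constant time."""
    return hmac.compare_digest(hash_password(attempt.password, acct.salt), acct.pw_hash)


def risk_score(acct: Account, attempt: LoginAttempt) -> int:
    """Layer 2: risk-based authentication. Weights and threshold are illustrative."""
    score = 0
    if attempt.device_id not in acct.known_devices:
        score += 40                        # unrecognised device
    if attempt.country != acct.home_country:
        score += 30                        # unusual location
    return score


def check_second_factor(acct: Account, attempt: LoginAttempt, counter: int) -> bool:
    """Layer 3: HOTP second factor, compared in constant time."""
    if attempt.otp is None:
        return False
    return hmac.compare_digest(attempt.otp, hotp(acct.otp_secret, counter))


STEP_UP_THRESHOLD = 30                     # assumed policy value


def decide(acct: Account, attempt: LoginAttempt, counter: int) -> str:
    """Combine the layers into one outcome: 'deny', 'challenge' (step-up needed) or 'allow'."""
    if not check_password(acct, attempt):
        return "deny"                      # no later layer can rescue a bad credential
    if risk_score(acct, attempt) >= STEP_UP_THRESHOLD:
        if attempt.otp is None:
            return "challenge"             # ask the user for the second factor
        if not check_second_factor(acct, attempt, counter):
            return "deny"
    return "allow"


def make_account(username, password, otp_secret, known_devices=(), home_country="NL"):
    salt = b"constructed-salt"             # a real system draws a random salt per account
    return Account(username, salt, hash_password(password, salt), otp_secret,
                   set(known_devices), home_country)


def demo() -> dict:
    """Run one constructed account through typical attempts; returns each decision."""
    secret = b"12345678901234567890"       # RFC 4226 test-vector secret
    alice = make_account("alice", "correct horse", secret, known_devices={"laptop-1"})
    counter = 0
    pw = "correct horse"
    return {
        "known_device": decide(alice, LoginAttempt("alice", pw, "laptop-1", "NL"), counter),
        "stolen_pw_new_device": decide(alice, LoginAttempt("alice", pw, "unknown-pc", "BR"), counter),
        "stolen_pw_wrong_otp": decide(alice, LoginAttempt("alice", pw, "unknown-pc", "BR", "000000"), counter),
        "full_step_up": decide(alice, LoginAttempt("alice", pw, "unknown-pc", "BR", hotp(secret, counter)), counter),
        "wrong_password": decide(alice, LoginAttempt("alice", "guess", "laptop-1", "NL"), counter),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>22}: {outcome}")
```

The point of the structure is that the layers do not share state or trust each other's verdicts: a leaked password from an unknown device reaches only "challenge", and a wrong second-factor code turns that into "deny". A production system would additionally rate-limit attempts, draw a random per-account salt, and keep the HOTP counter in sync with the user's token.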
Enterprise Layered Security Strategy
- Workstation application whitelisting
- Workstation system restore solution
- Workstation and network authentication
- File, disk and removable media encryption
- Remote access authentication
- Network folder encryption
- Secure boundary and end-to-end messaging
- Content control and policy-based encryption