HOME

TheInfoList



Click Here for Items Related To - Defense In Depth (computing)
OR:
Defense In Depth (computing) on:   [Wikipedia]   [Google]   [Amazon]

Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of ''personnel'', ''procedural'', ''technical'' and ''physical'' security for the duration of the system's life cycle.


Background

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.Schneier on Security: Security in the Cloud
/ref> It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.
/ref>OWASP Wiki: Defense in depth
/ref> The term defense in depth in computing is inspired by a military
strategy Strategy (from Greek στρατηγία ''stratēgia'', "art of troop leader; office of general, command, generalship") is a general plan to achieve one or more long-term or overall goals under conditions of uncertainty. In the sense of the "art ...
of the same name, but is quite different in concept. The military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time, envelop, and ultimately counter-attack an opponent, whereas the information security strategy simply involves multiple layers of controls, but not intentionally ceding ground (''cf.'' honeypot.)


Controls

Defense in depth can be divided into three areas: Physical, Technical, and Administrative.


Physical

Physical controls are anything that physically limits or prevents access to IT systems. Fences, guards, dogs, and CCTV systems and the like.


Technical

Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, File integrity software, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.


Administrative

Administrative controls are organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.


Methods

Using more than one of the following layers constitutes an example of defense in depth.


System and application

* Antivirus software * Authentication and password security * Encryption * Hashing passwords *
Logging Logging is the process of cutting, processing, and moving trees to a location for transport. It may include skidding, on-site processing, and loading of trees or logs onto trucks or skeleton cars. Logging is the beginning of a supply chain ...
and auditing * Multi-factor authentication * Vulnerability scanners * Timed access control *
Internet Security Awareness Training Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT). Even small a ...
*
Sandbox A sandbox is a sandpit, a wide, shallow playground construction to hold sand, often made of wood or plastic. Sandbox or Sand box may also refer to: Arts, entertainment, and media * Sandbox (band), a Canadian rock music group * Sandbox ( ...
ing * Intrusion detection systems (IDS)


Network

* Firewalls (hardware or software) * Demilitarized zones (DMZ) *
Virtual private network A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...
(VPN)


Physical

* Biometrics * Data-centric security * Physical security (e.g. deadbolt locks)


Example

In the following scenario a web browser is developed using defense in depth - * the browser developers receive security training * the codebase is checked automatically using security analysis tools * the browser is regularly audited by an internal security team * ... is occasionally audited by an external security team * ... is executed inside a sandbox


See also

* Defence-in-depth (Roman military) *
Defense strategy (computing) In computing, defense strategy is a concept and practice used by computer designers, users, and IT personnel to reduce computer security risks. Common strategies Boundary protection Boundary protection employs security measures and devices to p ...


References

{{Reflist Computer network security Computer security procedures Data security fr:Défense en profondeur