Computing Defense In Depth

It uses multiple layers of security controls (defenses) placed throughout an information technology (IT) system. The multiple layers are not of the same security tool. It uses several different kinds of security with each protecting against a different security attack.

Defense in depth is originally a military strategy. It seeks to delay rather than prevent the advance of an attacker by yielding space to buy time. The National Security Agency (NSA) changed the concept to be a comprehensive approach to information and electronic security.

The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system. Multiple layers of defense can prevent espionage. They also prevent direct attacks against critical systems. In terms of computer network defense, defense in depth measures should not only prevent security breaches but also buy an organization time to detect and respond to an attack.

Defense in depth has long been explained by using the onion as an example of the various layers of security. The outer layer contains the firewall. Middle layers contain various controls. The data is in the center protected by the other defenses.

A newer concept is the kill chain. Borrowed from the military it is a method of detecting and breaking an opponent's kill chain. Lockheed Martin adapted this concept to information security, using it as a method for modeling intrusions on a computer network.

Using more than one of the following layers constitutes defense in depth.

• Antivirus software
• Authentication and password security
• Biometrics
• Encryption
• Firewall (networking)
• Hashing passwords
• Intrusion detection systems (IDS)
• Logging and auditing
• Multi-factor authentication
• Vulnerability scanners
• Physical security (e.g. deadbolt locks)
• Internet Security Awareness Training
• Virtual private network (VPN)
• Sandboxing
• Intrusion Protection System (IPS)