Defense in depth
Defense in depth is one of the most important security principles, and one that no one disagrees with. It simply states that IT security must be handled at different layers, without neglecting any of them by relying on the others. To clarify the concept with a non-IT example: in a large number of organizations access cards are deployed, yet there is still security personnel working there. So why don't we say: we deployed access cards, which are a good and efficient way to control access to the different areas of the building, so let's fire the security guards?
Simply because more than one security layer is implemented: we are not satisfied with one of them, we use two, and often more than two, to achieve the most secure solution we can. Back to information technology, we will briefly discuss the different layers that should be secured and the most common tools used to do so:
Physical security is the most critical part, because it is the one most people don't think of when planning IT security. Access to IT resources must be restricted to authorized people only. After all, if someone has unrestricted physical access to your system, it is no longer your system: no matter what software and equipment you have deployed, with the appropriate skills, tools and time it will no longer be your system. The most common controls deployed here are security personnel, access cards, biometric access, and keeping logs of who accessed the server room, for example, and when.
Secure your network perimeter:
The network perimeter is the point at which traffic leaves or enters the network. It is exactly like the door of your apartment, or perhaps also the windows if you think someone could get into your apartment through them: to enter or leave your apartment you must use the door, or maybe the windows, but there is absolutely no other way. Network perimeters are usually secured with firewalls that control what traffic is allowed to leave the network and what traffic is allowed to enter it. Network-based IPS may also be deployed at the network perimeter.
Secure the traffic while being transmitted:
The goal of securing traffic while it is being transmitted is to protect the data if someone captures it on its way from the source to the destination. This is usually done by encrypting the data, for example with IPsec, or by using protocols that support encryption, such as HTTPS instead of HTTP and SMTPS instead of SMTP.
Secure the machine hosting the data:
The machine on which the data resides should also be taken into consideration when designing the security solution, and many steps must be taken to provide the highest level of security for it. The operating system must be patched with the latest security patches released by the vendor, after verifying and testing them first, of course. Anti-virus software must be in place, updated and monitored, and a host-based IPS may help too. Only the required services and protocols should be enabled on the machine: for example, if a machine serves as a web server only, there is absolutely no need to enable the FTP service on it.
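One way to check the "only required services" rule above, as an added example that is not from the original article: the script audits `ss -ltnp` output against a hypothetical per-role allow-list of ports. The sample `ss` output, the `web` role profile and its port set are constructed assumptions, not values from the article.

```python
import re

# Constructed sample of `ss -ltnp` output from a host meant to be a web server only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1030,fd=6))
LISTEN  0       511     [::]:443             [::]:*             users:(("nginx",pid=1030,fd=7))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1201,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1345,fd=21))
"""

# Hypothetical role profiles: the ports each host role legitimately needs to expose.
ROLE_PROFILES = {"web": {22, 80, 443}}

# Matches a LISTEN line: local address, port, and the first process name in the Process column.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN line in `ss -ltnp` output."""
    listeners = []
    for line in ss_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.append((match.group(1), int(match.group(2)), match.group(3)))
    return listeners


def unexpected_services(ss_output, role):
    """Report listeners that the given role does not need.

    Loopback-only listeners are reported as 'info': they are unreachable from
    the network, but still widen the attack surface if the host is compromised.
    """
    allowed = ROLE_PROFILES[role]
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in allowed:
            continue
        loopback = addr.startswith("127.") or addr == "[::1]"
        findings.append({"port": port, "process": proc, "address": addr,
                         "severity": "info" if loopback else "high"})
    return findings


if __name__ == "__main__":
    for f in unexpected_services(SAMPLE_SS_OUTPUT, "web"):
        print(f"[{f['severity']}] port {f['port']} ({f['process']}) on {f['address']} "
              f"is not part of the 'web' role; disable or remove it")
```

On the sample host this flags the FTP daemon on port 21 as high severity and the loopback-only database listener as informational.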
Secure the data while being stored:
The previously mentioned point of securing data while it is being transmitted does not help at all once the data reaches the destination system, or before it leaves the source system. IPsec, for example, protects the data after it leaves the source machine and until it reaches the destination; it provides no security while the data is on the hard drive of the source or destination machine. To protect data in this phase, stored on a machine, access control lists may be implemented, but the more effective way is still encryption. Most operating systems have built-in tools to encrypt data on disk, and there are also third-party solutions to do so. Although encryption is, as mentioned, more effective, it is harder to implement, as it requires a PKI (Public Key Infrastructure) in place to function properly and effectively.
After discussing the different layers, I will give examples of what should not be done. You should absolutely not say: I deployed a firewall, so it is not very important to have anti-virus on the machines, I am already secure. If someone has access to an internal machine, your firewall will do nothing at all to prevent any harm he may be doing. You should not think: I have an anti-virus, so it is not very important to patch the operating system and the running software. Security patches resolve issues discovered in an operating system or other software that make it vulnerable to a certain malware or attack; the anti-virus may detect the issue and try to deal with it, but the appropriate patch makes the system no longer vulnerable in the first place.
EVERY LAYER OF THE SECURITY SOLUTION MUST BE HANDLED AS IF IT WAS THE ONLY LAYER.