Defense in Depth: Multilayer Security Against All Threats

Today’s cyber threats are growing rapidly in scale and sophistication, and there are headlines almost daily about breaches and zero-day exploits. With more employees working from home and organizations relying increasingly on cloud-based services, a solid cybersecurity plan is more critical than ever.

Defense in Depth is a strategy that layers multiple, independent security controls in front of an organization’s assets. If one control is bypassed or fails, the attacker still has to defeat the next layer, so a single misconfiguration or zero-day does not hand over the crown jewels. Defense in Depth addresses the weaknesses inherent in hardware, software, and people; no single layer is assumed to be perfect.

As stated above, a Defense in Depth strategy is made up of multiple layers or “gates”:

  • Policies & Procedures
  • Physical Access
  • Perimeter (public footprint)
  • Internal Network
  • Platform
  • Application
  • Data

[Figure: Defense in Depth layers]

Policies & Procedures: It all starts with solid policies and, just as importantly, their enforcement. This includes data classification, password and MFA policies, mandatory code reviews, acceptable-use policies, and ITSM processes such as change management so that the controls in the layers below are not silently bypassed.

Physical: This refers to physical access controls: fences, walls, guards, badges, etc. For cloud-hosted workloads this layer is operated by your CSP under the shared responsibility model, but it still applies to everything you host or operate yourself, from an office server room to employee laptops.

Perimeter (public footprint): This is your front door to the public internet. Network firewalls (Layer 3/4), NAT, DDoS protection, and web application firewalls (Layer 7) help protect the services you expose from malicious ingress traffic. Note that NAT hides internal addressing but is not a security control on its own; pair it with explicit deny rules. Another service worth mentioning is domain filtering, which restricts egress to approved domains so that a compromised host cannot freely reach command-and-control or exfiltration endpoints.
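Domain filtering sounds simple, but the matching logic is where it usually goes wrong: a substring check lets evil-example.com through when you meant example.com. The following is an added example, not code from the original post, showing a default-deny egress allowlist with label-boundary matching. The allowlist entries, the sample destinations and the function names are constructed for illustration.

```python
"""Egress domain filtering with label-boundary matching.

Added example, not from the original post. The allowlist, the sample
destinations and all function names are constructed for illustration.
"""


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and IDNA-encode a host name so that
    'Exämple.com.' and 'xn--exmple-cua.com' compare equal."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # leave odd input as-is; it will simply fail to match


# Constructed allowlist. "*.example.com" permits example.com and every
# subdomain; a bare entry permits that exact host only.
EGRESS_ALLOWLIST = ["*.example.com", "updates.vendor.test"]


def domain_allowed(host: str, allowlist=EGRESS_ALLOWLIST) -> bool:
    """Default deny: True only if host matches an entry on a label boundary.

    A naive substring check such as `"example.com" in host` would also let
    through "evil-example.com" and "example.com.attacker.test".
    """
    host = normalize_host(host)
    if not host:
        return False
    for entry in allowlist:
        wildcard = entry.startswith("*.")
        base = normalize_host(entry[2:] if wildcard else entry)
        if host == base or (wildcard and host.endswith("." + base)):
            return True
    return False


def filter_egress(destinations):
    """Split observed destinations into (allowed, denied) lists."""
    allowed, denied = [], []
    for d in destinations:
        (allowed if domain_allowed(d) else denied).append(d)
    return allowed, denied


if __name__ == "__main__":
    # Constructed destinations as they might appear in an egress proxy log.
    sample = ["api.example.com", "EXAMPLE.COM.", "evil-example.com",
              "example.com.attacker.test", "updates.vendor.test",
              "cdn.updates.vendor.test"]
    ok, blocked = filter_egress(sample)
    print("allowed:", ok)
    print("denied :", blocked)
```

In practice this logic lives in the egress proxy or DNS filter; the points to carry over are the default deny and the boundary-aware comparison, which apply equally to any allowlist of hosts.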

Internal Network: Ensuring TLS encryption across your internal network to protect data in transit is an essential foundation for secure networking; a compromised host should not be able to read its neighbours’ traffic. Segmenting the network with firewalls between your VLAN/VPC/VNETs, with deny as the default between segments, adds another layer of protection. For example, if a server in a development environment is compromised, segmentation prevents the attacker from pivoting directly into production. Implementing an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) lets you monitor that traffic. The main difference between the two is the “prevention” piece: an IDS watches a copy of the traffic out of band and sends an alert, so prevention is a manual response after the notification; an IPS sits inline and drops the offending traffic automatically. The trade-off is that an IPS false positive blocks legitimate traffic, so its rules need careful tuning.
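To make the segmentation and IDS/IPS points concrete, here is an added example (not from the original post) that models default-deny rules between segments and runs an IDS-style rule over a few constructed flow-log lines to flag a compromised dev host probing production. The segment names, CIDRs, allow table, log format and log lines are all constructed.

```python
"""Segmentation policy with default deny, plus an IDS-style rule that flags a
host repeatedly hitting denied cross-segment paths (lateral movement).

Added example, not from the original post. Segment names, CIDRs, the allow
table, the flow-log format and the sample log lines are all constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed segments (think VLAN / VPC / VNET) keyed by CIDR.
SEGMENTS = {
    "dev":      ipaddress.ip_network("10.10.0.0/16"),
    "prod-app": ipaddress.ip_network("10.20.0.0/16"),
    "prod-db":  ipaddress.ip_network("10.30.0.0/16"),
    "mgmt":     ipaddress.ip_network("10.99.0.0/24"),  # jump boxes
}

# Explicit allow rules as (src segment, dst segment, dst port).
# Anything not listed is denied between segments.
ALLOW_RULES = {
    ("prod-app", "prod-db", 5432),  # app tier -> Postgres
    ("mgmt", "prod-db", 22),        # jump box -> DB hosts (DBA access)
    ("mgmt", "prod-app", 22),
    ("mgmt", "dev", 22),
}


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip, dst_ip, dst_port):
    """Segment firewall decision. Unknown address space is denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # intra-segment traffic is left to host firewalls here
    return (src, dst, dst_port) in ALLOW_RULES


def parse_flow_line(line):
    """Constructed log format: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, port = line.split()
    return src, dst, int(port)


def detect_lateral_movement(lines, threshold=3):
    """IDS-style rule: report sources with >= threshold denied attempts.

    Returns {src_ip: [(dst_ip, dst_port), ...]}. An IPS would additionally
    drop each denied flow inline; an IDS only raises the alert.
    """
    denied = defaultdict(list)
    for line in lines:
        src, dst, port = parse_flow_line(line)
        if not flow_allowed(src, dst, port):
            denied[src].append((dst, port))
    return {src: hits for src, hits in denied.items() if len(hits) >= threshold}


# Constructed flow log: a compromised dev host 10.10.4.2 probing production.
FLOW_LOG = """\
10.20.1.5 10.30.1.10 5432
10.99.0.7 10.30.1.10 22
10.10.4.2 10.30.1.10 5432
10.10.4.2 10.30.1.10 22
10.10.4.2 10.20.1.5 8080
10.10.4.2 10.10.4.9 445
""".splitlines()

if __name__ == "__main__":
    for src, hits in detect_lateral_movement(FLOW_LOG).items():
        print(f"ALERT {src}: {len(hits)} denied cross-segment attempts -> {hits}")
```

Running it alerts on 10.10.4.2 after three denied cross-segment attempts, while the app tier and the jump box pass. In IPS mode the same rule would drop each denied flow inline; the alert-only behaviour here is what an IDS gives you, and the threshold is the knob you tune to balance noise against missed lateral movement.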

Platform: Implement vulnerability management (patching) for your servers. With today’s tools it is straightforward to automate patching and keep your infrastructure up to date. For user desktops, ensure anti-virus and malware protection is installed on every system. Additionally, keeping all storage encrypted and having a strong key-management process protects data at rest if a disk or laptop is lost or stolen; note that disk encryption does not protect data from a process already running on a compromised host, which is why the other layers still matter.

Application: Every application should authenticate its users and authorize each request; never trust a client simply because it made it through the perimeter. Using a federated identity provider (IdP) for authentication is good practice, provided the application actually validates the tokens it receives (signature, issuer, audience, expiry) rather than just decoding them. For custom code, running a Static Code Analysis tool in the build pipeline to catch inherent security flaws before deployment is also good practice; it will not find every logic flaw, so it complements rather than replaces code review.

Data: It all comes down to data! Limit access to all your databases. From a cloud perspective, you can restrict connections to the database with security groups so that only the application tier can reach it. For DBAs who require access, route it through a jump box protected with a password + MFA, and log those sessions. For the data itself, ensure a backup policy meets your RTO & RPO targets, and test restores regularly; an untested backup is not a backup. As stated before, encrypt the storage and enforce TLS connections. Depending on the data classification, you may also need to encrypt at the table or cell level so that a leaked dump or an over-privileged database login does not expose the sensitive fields.

Automated scans and security checks are best practice and will help protect you from unforeseen threats, but there is no substitute for a culture of safety and security. Talk to your teams about what they are doing to maintain security. Hold a weekly review meeting dedicated to security. Whatever work you do, and whomever you do it with, make vigilance part of the conversation so that it becomes part of your culture and work ethic.

Of course, each one of these layers of security can have an entire paper written about them. What I have listed here is just the basics to help provide a foundation to build a strong security posture.
