Introduction
In the discipline of information assurance, perimeter security is enforced to ensure the C-I-A (Confidentiality-Integrity-Availability) triad. A perimeter is defined as “border or boundaries that separate an organization’s network from the outside world” (Maiwald, 2013, p. 209). A perimeter policy, which is the core component of a perimeter security strategy, is defined as the security policy that protects the information assets (both physical and virtual) present within a perimeter. Perimeter controls such as firewalls, proxies, anti-virus programs, and encryption components enforce this perimeter policy. Security professionals often use the terms layered security and defense-in-depth interchangeably when discussing how to secure a perimeter, but the two strategies are different. In this paper, we compare and contrast layered security and defense-in-depth.
Layered Security
Layered security is the security strategy in which multiple controls are placed in layers, each control providing defense against a particular attack vector (see Figure 1). A layered security strategy consists primarily of technology controls. These may include firewalls, faux or sandbox environments, authorization, encryption, and intrusion detection and prevention.
In a layered security architecture, if one control fails, the threat is hindered at the next control level. For instance, if a malicious user manages to bypass a firewall, they must still authenticate and be authorized before they can proceed further. Another advantage is that a different kind of control is implemented at each level, which hardens the perimeter as a whole.
The primary disadvantage of layered security is its assumption that there is only a single point of failure, or only one “gate” through which the perimeter can be reached and compromised. Another disadvantage is that it focuses only on technology controls, whereas in reality the majority of incidents occur at the administrative or physical level.
Defense-in-Depth
Defense-in-depth is the most popular security strategy, and it is suitable for organizations that deal with sensitive information assets. "The National Security Agency (NSA) originally designed DiD as a best practices strategy for achieving information assurance" (Weaver, Weaver & Farwood, 2014, p. 12). Defense-in-depth arises from the philosophy that there is no single point of failure and no single origin of threats; therefore a multi-dimensional layered defense strategy should be enforced that also includes controls beyond the technology realm, such as administrative and physical controls (see Figure 2). Reducing the velocity of an attack, incident handling and response, log maintenance and auditing, and attack attribution (defined as the process of identifying the attack actor) are the key goals of defense-in-depth.
The primary advantage of a defense-in-depth strategy is its inherently multidimensional approach: not only are technology controls established, but physical and administrative controls also play a vital role in ensuring perimeter security. Another advantage is the objective of slowing down the progression of an attack, so that additional resources can be brought in to deter it.
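The two ideas above, independent controls placed in sequence (layered security) and a decision trail that supports auditing and attribution (a stated goal of defense-in-depth), can be shown in a few lines of code. The following Python example is added here and is not part of the paper; the request fields, policy data (allow-listed address prefixes, credentials, permissions, payload patterns) and the four layer names are all constructed for illustration. Each layer checks exactly one thing and knows nothing about the others, so a request that bypasses one layer is still judged by every layer behind it, and every decision is appended to an audit list from which the path of an attempt can later be reconstructed.

```python
"""Layered controls as an ordered, independent pipeline with an audit trail.

Constructed example (not from the paper): each control checks one thing and
knows nothing about the others, so a request that slips past one layer is
still judged by every layer behind it, and every decision is logged so that
the path of an attempt can be reconstructed and attributed afterwards.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    src_ip: str
    user: str
    token: str
    action: str
    payload: str


# Constructed policy data standing in for real configuration.
ALLOWED_PREFIXES = ("10.0.",)                        # internal network only
CREDENTIALS = {"alice": "tok-alice", "bob": "tok-bob"}
PERMISSIONS = {"alice": {"read", "write"}, "bob": {"read"}}
BAD_PATTERNS = ("<script", "' or 1=1", "../")       # crude content checks

Verdict = Tuple[bool, str]                            # (allowed, reason)


def network_filter(req: Request) -> Verdict:
    ok = req.src_ip.startswith(ALLOWED_PREFIXES)
    return ok, "ok" if ok else "source address outside allow-list"


def authentication(req: Request) -> Verdict:
    ok = CREDENTIALS.get(req.user) == req.token
    return ok, "ok" if ok else "bad credentials"


def authorization(req: Request) -> Verdict:
    ok = req.action in PERMISSIONS.get(req.user, set())
    return ok, "ok" if ok else f"{req.user!r} may not {req.action!r}"


def payload_inspection(req: Request) -> Verdict:
    low = req.payload.lower()
    hit = next((p for p in BAD_PATTERNS if p in low), None)
    return hit is None, "ok" if hit is None else f"pattern {hit!r} in payload"


# Order matters only for cost: cheap network checks first, deep inspection last.
PIPELINE: List[Tuple[str, Callable[[Request], Verdict]]] = [
    ("network", network_filter),
    ("authentication", authentication),
    ("authorization", authorization),
    ("inspection", payload_inspection),
]


@dataclass
class Outcome:
    allowed: bool
    stopped_at: str                       # "" when every layer passed
    audit: List[Dict[str, str]] = field(default_factory=list)


def evaluate(req: Request, bypassed: Tuple[str, ...] = ()) -> Outcome:
    """Run req through every layer in order.

    `bypassed` names layers treated as defeated: they are skipped, and the skip
    itself is logged, so the effect of losing one control can be observed.
    """
    out = Outcome(allowed=True, stopped_at="")
    for name, check in PIPELINE:
        entry = {"layer": name, "src": req.src_ip, "user": req.user}
        if name in bypassed:
            out.audit.append({**entry, "decision": "bypassed"})
            continue
        ok, reason = check(req)
        out.audit.append({**entry, "decision": "allow" if ok else "deny", "reason": reason})
        if not ok:
            out.allowed, out.stopped_at = False, name
            break                          # stop at the first layer that holds
    return out


def layers_reached(outcome: Outcome) -> List[str]:
    """Names of layers that recorded a decision, in order: the attempt's path."""
    return [e["layer"] for e in outcome.audit]


if __name__ == "__main__":
    outsider = Request("203.0.113.9", "alice", "guess", "write", "hello")
    print(evaluate(outsider).stopped_at)                       # network
    print(evaluate(outsider, bypassed=("network",)).stopped_at)  # authentication
```

Run the file directly to see the same request stopped first by the network layer and, once that layer is marked as bypassed, by authentication instead. The audit list on each outcome is what an incident handler would read back to see which layers an attempt reached and which source address and account it used.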
The primary disadvantage is the high cost of implementation and management, since multi-dimensional controls must be established. Another disadvantage is the difficulty of segregating responsibilities: in a defense-in-depth framework, different stakeholders often assume that a certain security procedure is being handled at another level.
In recent years, cyber security professionals have proposed and used two different schemes of defense-in-depth: passive and active. In the passive scheme, an attack is dealt with after it has occurred, whereas in the active scheme the attack is prevented before it occurs by launching an offensive against the attack actor (Schaub, 2018). We saw an example of the active defense doctrine in the French presidential election held in 2018 (Cormier, 2018).
Conclusion
We compared and contrasted the layered security and defense-in-depth strategies. If cost is not a constraint and an organization holds confidential and sensitive information assets, a defense-in-depth approach should be adopted. Even when cost is a constraint, the organization should judiciously use its available budget to implement a multi-dimensional security framework that approximates defense-in-depth.
References
Maiwald, E. (2013). Network security (3rd ed.). New York, NY: McGraw Hill.
Weaver, R., Weaver, D., & Farwood, D. (2014). Guide to network defense and countermeasures (3rd ed.). Boston, MA: Cengage Learning.
Schaub, G. (2018). Understanding cyber security. Lanham, MD: Rowman & Littlefield.
Cormier, Y. (2018). Cybersecurity as attack-defense: What the French election taught us about fighting back. Retrieved from https://thestrategybridge.org/the-bridge/2018/9/12/cybersecurity-as-attack-defense-what-the-french-election-taught-us-about-fighting-back