Day after day, we hear news about a hack, data breach or network compromise somewhere across the globe. The nature of the business, the location of the offence, the source and mode of attack, the size of the organization, the intensity and extent of the impact etc. may differ, but one thing is common to all of them: the loss of face!
Interestingly, all of these organizations are of high repute, mostly in the technology domain or relying extensively on technology, and they obviously have a role similar to a CISO. According to publicly available information, they have sizable budgets to secure the organization and have implemented one strategy or another to secure their information resources!
No doubt, securing information resources requires a comprehensive governance model which, among other things, includes risk management of valuable (information) assets. Risk management involves developing a policy to meet the business requirements, defining roles and responsibilities, designing, implementing and monitoring a control framework and, finally but most importantly, imparting awareness and/or training to the users.
While designing the risk management framework, one of the best practices is to follow a “Defense in depth” approach, which has proven effective in securing IT resources in organizations big or small.
Defense in depth is originally a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over time or as it covers a larger area.
This approach is now widely used to describe multi-layered or redundant protections for non-military situations, both tactical and strategic. The idea behind the defense in depth approach is to defend a system against any particular attack using several, varying methods.
It is a layering tactic that aims to stop the attacker from reaching his target, and it is considered a comprehensive approach to information security.
Remember, defense in depth is not an additional level of security to be implemented; rather, it is management's understanding that NO single approach to information security, even if it is best in class, can give them a reasonable level of comfort. They need to consider multiple approaches, such as antivirus software, authentication and password security, biometrics, demilitarized zones (DMZ), firewalls, hashing passwords, intrusion detection systems, logging and auditing, physical security, sandboxing, awareness training, education of end users and so on, while implementing their risk management strategy. While each one can only assure CIA (Confidentiality, Integrity & Availability) to a limited extent, together they provide a strong defense.
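A small added illustration, not from the original post, of three of the layers listed above (hashing passwords, authentication lockout, and logging and auditing) working independently, so that a failure of one layer does not collapse the others; the service class, user names and thresholds are constructed for the example.

```python
# Added example: three independent layers of a login path.
# Layer 1 hashes stored passwords, layer 2 locks out online guessing,
# layer 3 writes an audit trail an IDS or reviewer can alert on.
# Names, thresholds and users are constructed for this illustration.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000      # work factor for the hashing layer
LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Layer 1: store a salted PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthService:
    def __init__(self) -> None:
        self.users = {}      # user -> (salt, digest)
        self.failures = {}   # user -> consecutive failed attempts
        self.audit_log = []  # layer 3: one line per attempt, every outcome

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; each result is logged."""
        # Layer 2: lockout stops online guessing even with a leaked hash DB.
        if self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            self.audit_log.append(f"login user={user} result=locked")
            return "locked"
        record = self.users.get(user)
        ok = False
        if record is not None:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures[user] = 0
            self.audit_log.append(f"login user={user} result=ok")
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.audit_log.append(f"login user={user} result=denied")
        return "denied"


def failed_attempts_logged(svc: AuthService, user: str) -> int:
    """Count of denied/locked entries for a user: what an IDS rule keys on."""
    return sum(1 for line in svc.audit_log
               if f"user={user} " in line and "result=ok" not in line)
```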