Understanding Defense in Depth

Some IT folks I speak with seem to think the phrase "Defence in Depth" in the IT context refers to how a computer network is segmented or zoned. For example, having demilitarized zones (DMZ) and secured zone, implemented via firewalls and routers constitute defence in depth.

Unfortunately, this is not entirely correct. The concept has a much larger scope than just network. Generally speaking, it refers to how one can use multiple methods at varying layers for a more comprehensive defence strategy. The layers (and corresponding methods) can be classified as follows:

• Security Policies
• Physical Security (e.g. dead bolt locks, biometrics)
• Perimeter Security (e.g. Firewalls, Routers, VPN, RAS)
• Network Security (e.g. IDS, IPS, Packet filters, IPSec)
• Server Security (e.g. Antivirus software, access control at host levels)
• Application Security (e.g. access control at app level)
• Data Security (e.g. data encryption)

The good news is that in most circumstances, these folks are already using the strategy without knowing it. i.e. In a typical data center setup, you will have some form of security at each of the first five levels;

• Some form of security policy governing access and use of your networks/servers/applications
• Locked gates/doors in front of your data center building/room
• Routers and Firewalls in front of your application servers
• Intrusion detection/prevention systems monitoring the network traffic for abnormalities
• Access control at the operating server level of the hardware boxes

For more information on this topic, you may want to check out Microsoft's Defense in depth security model in these series of webcasts.