Ever since I started working in IT and took an interest in the Information Security aspect, I have heard the term 'defence in depth' being bandied around, qualified to varying degrees. In short, defence in depth is an approach where you have different security controls at different places in your overall system. It is also referred to as the castle approach, harking back to days of yore. In those days, having tall and thick walls was not always enough. You wanted to ensure there was only one entrance to your castle (ignoring the fact you might have several back doors for quick escapes!), a moat to protect your perimeter and a drawbridge to only allow authorised persons to come across. Once in, they would often need to relinquish their weapons and the upper-class people would often live in the middle of the grounds for further protection.
In the world of IT, the same approach is realised through the following, non-exhaustive list:
- Firewalls. This is the drawbridge. Only allow traffic from the right sources, going to the right destinations. Everything else gets left outside the gate.
- IPS/IDS. You almost certainly want the Internet to get to your public web server, but if somebody out there is trying to attack a weakness in your application, a basic L3/L4 firewall won't cut the mustard. You need something that can look into the application traffic and determine if something untoward is happening. It can either drop the traffic, slow it down, send you an alert or even launch a counter-attack depending on your setup.
- Patching. Vulnerabilities in your operating system, middleware and applications can often be mitigated by a security device such as an IPS, but what if the attacker is already in your network, behind this layer of protection? It is extremely important that you keep all your systems patched and have a rock-solid patching policy that is adhered to. This not only refers to servers, but also to network devices, storage and any other device that your IT relies on.
- Physical. Where is your data physically kept? On a machine under your desk? In a comms room somewhere at your head office? Or maybe in a tier 3 data centre? You could have best-of-breed security devices at every level in your network, but if you leave important printouts on your desk or like taking home some key files for the board on an unencrypted USB key, you are negating all the protection that they offer.
- Policies. It's all very well talking the talk, but if you don't have all of these steps and processes documented somewhere, people won't even remember that there is a way they are supposed to be doing something, or you'll end up with 10 engineers doing something in 10 different ways in a vague attempt to comply. Get buy-in from senior management and create a culture of security that people will not try to circumvent. Which leads to my next point...
- Training. InfoSec training can traditionally be very dry and usually comes from a "let's plough through this stuff for another year" angle. That is because the people doing the training are often from an InfoSec compliance background rather than Security Operations and it's a box-ticking exercise, rather than an attempt to really engage people to be thinking about InfoSec all year round.
The list above is brief and incomplete, but you can see that even in that list, there is a broad range of areas that need addressing to really give good protection.
My question to you now is, how good is your approach to information security? Have you worked at companies that have ignored most of these well-known approaches? Have others been a shining beacon of how to protect your treasured resources? I look forward to hearing your thoughts and experiences.