By Gerry Gebel (This article originally appeared in CSO Online.)
What key roles defense in depth and layered security will play in the digital age.
Defense in depth and layered security feel like terms from a much simpler era in information security. It was not too long ago when these concepts seemed more applicable during the dawn of the Internet age. At that time, web servers became the instrument to open up enterprises to the outside world. Firewalls, demilitarized zones (DMZs) and other network security techniques attempted to “keep the bad guys out.” Oh, how times have changed.
In a world where the cloud, mobile computing, software defined data centers, advanced persistent threats, zero-day exploits, big data systems and the internet of things (IoT) are the lingua franca of the day, are defense in depth and layered security still relevant?
What is defense in depth?
Defense in depth was originally a military strategy, which was meant to slow the enemy’s advance until a counter-attack could be mounted. Counterattacks in cybersecurity are a more recent development as information security systems were largely passive, but security defenses have been typically established at multiple layers in an attempt to thwart intruders. If the intruder broke through one barrier, there would be more and different barriers to circumvent before any damage or breach could occur.
With defense in depth, multiple layers of security are applied across the entire information technology (IT) infrastructure and extend to include personnel procedures and physical security. The idea is, the more layers of security that exist, the harder it will be to breach all the defenses to steal digital assets or cause disruption.
The core concept of defense in depth is still viable but must be continually re-adapted as computing technologies and threats evolve. It is a challenging task to remain updated on current trends and changing vulnerabilities, but this must remain a main objective for information security teams.
Many layers of security
Protecting information assets requires the combination of different information security technologies to create multiple layers of security in order to address a wide variety of security concerns. There are many important security layers but some of the most essential include:
- Firewalls control and monitor incoming and outgoing network traffic to protect the infrastructure and operating system that a service is running on. It is basically a barrier between internal and external networks.
- Web application firewalls filter the content of specific web applications to protect any applications that are running. Ultimately, they prevent attacks that originate from security flaws in web applications.
- Security information and event management (SIEM) systems aggregate access data from multiple systems to correlate data and seek anomalies that could indicate suspicious activity.
- Identity and access management (IAM) solutions for authentication, authorization and user management to make sure only the right individuals get access to the right applications and services and nothing else.
Within the IAM sphere, dynamic authorization plays a key part to enable proper access to sensitive and valuable digital assets and impose a barrier to inappropriate or malicious access. IAM provides an important element to a defense in depth strategy. (Security technologies, such as anti-malware, anti-virus, anomaly detection, and many others are a part of the defense in depth strategy but are not covered in any more detail in this article.) In addition, personnel policies and procedures must address the needs for security awareness training as every member of your organization is part of the cybersecurity strategy.
Controlling access with dynamic authorization
Dynamic authorization, also known as Attribute Based Access Control (ABAC), provides a policy-based approach to access control and can be used at multiple security layers within an enterprise. ABAC can be integrated within the different layers of security to provide relevant and dynamic authorization.
As part of a defense in depth strategy, ABAC supports what can be called an “any depth protection” approach. A key element of the ABAC process is the ability to intercept attempted access to protected resources and this can be accomplished at different levels, or layers, within the application’s architecture. These interception points can occur at the presentation layer, where portal access is determined, or deeper within the application infrastructure middleware layer. Of course, ABAC systems are frequently used to protect APIs and microservices, as well as implementing dynamic authorization at the data level.
The ease of integrating with other tools is a hallmark of dynamic authorization systems due to their modular architecture and industry standards support. This is important for at least two reasons. First, seamless integration with other IAM and security tools, such as Web Access Management or API Gateways, helps to ensure that no gaps exist in your security defenses. Second, the use of industry standards provides a level of interoperability and vendor independence for enterprises, plus limited customization is required when industry standards are supported.
Layering security is key protecting customer information in the information age, enterprises who fail will face significant backlash from customers and regulatory bodies alike. By adding an intelligent, dynamic authorization access control approach, organizations can ensure even more limited access to data to guard against future data breaches and ultimately jump ahead of the competition.