Wednesday, November 26, 2014

Information Security Basics Part 2: Defense in Depth

Defense in Depth is originally a military term in which multiple layer of defense is used to make the enemy more difficult to attack the target.  The best example is the castle.
There are multiple things used for defense - a draw bridge, water (may be with crocodile), a heavy iron gate.

What are we defending against?
The castle shown about is used to defense against enemy attack.  What about in the Information Security world?  Who is the enemy?

You may say the enemy is the hacker. While this is true, the exact term used should be threats.  Threat by itself is a subjective word.  Threat can be remote, threat can be big or it can be small.

In the Information Security world, 3 terms are used together:
  • Risk
  • Threat
  • Vulnerability

In fact there is a formula for these 3 terms:

          Risk = Threat X Vulnerability

For example, when you kept your front door unlock it is a vulnerability but you live in a safe neighborhood your threat is low and thus your risk will not be high. On the other hand if you keep your front door unlock and you live in a high crime area then your risk is very high.

Note: Security is all about mitigation of risk.  We can never be 100% secure.  The objective of information security is to mitigate all know risk factor to the minimal.

Defense in Depth
Defense in Depth is a security best practice.I have heard the late CEO of Apple Inc Steve Jobs had a security guard to stay within a few feet of his laptop all the time when he is speaking at conferences.  I am sure his laptop is both password protected and encrypted, adding another layer of defense will not hurt.

There are 4 kinds of Defense in Depth:
  • Uniform Protection
  • Protected Enclaves
  • Information Centric
  • Vector-Oriented
Uniform Protection
The easiest and most common form is uniform protection where all the resources or data are treated as equally important.  With this approach, it is more vulnerable for malicious insider because everything is being treated as equal, an development engineer can gain access to the data in the HR department.

Protected Enclaves
With this approach, resources/data are segmented.  It enforces the principle of least privilege so that user can only access what they need to access.  So in this case a development engineer cannot gain access to the data in the HR department.  The Pentagon has a classify network and a non classify network.  One time I was there for on site support and since I did not have security clearance, I have to step out of the room when we debug the classify network and tell the guy that has security clearance to type in the debug command and he will have to ready the output for me.  That was quite an experience debugging the classify network.

Information Centric
Data or asset are tagged with different values.  We can envision an onion which has different layers.  The most important asset will be in the center where more protection is deployed.  Each layer has it own security implemented with this defense in depth concept.
image source: http://www.sentrillion.com/images/img_defense-in-depth.jpg

Vector-Oriented 
This approach identify attack vector where the threat can be present.  Similar to the Information centric approach but the emphasis is on the attach vector such as thumb drives, smartphone that can take pictures.

Role-base Access Control
While this is not usually looked at as a defense in depth model but in principle this is form having multiple ways of gaining access.  With the data/resource segmented, after a user is logged into the system with the proper credential, the user is assigned a role and this role can be in a form of a access token is to determine what resource the user is able to access giving an additional level of access control.  Microsoft's Kerberos and OpenStack uses this Role-base Access Control.

Related Post:
Information Security Basics Part 1: Security Models
Information Security Basics Part 3: Cryptography
Information Security Basics Part 4: Public Key Infrastructure (PKI) 

18 comments:

  1. Thanks for the valuable information. Are you looking for a one-stop solution to your Information/Cybersecurity needs? IARM, one of the few companies to focus exclusively on End-End Information/Cybersecurity solutions and services providers to organizations across all verticals.
    Top Cyber Security Company in Chennai
    Penetration Testing Provider in Chennai

    ReplyDelete
  2. Nice blog Post ! This post contains very informative and knowledgeable. oracle training in chennai

    ReplyDelete
  3. If Oracle is your dream job, then we, Infycle, are with you to make your dream into reality. Infycle Technologies offers the best Oracle Training in Chennai, which offers various programs in Oracle such as Oracle PLSQL, Oracle DBA, etc., in the 200% hands-on practical training with specialized trainers in the field. Also, the mock interviews will be arranged for the candidates to face the interviews without any fear, and 100% placement assurance will be given here. To have the words above real, call 7502633633 to Infycle Technologies and grab a free demo to know more.Best Oracle Training Institute in Chennai

    ReplyDelete
  4. Finish the Get Big Data Certification in Chennai from Infycle Technologies, the best software training institute in Chennai which is providing professional software courses such as Data Science, Artificial Intelligence, Java, Hadoop, Selenium, Android, and iOS Development, etc with 100% hands-on practical training. Dial 7502633633 to get more info and a free demo and to grab the certification for having a peak rise in your career.

    ReplyDelete
  5. Chennai's best software training institute, Infycle Technologies, offers the best Hadoop training in Chennai for students and tech professionals along with other courses such as Python, Oracle, Selenium, Java, Hadoop, iOS, and Android development with 100% hands-on training. Once the completion of training, the students will be sent for placement interviews in the core MNC's. Call 7504633633 to get more info and a free demo.Top Hadoop Training in Chennai | Infycle Technologies

    ReplyDelete
  6. Infycle Technologies, the top software training institute and placement center in Chennai offers the Best Digital Marketing Course in Chennai | Infycle Technologies for freshers, students, and tech professionals at the best offers. In addition to Digital Marketing, other in-demand courses such as DevOps, Data Science, Python, Selenium, Big Data, Java, Power BI, Oracle will also be trained with 100% practical classes. After the completion of training, the trainees will be sent for placement interviews in the top MNC's. Call 7504633633 to get more info and a free demo.

    ReplyDelete