|
== Background ==
The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.<ref name=schneier2006>[https://www.schneier.com/blog/archives/2006/02/security_in_the.html Schneier on Security: Security in the Cloud]</ref> It is a layering tactic, conceived<ref>{{Cite web|title=Some principles of secure design. Designing Secure Systems module Autumn PDF Free Download|url=https://docplayer.net/17241198-Some-principles-of-secure-design-designing-secure-systems-module-autumn-2015.html|access-date=2020-12-12|website=docplayer.net |archiveurl=https://web.archive.org/web/20240511022456/https://docplayer.net/17241198-Some-principles-of-secure-design-designing-secure-systems-module-autumn-2015.html | archivedate=11 May 2024}}</ref> by the [[National Security Agency]] (NSA) as a comprehensive approach to information and electronic security.<ref name=nsa1>[https://web.archive.org/web/20121002051613/https://www.nsa.gov/ia/_files/support/defenseindepth.pdf Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.]</ref><ref name=owasp1>[https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html#2-the-principle-of-defense-in-depth OWASP CheatSheet: Defense in depth]</ref> The term defense in depth in computing is inspired by a military [[strategy]] of [[Defence in depth|the same name]], but is quite different in concept. The military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time, envelop, and ultimately counter-attack an opponent, whereas the information security strategy simply involves multiple layers of controls, but not intentionally ceding ground (''cf.'' [[Honeypot (computing)|honeypot.]])
[[File:Defense In Depth - Onion Model.svg|thumb|right|The [[onion model]] of defense in depth]]An insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and [[network security]], host-based security, and [[application security]] forming the outermost layers of the onion.<ref>{{Cite book|chapter=Security Onion Control Scripts|date=2014|chapter-url=http://dx.doi.org/10.1016/b978-0-12-417208-1.09986-4|title=Applied Network Security Monitoring|pages=451–456|publisher=Elsevier|doi=10.1016/b978-0-12-417208-1.09986-4|isbn=978-0-12-417208-1|access-date=2021-05-29}}</ref> Both perspectives are equally valid, and each provides valuable insight into the implementation of a good defense in depth strategy.{{cn|date=July 2025}}
[[File:Defense In Depth - Onion Model.svg|thumb|right|The [[onion model]] of defense in depth]]
Information security must protect information throughout its lifespan, from the initial creation of the information on through to the final disposal of the information.<ref>{{Cite journal|date=1998-05-06|title=Residents Must Protect Their Private Information|journal=JAMA|volume=279|issue=17|pages=1410B|doi=10.1001/jama.279.17.1410|issn=0098-7484|doi-access=free}}</ref> The information must be protected while in motion and while at rest. During its lifetime, information may pass through many different information processing systems and through many different parts of information processing systems.<ref>{{Cite journal|date=2008|journal=Issues in Information Systems|doi=10.48009/2_iis_2008_343-350|issn=1529-7314|doi-access=free|title=Group Wisdom Support Systems: Aggregating the Insights of Many Through Information Technology}}</ref> There are many different ways the information and information systems can be threatened. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.<ref>{{Citation|title=INTERDEPENDENCIES OF INFORMATION SYSTEMS|url=http://dx.doi.org/10.2307/j.ctt1xhr7hq.13|work=Lessons Learned: Critical Information Infrastructure Protection|year=2018|pages=34–37|publisher=IT Governance Publishing|doi=10.2307/j.ctt1xhr7hq.13|isbn=978-1-84928-958-0|access-date=2021-05-29}}</ref> The building up, layering on, and overlapping of security measures is called "defense in depth."<ref>{{Citation|title=Managing Network Security|date=2003-10-27|url=http://dx.doi.org/10.1201/9780203508046-3|work=Network Perimeter Security|pages=17–66|publisher=Auerbach Publications|doi=10.1201/9780203508046-3|isbn=978-0-429-21157-7|access-date=2021-05-29}}</ref> In contrast to a metal chain, which is famously only as strong as its weakest link, the defense in depth strategy aims at a structure where, should one defensive measure fail, other measures will continue to provide protection.<ref name="VaccaComputer13">{{cite book |chapter-url=https://books.google.com/books?id=zb916YOr16wC&pg=PA546 |chapter=Chapter 31: What is Vulnerability Assessment? |title=Computer and Information Security Handbook |author=Kakareka, A. |editor=Vacca, J.R. |publisher=Elsevier |edition=2nd |pages=541–552 |year=2013 |isbn=9780123946126}}</ref>
Recall the earlier discussion about administrative controls, logical controls, and physical controls. The three types of controls can be used to form the basis upon which to build a defense in depth strategy.<ref name="Administrative Controls">{{Citation|title=Administrative Controls|date=2003-03-26|url=http://dx.doi.org/10.1201/9780203507933-6|work=Occupational Ergonomics|pages=443–666|publisher=CRC Press|doi=10.1201/9780203507933-6|isbn=978-0-429-21155-3|access-date=2021-05-29}}</ref> With this approach, defense in depth can be conceptualized as three distinct layers or planes laid one on top of the other.<ref>{{Cite journal|last1=Duke|first1=P. A.|last2=Howard|first2=I. P.|date=2012-08-17|title=Processing vertical size disparities in distinct depth planes|journal=Journal of Vision|volume=12|issue=8|pages=10|doi=10.1167/12.8.10|pmid=22904355|issn=1534-7362|doi-access=free}}</ref> Additional insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and [[network security]], host-based security, and [[application security]] forming the outermost layers of the onion.<ref>{{Cite book|chapter=Security Onion Control Scripts|date=2014|chapter-url=http://dx.doi.org/10.1016/b978-0-12-417208-1.09986-4|title=Applied Network Security Monitoring|pages=451–456|publisher=Elsevier|doi=10.1016/b978-0-12-417208-1.09986-4|isbn=978-0-12-417208-1|access-date=2021-05-29}}</ref> Both perspectives are equally valid, and each provides valuable insight into the implementation of a good defense in depth strategy.<ref>{{Cite journal|title=Metabolomics Provides Valuable Insight for the Study of Durum Wheat: A Review|url=http://dx.doi.org/10.1021/acs.jafc.8b07097.s001|access-date=2021-05-29|doi=10.1021/acs.jafc.8b07097.s001|first1=Sergio |last1=Saia|first2=Mariagiovanna |last2=Fragasso|first3=Pasquale De |last3=Vita|first4=Romina |last4=Beleggia|journal=Journal of Agricultural and Food Chemistry}}</ref>
== Controls ==
=== Physical ===
Physical controls<ref name="nsa1" /> are anything that physically limits or prevents access to IT systems. FencesExamples of physical defensive security are: fences, guards, dogs, and [[Closed-circuit television|CCTV]] systems and the like.
=== Technical ===
Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, Filefile integrity software, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.
=== Administrative ===
Administrative controls are the organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.
== Methods ==
Using more than one of the following layers constitutes an example of defense in depth.
=== System and application ===
* [[Antivirus software]]
* [[Authentication]] and [[password]] security
* [[Multi-factor authentication]]
* [[Vulnerability scanner]]s
* [[Timed access control]]
* [[Internet Security Awareness Training]]
* [[Sandbox (computer security)|Sandbox]]ing
* [[Intrusion detection system]]s (IDS)
=== Network ===
* [[Firewall (computing)|Firewall]]s (hardware or software)
* [[DMZ (computing)|Demilitarized zones]] (DMZ)
* [[Virtual private network]] (VPN)
=== Physical ===
* [[Biometrics]]
* [[Data-centric security]]
* [[Physical security]] (e.g. [[deadbolt]] locks)
| 