Defense in depth (computing): Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 17:25, 29 November 2020 edit ClueBot NG (talk \| contribs) Bots, Pending changes reviewers, Rollbackers 6,480,325 edits m Reverting possible vandalism by Hausmaus7 to version by FedericoCeratto. Report False Positive? Thanks, ClueBot NG. (3834405) (Bot) Tag: Rollback ← Previous edit		Latest revision as of 12:45, 22 July 2025 edit undo AnomieBOT (talk \| contribs) Bots 6,864,522 edits m Dating maintenance tags: {{Cn}}
(48 intermediate revisions by 28 users not shown)
Line 1: {{Short description\|Concept in information security}} ~~{{for\|the military strategy\|Defence in depth}}~~ '''Defense in depth''' is a concept used in [[~~Information~~information security]] in which multiple layers of security controls (defense) are placed throughout an [[information technology]] (IT) system. Its intent is to provide [[Redundancy (engineering)\|redundancy]] in the event a [[Security controls\|security control]] fails or a vulnerability is exploited that can cover aspects of ''personnel'', ''procedural'', ''technical'' and ''physical'' security for the duration of the system's life cycle.▼ ~~{{refimprove\|date=April 2012}}~~ ▲'''Defense in depth''' is a concept used in [[Information security]] in which multiple layers of security controls (defense) are placed throughout an [[information technology]] (IT) system. Its intent is to provide redundancy in the event a [[Security controls\|security control]] fails or a vulnerability is exploited that can cover aspects of ''personnel'', ''procedural'', ''technical'' and ''physical'' security for the duration of the system's life cycle. == Background == The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.<ref name=schneier2006>[https://www.schneier.com/blog/archives/2006/02/security_in_the.html Schneier on Security: Security in the Cloud]</ref> It is a layering tactic, conceived<ref>{{~~citation~~Cite ~~needed~~web\|title=Some principles of secure design. Designing Secure Systems module Autumn PDF Free Download\|url=https://docplayer.net/17241198-Some-principles-of-secure-design-designing-secure-systems-module-autumn-2015.html\|access-date=~~April~~2020-12-12\|website=docplayer.net ~~2020~~\|archiveurl=https://web.archive.org/web/20240511022456/https://docplayer.net/17241198-Some-principles-of-secure-design-designing-secure-systems-module-autumn-2015.html \| archivedate=11 May 2024}}.</ref> by the [[National Security Agency]] (NSA) as a comprehensive approach to information and electronic security.<ref name=nsa1>[https://web.archive.org/web/20121002051613/https://www.nsa.gov/ia/_files/support/defenseindepth.pdf Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.]</ref><ref name=owasp1>[https://~~www~~cheatsheetseries.owasp.org/~~index~~cheatsheets/Secure_Product_Design_Cheat_Sheet.~~php/Defense_in_depth~~html#2-the-principle-of-defense-in-depth OWASP ~~Wiki~~CheatSheet: Defense in depth] ~~{{unreliable source?\|date=April 2012}}~~</ref> The term defense in depth in computing is inspired by a military [[strategy]] of [[Defence in depth\|the same name]], but is quite different in concept. The military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time, envelop, and ultimately counter-attack an opponent, whereas the information security strategy simply involves multiple layers of controls, but not intentionally ceding ground (''cf.'' [[Honeypot_(computing)\|honeypot.]]) [[File:Defense In Depth - Onion Model.svg\|thumb\|right\|The [[onion model]] of defense in depth]]An insight into defense in depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and [[network security]], host-based security, and [[application security]] forming the outermost layers of the onion.<ref>{{Cite book\|chapter=Security Onion Control Scripts\|date=2014\|chapter-url=http://dx.doi.org/10.1016/b978-0-12-417208-1.09986-4\|title=Applied Network Security Monitoring\|pages=451–456\|publisher=Elsevier\|doi=10.1016/b978-0-12-417208-1.09986-4\|isbn=978-0-12-417208-1\|access-date=2021-05-29}}</ref> Both perspectives are equally valid, and each provides valuable insight into the implementation of a good defense in depth strategy.{{cn\|date=July 2025}} == Controls == Defense in depth can be divided into three areas: Physical, Technical, and Administrative.<ref>{{cite book \| last1=Stewart \| first1=James Michael \|url=https://books.google.com/books?id=xSvdCQAAQBAJ \|title=CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide \|last2=Chapple \| first2=Mike \| last3=Gibson \| first3=Darril \| date=2015\|~~title~~publisher=~~CISSP~~John ~~(ISC)2~~Wiley ~~Certified~~& ~~Information~~Sons ~~Systems~~\|isbn=978-1-119-04271-6 ~~Security Professional Official Study Guide~~}}</ref> === Physical ~~controls~~ === Physical controls<ref name="nsa1" /> are anything that physically limits or prevents access to IT systems. ~~Fences~~Examples of physical defensive security are: fences, guards, dogs, and [[Closed-circuit television\|CCTV]] systems ~~and the like~~. === Technical ~~controls~~ === Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, ~~fingerprint~~file ~~readers~~integrity software, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves. === Administrative ~~controls~~ === Administrative controls are anthe organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in ~~regards~~regard to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements. ~~== Commonly used methods ==~~ ~~Using more than one of the following layers constitutes an example of defense in depth.~~ ~~System/application security:~~ == Methods == * [[Antivirus software]] * [[Authentication]] and [[password]] security Line 30 ⟶ 27: * [[Multi-factor authentication]] * [[Vulnerability scanner]]s * [[Timed access control]] * [[Internet Security Awareness Training]] * [[Sandbox (computer security)\|Sandbox]]ing * [[Intrusion detection system]]s (IDS) ~~Network security:~~ * [[Firewall (computing)\|Firewall]]s (hardware or software) * [[DMZ (computing)\|Demilitarized zones]] (DMZ) * [[Virtual private network]] (VPN) ~~Physical security:~~ * [[Biometrics]] * [[Data-centric security]] * [[Physical security]] (e.g. [[deadbolt]] locks) ~~=== Example ===~~ ~~In the following scenario a web browser is developed using defense in depth:~~ * the browser developers receive security training * the codebase is checked automatically using security analysis tools * the browser is regularly audited by an internal security team * ... is occasionally audited by an external security team * ... is executed inside a sandbox ==See also== [[Defence-in-depth (Roman military)]] [[Defense strategy (computing)]] ==References== {{Reflist}} [[Category:Computer network security]] [[Category:Computer security procedures]]