What is Defense-in-depth
Defense-in-depth is an information assurance strategy that provides multiple, redundant defensive measures in case a security control fails or a vulnerability is exploited. It originates from a military strategy by the same name, which seeks to delay the advance of an attack, rather than defeating it with one strong line of defense.
Defense-in-depth cybersecurity use cases include end-user security, product design and network security.
An opposing principle to defense in depth is known as simplicity-in-security, which operates under the assumption that too many security measures might introduce problems or gaps that attackers can leverage.
Defense-in-depth architecture: Layered security
Defense-in-depth security architecture is based on controls that are designed to protect the physical, technical and administrative aspects of your network.
Defense in depth, layered security architecture
- Physical controls – These controls include security measures that prevent physical access to IT systems, such as security guards or locked doors.
- Technical controls – Technical controls include security measures that protect network systems or resources using specialized hardware or software, such as a firewall appliance or antivirus program.
- Administrative controls – Administrative controls are security measures consisting of policies or procedures directed at an organization’s employees, e.g., instructing users to label sensitive information as “confidential”.
Additionally, the following security layers help protect individual facets of your network:
- Access measures – Access measures include authentication controls, biometrics, timed access and VPN.
- Workstation defenses – Workstation defense measures include antivirus and anti-spam software.
- Data protection – Data protection methods include data at rest encryption, hashing, secure data transmission and encrypted backups.
- Perimeter defenses – Network perimeter defenses include firewalls, intrusion detection systems and intrusion prevention systems.
- Monitoring and prevention – The monitoring and prevention of network attacks involves logging and auditing network activity, vulnerability scanners, sandboxing and security awareness training.
Defense-in-depth information assurance: Use cases
Broadly speaking, defense-in-depth use cases can be broken down into user protection scenarios and network security scenarios.
Website protection
Defense-in-depth user protection involves a combination of security offerings (e.g., WAF, antivirus, antispam software, etc.) and training to block threats and protect critical data.
A vendor providing software to protect end-users from cyberattacks can bundle multiple security offerings in the same product. For example, packaging together antivirus, firewall, anti-spam and privacy controls.
As a result, the user’s network is secured against malware, web application attacks (e.g., XSS, CSRF).
Network security
- An organization sets up a firewall, and in addition, encrypts data flowing through the network, and encrypts data at rest. Even if attackers get past the firewall and steal data, the data is encrypted.
- An organization sets up a firewall, runs an Intrusion Protection System with trained security operators, and deploys an antivirus program. This provides three layers of security – even if attackers get past the firewall, they can be detected and stopped by the IPS. And if they reach an end-user computer and try to install malware, it can be detected and removed by the antivirus.
Imperva defense-in-depth solutions
Imperva offers a complete suite of defense in depth security solutions, providing multiple lines of defense to secure your data and network.
Our data security solutions include database monitoring, data masking and vulnerability detection. Meanwhile, our web facing solutions, i.e., WAF and DDoS protection, ensure that your network is protected against all application layer attacks as well as smoke-screen DDoS assaults.
