Defense in depth is an easy way to discuss layers of security. The military strategy can be applied in both physical and digital realms. Ultimately, the integration of physical and digital security is what provides the most effective layered capabilities. However, complacency and policy continue to drive a wedge between the perception of security and reality.
- [Instructor] When talking about security, defense in depth is a concept that will help describe the many aspects. Originally a military strategy, defense in depth can be expanded into many other realms. The key concept is layers of defense so that an attacker cannot be successful by a single action. This provides the defender time and space to adjust the defense as needed. This defense in depth concept describes the necessary environment with which physical and digital security are integrated.
A simple representation of defense in depth can be shown in home fire safety. For instance, fire-resistant materials prevent the ignition of fire. You'll see this in curtains, carpet, bedding, clothing, and wall material. Additionally, a fire alarm creates a very loud sound to alert the occupants. This is your warning that something is going badly. Fire extinguishers do not prevent fires; however, they can provide time for first responders.
It could mean the difference in overall fire size and the ability to leave. The evacuation plan is another example of indirect action. The plan allows for a coordinated evacuation in the event of a fire. Finally, emergency services, or 911, are available for additional assistance. These resources could be life-savers. This simple example shows defense in depth, with each layer adding additional time for the occupants and for the responders.
So, now if we applied defense in depth to computing, what differences do you think you would see? SANS Institute defines it as less of an aspect with delay of time, and more of an aspect of redundant defensive mechanisms. Every case is a bit unique, but there are many approaches to consider. I think the most prominent approach is the OSI Layers. OSI stands for Open System Interconnection, but no one calls it that.
It really is seven layers that characterize and standardize the communication functions of computing systems without regard to their underlying internal structure and technology. The numerous documents you sign in agreement with a workplace, and unofficial or even unwritten policies, can be included in this. Making assumptions that everyone knows is the wrong thing to do, so education is a great approach: tiered training requirements for roles or certification requirements, for example.
Look for strong passwords, but also their enforcement and best practices. Capable systems should meet minimum industry standards, but if the system still only takes four-digit PINs, it is time to upgrade. Controlling access is just as important as blocking it, so gates and fences are good to consider. Anything from three-foot garden fences, eight-foot chain-link, or 12-foot prison-style barbed-wire fences, to a chain with a sign, drop-down bars, or steel-reinforced gates.
Checkpoints go well with gates. Have a sign-in log, mantraps, or security guards; most importantly, have posted rules and policies so guests aren't caught off guard and folks don't forget. Another big deal is supply management: where your systems come from, how you get upgrades and repairs, and built-in deficiencies. Are there any additional things you could consider? The OSI Layers are a great aspect from which to view computing security.
As the technology evolves, the layers have seemed to actually withstand time. I remember first seeing the layers in the 90s, and would agree they are still applicable, granted the application layer is a pretty vast concept right now. Adding physical layers to the OSI Layers really adds a lot of security to the environment. In this presentation, we'll go over this in a lot more detail. Now, there are technologies that integrate physical and digital security; however, it really comes down to the policy that makes the technology and security actually work.
If your policies don't support the security plan, then the security plan won't be followed. So, this is what layered security looks like; it can be pretty simple, actually. Now, let's get into more detail on physical security.
Note: This course was recorded and produced by Mentor Source, Inc. We're pleased to host this training in our library.