Join Mike Danseglio for an in-depth discussion in this video, Introduction to defense in depth, part of Learning IT Security.
- So now, it's a different security model, a little bit of a different security model, and it's kind of a cool one, in that it incorporates a lot of what we know about security infrastructure, security planning, all that kind of stuff, into a nice agnostic model that gives us a lot of ideas. It's a really good planning tool. It's a really good threat modeling tool. It's called the Defense in Depth architecture or the Defense in Depth model. It's had a few different names over the years, and the way I explain it, I actually break it out a little bit differently than some other instructors do.
So, hopefully this will make a lot of sense. If you've seen it already, you might have seen it slightly differently, and there's nothing wrong with any of these particular variations. This is just one I find useful. Thinking about how to use all of our security models. These security models are built or designed to be thought-provoking or idea-provoking, different ways to approach security, different ways to think about security, and Defense in Depth is really, really no different at all. Defense in Depth is all about looking at defense holistically, from the outside in, from the inside out, breaking it apart, sometimes by technology, sometimes by people or process.
So, the people, process, and technology idea fits right into Defense in Depth as well. But Defense in Depth allows us to look at these things in kind of a layered way and then determine which layers or which components are most appropriate, based on a given scenario, based on some security need, based on some data classification, based on some security compliance requirement or technology implementation, all of that kind of stuff.
And I think if Defense in Depth does anything for us, it reminds us that security is actually a bunch of little stuff. Excuse me, voice was fading a little bit. I actually spent a lot of time in Redmond, Washington. Worked for a software development company. They make operating systems and applications and this thing called Microsoft Bob. Yeah, it's Microsoft. And so, when we're at Microsoft, or when I was at Microsoft, not so much about the technology, but the place itself.
It's cold, it's damp, it's wet, and the only way to really protect against the cold damp, the wetness that was about 11-1/2 months a year, was to dress in layers. We had a bunch of layers that we'd wear, a bunch of light thin layers that we could peel off, that we could replace, that we could adapt to different situations. If I was going hiking, I'd wear one set of layers. If I was actually going to the office, I would probably wear a different set of layers. If I was going outside, anything's theoretical, sure, I'd wear different kinds of clothing than what I was wearing indoors, but these thin layers were very adaptive, and they all helped, to some degree.
And Defense in Depth actually is a very layered architecture, layered approach to securing assets, and I quite like showing it in this particular model. This is slightly different. Actually had a guy that works with me, named Greg, helped design this. He's a graphics kind of guy. And this layout is especially near and dear to my heart. I quite like everything it's showing. First of all, it's showing different components of security that we can actually layer on top of an asset, and I'm going to go through all of these in a few moments.
Data security, so security applied directly to the data. Application security, so security not so much on the data itself, the stored data, the managed data, but the application that manages the data or accesses the data. Security at the host level. Host here we're using the network definition, or I'm using the network definition, so what that would mean is computer, tablet, laptop, phone, PC, whatever you got, a server, anything that accesses the application and the data, that's the host.
And then I break out network, internal network, network perimeter, and external network, different components of the network. If I've got a network inside my organization, I've got a network that connects to maybe an ISP, and then the ISP connects out to the broad, capital I, Internet. All of those different areas or zones, if you will, could potentially have different kinds of security considerations for me. So, in the Defense in Depth layer, I may secure some of those.
I may not secure some of those. And then wrapping all of these different layers, the network, the three different subdivisions of network layers, the host, the application, and the data layer are two concepts, these over-arching concepts or encompassments. These are the physical security Defense in Depth layer, which I'll explain more in depth in a moment, but, in summary, physical security, can't really do anything, security-wise, IT security, without physical security.
Everything starts with physical security, and a lot of what we do with the other layers depends on physical security. And finally, stewardship or people, process, and technology. Stewardship operations and management, someone that actually does some of the implementation, someone that follows procedures, someone that establishes procedures, the procedures themselves. These are the concepts of stewardship or good IT practices, good IT security operations.
Those also are encompassing, in that the stewardship layer encompasses all of this. None of this works without good stewardship. None of this works properly without good physical security or some consideration for physical security, but all of these vary, depending on the situation and depending greatly on the other layers, and you'll see how these things play together over the next few minutes.