Friday 18 May 2007
A layered security strategy is a good practice to enhance the overall IT security in companies.
The essence of layered security is to implement security measures in different parts of the IT infrastructure.
This approach is comparable with physical security. If a burglar wants to steal money from your house, he has to go over the fence in the garden, than through an closed front door with locks, then he has to find the safe with the money, he has to break it open, get the money and leave the premises. All of this must be done without being seen or heard, and he must not be noticed by anyone during all these steps.
It is obvious why this works so well in daily practice:
- Many barriers must be crossed (fence, door, safe);
- Opening every barrier takes different technical skills (climbing over the fence, lockpicking a door with a mechanical lock, opening a safe with a digital lock);
- The burglar is slowed down by every barrier he tempts to cross, which increased the possibility of detection;
- The burglar doesn't know in advance how many barriers he has to cross, how much time each barrier takes, and which knowledge is needed for every barrier, which is very demotivating;
- The chance of getting caught is present in every step;
- When one barrier is crossed, the security of all other barriers are still intact.
It will be obvious for everyone that this works much better than having one big expensive safe somewhere in a dark forest without taking further measurements.
In IT security this principle works the same (layered security). Instead of having one big firewall and let all your security depend on it, it is better to add several layers. Preferably these layers make use of several different technologies, which makes it harder for hackers to break through all barriers. They will need much knowledge for this.
Every layer can be utilized with an IDS (Intrusion Detection System) or some other measurement to detect break-ins (increase the chance of getting caught). On top of this, more layers introduce uncertainty for the hacker: How many barriers must be passed to get to the data, and how long will this take (demotivation).
If one layer is passed unnoticed, or if one security layer contains a vulnerability (caused by a bug or a mistake in the configuration), the total security is still intact (although with less layers).
A disadvantage of the use of layered security is that the complexity of system management increases. Every security layer must be managed, and administrators must have knowledge about all used technologies.
But as always with security: It costs money and causes inconvenience. But is it always better than having insufficient security.