Layered Security Part 2 – Defense In-Depth

January 27, 2017 | Views: 4066

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Estimated reading time: 6 minutes

Hello everyone and welcome to what I hope will be an “Agora” for security enthusiasts and to all people wishing to share a discussion and learn from what we discuss, or better, teach us and share with us their knowledge.

In the first article entitled “Layered Security”, I have introduced in a very short way a definition of information security as a whole. In this second part, I will try to advance one step further in order to achieve (by the end of this series), the final purpose of applying a layered approach in order the secure networks and information systems.


I hope I can get directly into the core of the layered security approach, but it is better to understand the idea behind it and how it is something logical, and yet not so trivial, and applicable in a plethora of contexts with few differences (this principal applies to security in general).

For instance, let us drive away from the security of information systems, and present one example from real life that is more understandable, and let us analyze the need for security and how it is implemented in this given case. We will also try to explore how this layered approach is used intuitively without paying close attention to it.

Please allow me to give you a short trip to a luxurious museum and let us all explore the beauty of it, and more importantly the tight security in it.


(The Louvre Museum:

Museums are places of high importance and value, for they preserve sets and collections of unique objects and art pieces that tell stories and hold the ruins of cultures and civilizations. No one (hopefully) doubts that these objects and items are irreplaceable and extremely expensive.

Given the value of the pieces and the mission of a museum, it is logical to spend huge amounts of money and efforts in order to secure such entities from all the risks that might compromise its safety. The security measures that museums take must be tight. It would be great to take a closer look at how these entities ensure the security of their assets, and more importantly, get a glance of the philosophy behind architecting a systematic protection scheme against various risks.

To simplify things (because security of museums is obviously not our main concern), I will shorten the scope and present a small attempt to break into an imaginary museum. There is a museum that houses a famous “golden cage” from the age of Ancient Egyptians. People from around the world come to witness the beauty of this piece of art. But I desire to take it for myself! I am that bad person!

First things first, I need to bypass the security checkpoint and access the building. It is really hard but let’s assume that I have succeeded in overcoming this first hindrance. That is not the end. Now that I am inside the museum, I still need to get into the room where this piece of art is placed, but there are plenty of cameras installed in every corner of the museum. If I get caught sneaking inside the museum, it will be my end. I double my efforts to overcome this problem and I succeed. Unfortunately, there are other internal access control mechanisms (mechanical doors needing authentication, guards on the fields, etc.). It is getting more and more frustrating, but I am a determined criminal willing to invest more time and resources to get what I want. With a little help from a friend (please do not ask how), I managed to surpass this situation and now I can see the prey that I am willing to take home with me. Unfortunately again, there are sensors all over the room. They are movement sensors that will raise alarms if I move inside a radius of 3 meters near the “piece of art”.  I spot other digital devices and I have no idea what they are used for. To make things worse, the piece of art is kept inside a hardened glass with a 7cm diameter. I think the only way to get this piece is to raise an army, I will give up and I hope that I can get out whiteout being captured.

Please bear with me as our main objective is to see what a layered methodology is. TLDR: What I hope you will understand from this horrible short story is that the museum uses a lot of layers of security distributed in a way that reveals a new layer once you overcome the previous … Like an onion if you want to peel it! You take off the top skin and there appears another layer of skin underneath it.

Why do museums use this method? Put yourself in the shoes of a malicious person. If you can see in front of you one line of defense that you need to breach, it might be tight, but you will do your calculations and prepare yourself in order to get in. On the other hand, let’s assume that you see one line of the defense, you do your calculation and invest resources to breach in, eventually you succeed, but then another line of defense appears in front of you. You surpass the second defense only to see another. By that time, you will lose momentum and the psychological edge, you will fall in despair and eventually give up. But what if you are the defender? This method provides you with time. Once you feel that one line of your defenses has been breached, you know you can resolve things and get on your feet as you still have other lines of defense.

And that is the basic idea behind layered security. It is better known as “defense in depth” and it was first used in the military (somehow military seems to be the first at using most advanced things). The advantages of this methodology remain almost the same under any context, even when applied to secure networks and SI. Next time we will again step closer to our final purpose, and I will begin talking about applying this method in the context of networks and SI security.

I hope you enjoyed reading it even though it is long. Feel free to ask questions, and do not hesitate to comment. Let me know if something is wrong, or if there needs to be more advanced details. See you in the next part!

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Good job done

  2. Nice Article! I’m looking forward to the next one.

  3. Great article. Very straight on subject. Thank you!

  4. Thank you for the Article. I also like the onion comment. There are companies that spend way to much money on security and companies that spend very little money on security. You need to be in the middle somewhere even if you get attack because they over spend in security.

    • First of all, thank you for your comment. You are absolutely right, even though i tend to think that there are other parameters that the IT manager takes into consideration when deciding how much resources he wants to spend on security, and while evaluating the cost-benefit of his strategy. unfortunately i do not have that knowledge to share with you for the mean time

  5. Great Article. I see the goal of penetration testing as learning the parts of the specific onion and then peeling it back one layer at a time.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?