Layered Security Part 2 - Defense In-Depth
Hello everyone and welcome to what I hope will be an “Agora” for security enthusiasts and to all people wishing to share a discussion and learn from what we discuss, or better, teach us and share with us their knowledge.
In the first article, entitled “Layered Security”, I briefly introduced a definition of information security as a whole. In this second part, I will try to advance one step further in order to achieve (by the end of this series) the final purpose of applying a layered approach in order to secure networks and information systems.
I hope I can get directly into the core of the layered security approach, but it is better to understand the idea behind it and how it is something logical, and yet not so trivial, and applicable in a plethora of contexts with few differences (this principle applies to security in general).
For instance, let us drive away from the security of information systems, and present one example from real life that is more understandable, and let us analyze the need for security and how it is implemented in this given case. We will also try to explore how this layered approach is used intuitively without paying close attention to it.
Please allow me to give you a short trip to a luxurious museum and let us all explore the beauty of it, and more importantly the tight security in it.
(The Louvre Museum: https://en.wikipedia.org/wiki/Louvre)
Museums are places of high importance and value, for they preserve sets and collections of unique objects and art pieces that tell stories and hold the ruins of cultures and civilizations. No one (hopefully) doubts that these objects and items are irreplaceable and extremely expensive.
Given the value of the pieces and the mission of a museum, it is logical to spend huge amounts of money and effort in order to secure such entities from all the risks that might compromise their safety. The security measures that museums take must be tight. It would be great to take a closer look at how these entities ensure the security of their assets, and more importantly, get a glimpse of the philosophy behind architecting a systematic protection scheme against various risks.
To simplify things (because security of museums is obviously not our main concern), I will shorten the scope and present a small attempt to break into an imaginary museum. There is a museum that houses a famous “golden cage” from the age of Ancient Egyptians. People from around the world come to witness the beauty of this piece of art. But I desire to take it for myself! I am that bad person!
First things first, I need to bypass the security checkpoint and access the building. It is really hard but let's assume that I have succeeded in overcoming this first hindrance. That is not the end. Now that I am inside the museum, I still need to get into the room where this piece of art is placed, but there are plenty of cameras installed in every corner of the museum. If I get caught sneaking inside the museum, it will be my end. I double my efforts to overcome this problem and I succeed. Unfortunately, there are other internal access control mechanisms (mechanical doors needing authentication, guards in the field, etc.). It is getting more and more frustrating, but I am a determined criminal willing to invest more time and resources to get what I want. With a little help from a friend (please do not ask how), I managed to get past this situation and now I can see the prey that I am willing to take home with me. Unfortunately again, there are sensors all over the room. They are movement sensors that will raise alarms if I move inside a radius of 3 meters near the “piece of art”. I spot other digital devices and I have no idea what they are used for. To make things worse, the piece of art is kept inside a hardened glass with a 7 cm diameter. I think the only way to get this piece is to raise an army. I will give up, and I hope that I can get out without being captured.
Please bear with me as our main objective is to see what a layered methodology is. TLDR: What I hope you will understand from this horrible short story is that the museum uses a lot of layers of security distributed in a way that reveals a new layer once you overcome the previous … Like an onion if you want to peel it! You take off the top skin and there appears another layer of skin underneath it.
Why do museums use this method? Put yourself in the shoes of a malicious person. If you can see in front of you one line of defense that you need to breach, it might be tight, but you will do your calculations and prepare yourself in order to get in. On the other hand, let's assume that you see one line of defense, you do your calculations and invest resources to breach it, and eventually you succeed, but then another line of defense appears in front of you. You get past the second defense only to see another. By that time, you will lose momentum and the psychological edge; you will fall into despair and eventually give up. But what if you are the defender? This method provides you with time. Once you feel that one line of your defenses has been breached, you know you can resolve things and get on your feet as you still have other lines of defense.
And that is the basic idea behind layered security. It is better known as “defense in depth” and it was first used in the military (somehow the military seems to be the first to use most advanced things). The advantages of this methodology remain almost the same under any context, even when applied to securing networks and information systems. Next time we will again step closer to our final purpose, and I will begin talking about applying this method in the context of network and information systems security.
I hope you enjoyed reading it even though it is long. Feel free to ask questions, and do not hesitate to comment. Let me know if something is wrong, or if there needs to be more advanced details. See you in the next part!