Defense in Depth

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13

Video Transcription
>> We're going to talk about one of the most critical concepts when it comes to properly securing the Cloud and any information security environment for that matter. In this lesson, we're going to talk about the concept of defense in depth. We're also going to talk about the different types of controls, categories and also walk through some examples of controls and how they reflect defense in depth.

What is defense in depth? I would think of it from the perspective of if you may have a door on your house and that door has a lock, that's one control. Well, what if someone kicks in the door, what stops the person from going into the house and robbing you blind if you're not at home? Do you have an alarm that alerts you? I've seen all these nifty Ring doorbells where someone clicks on the doorbell and there you can talk to the person and they immediately run away once they realize that they've been detected. This is an example of defense in depth where one control is good, but layered controls that protect your organization are really the ideal way to keep your organization safe.

Now, some controls are going to be more critical than others. But the idea about defense in depth is that once your controls are implemented at various layers of your system, that is the best way to protect your data, information in the Cloud and ensure that your business can continue operating and reaping all those great benefits that come with Cloud computing.

The controls really fall into three major flavors or categories. Management level controls, those are also referred to as administrative controls. Those are the controls such as policies. These are how do you categorize data in your organization? What are the policies around the encryption standards you implement? How is data managed over the lifecycle? What policies do you have regarding the retention and secure destruction of information? What are your policies with regards to the proper documentation and handling of computer resources? How are costs associated with your environments captured? Policy and administrative controls really set the rules of the road as well as manage the culture within an organization to help establish the tone of how serious security is within your organization, and what requirements there are on your employees to maintain security responsibilities.

Now, if the management controls are more of the why and the what, the technical controls are the how. These are the actual either devices or software or alerts that are implemented on a system to provide control depth. Technical controls, anything you're technically implementing in terms of software to detect violations and threats.

Finally, physical controls. These are the controls that might be inflated. They're really the data center level. We're talking about the Cloud. Is there adequate security, is there fencing, lights, full-time security camera monitoring of the facility? What controls are in place to ensure that someone can't just go in and tamper with the physical hardware that customers have their applications hosted on? Physical controls are our last control group.

Now, let's talk about the different types of controls. Preventative controls are those that as the name implies, they over reduce risks, that a risk is going to occur. When you think about a preventative control would be something such as having an intrusion detection system to alert you to problems coming in. Actually a pretty good detection is more of a detective control which is our next flavor of control. This detects and identifies violations or incidents that are occurring.

A corrective control is any control that's really used to remediate or fix a risk or situation. The context of the Cloud being able to sense when an application isn't performing properly or isn't available and immediately beginning data recovery process to fail over to another location to ensure that customers don't experience a prolonged outage beyond their expectations.

A deterrent control is something that discourages violations. Often in the physical world, we talk about lights or signs. Saying not to go in on private property are really the best way to deter violations.

Recovery, these are controls for recovering the system or information. We talked about disaster recovery as a corrective control, but it is also a recovery control.

And then compensating controls. There are some instances where you may not be able to put in your ideal control. However, you might be able to put in other controls that help you figure out how to monitor the system. Perhaps you can't necessarily audit or document something as well as you'd like, but you find another means of capturing that information. That's an example of a compensating control.

These six different control types really help provide you with a different way of thinking through the types of risks that may affect your Cloud system, and what controls should be put in place to reduce that risk.

Quiz question. The Cloud provider has the greatest control and responsibility over which control type? Management, technical or physical. If you said physical, you're absolutely right. We talked about physical controls being such as guards and lights and the lock on the door. Often, I think guards, gates, and guns is a term that's used to remember the typical physical controls. But those are the controls that are necessary to protect those actual assets that are in the data center. Another important concept or thing to keep in mind is that from a security perspective, if you don't have physical security, you really can't ensure the reliability of any of the other aspects of security.

In this module, we covered the importance of defense in depth, having layered controls that start at that high management level, are enforced through technical mechanisms and also maintained fundamentally through physical controls. We've talked about the six control types as well as those three broad control categories. All right. I'll see you in the next lesson.