Defense in Depth: A Layered Approach to Network Security
In light of all the headline-grabbing security incidents of the last year, the Heartbleed bug and the Target, eBay and Adobe breaches among them, it's understandable that enterprises might be on high alert to prevent their own organization from being thrust into the spotlight. Unfortunately, the silver bullet they may be looking for does not exist: today's cyber criminals are too persistent, and any single control will eventually be bypassed.
Still, there is an answer.
A multi-layered defense in depth strategy helps organizations address many of the most common causes of breaches. Mobile endpoints are susceptible to malware and malicious attacks, particularly when devices are used outside the safe confines of the immediate corporate network. And even as the Bring Your Own Device (BYOD) and Internet of Things (IoT) trends increase the number of mobile endpoints in corporate settings, defense in depth, meaning network and security components that provide redundancy and stay in constant communication with one another, lessens the chance that one of these devices becomes the attacker's way in.
The Basics of Defense in Depth
The first step of a defense in depth strategy to protect against network breaches should be to establish proper access control. Before granting access rights, an enterprise's system should check the device identity (software, hardware and network attributes) as well as the user identity (each individual attribute of a user), and it should require that the user's role permits the requested access. All of these checks should have to pass, and a request for which any attribute cannot be verified should be denied rather than waved through. For example, a network could grant remote access only to employees in managerial positions who are using approved, managed devices over a secure network connection.
Network and security components must be able to communicate so that if an attacker penetrates one system, the others can respond immediately and take preventative measures. IF-MAP (www.if-map.org), the Trusted Computing Group's Interface for Metadata Access Points, is a publish/subscribe protocol built for exactly this purpose: disparate systems such as intrusion detection sensors, network access control and VPN gateways publish what they know about devices, users and sessions to a shared server and subscribe to changes that concern them.
If an unauthorized user is able to break through these first layers of defense, perhaps by stealing user credentials, an enterprise can deprovision the affected devices via a centrally managed VPN or revoke their remote access rights. Both of these actions can be triggered automatically as soon as a breach is detected, provided the detecting component can tell the VPN management system about it.
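The following is an added illustration of the two layers described above, the attribute-based admission check and the detection-triggered revocation; it is example code written for this page, not NCP's software, and it does not implement the IF-MAP wire protocol. The publish/subscribe bus only mirrors the idea of components sharing findings, and the attribute names, thresholds, permitted roles and alert format are assumptions chosen for the example.

```python
"""Layered access broker: admission checks plus event-driven revocation.

Illustrative code added to this article; it is not NCP's software and does
not implement the IF-MAP wire protocol. The attribute names, the permitted
roles and the alert format are assumptions chosen for the example.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool        # user identity attribute: second factor verified
    device_id: str
    device_managed: bool    # hardware/software attribute: enrolled device
    days_since_patch: int   # software attribute: age of last patch in days
    transport: str          # network attribute: "vpn", "tls" or "plain"


# Layer 1: every rule must pass; a request failing any rule is denied
# (deny by default). Thresholds and role names are assumptions.
POLICY = [
    ("user verified with MFA",           lambda r: r.mfa_passed),
    ("device enrolled and managed",      lambda r: r.device_managed),
    ("device patched within 30 days",    lambda r: r.days_since_patch <= 30),
    ("role permitted for remote access", lambda r: r.role in {"manager", "admin"}),
    ("encrypted transport",              lambda r: r.transport in {"vpn", "tls"}),
]


def evaluate(req: AccessRequest):
    """Return (allowed, names_of_failed_rules) for a request."""
    failed = [name for name, rule in POLICY if not rule(req)]
    return (not failed, failed)


# Layer 2: a publish/subscribe bus in the spirit of IF-MAP's metadata
# sharing, so a detector can inform the VPN controller of a compromise.
class EventBus:
    def __init__(self):
        self._handlers = defaultdict(list)

    def subscribe(self, topic, handler):
        self._handlers[topic].append(handler)

    def publish(self, topic, event):
        for handler in list(self._handlers[topic]):
            handler(event)


class VpnController:
    """Central VPN management: grants sessions and revokes them on alerts."""

    def __init__(self, bus: EventBus):
        self.sessions = {}   # session id -> AccessRequest
        self.revoked = []    # (session id, reason)
        bus.subscribe("alert", self.on_alert)

    def connect(self, req: AccessRequest):
        allowed, failed = evaluate(req)
        if not allowed:
            return None, failed
        sid = f"sess-{len(self.sessions) + len(self.revoked) + 1}"
        self.sessions[sid] = req
        return sid, []

    def on_alert(self, event):
        # Deprovision every live session tied to the implicated device or user.
        for sid, req in list(self.sessions.items()):
            if req.device_id == event.get("device_id") or req.user == event.get("user"):
                del self.sessions[sid]
                self.revoked.append((sid, event["reason"]))


def demo():
    """Constructed scenario: a legitimate login, a login with a stolen
    password from an unmanaged machine, then an IDS alert on the first device."""
    bus = EventBus()
    vpn = VpnController(bus)
    legit = AccessRequest("alice", "manager", True, "lap-01", True, 5, "vpn")
    stolen = AccessRequest("alice", "manager", False, "unknown-pc", False, 120, "plain")
    sid, _ = vpn.connect(legit)
    denied, why = vpn.connect(stolen)
    # The detector shares its finding; the controller reacts without a human in the loop.
    bus.publish("alert", {"device_id": "lap-01", "reason": "ids: credential misuse"})
    return sid, denied, why, dict(vpn.sessions), list(vpn.revoked)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the layers working together: the legitimate request gets a session, the stolen-password attempt is refused on four independent grounds even though the password was correct, and the IDS alert published to the bus causes the controller to drop the legitimate session for the implicated device. In a real deployment the `publish` call would be an IF-MAP or similar message from the sensor and `on_alert` would call the VPN gateway's management interface.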
As this example shows, defense in depth does not create an impenetrable cyber shield. Rather, it minimizes risk and keeps organizations one step ahead of cybercriminals.
By Joerg Hirschmann, Chief Technology Officer for NCP Secure Communications