Layering information security controls


In February 2015, various news outlets reported that millions of encryption keys were stolen from Dutch computer chip producer Gemalto during breaches in 2010 by both the NSA and GCHQ. In March 2015, sources reported that Dutch computer chip producer ASML was hacked, probably by hackers in service of the Chinese government. Government espionage is a current and growing threat to both government and multinational organizations. The Netherlands is an attractive target because of its high-tech industry and its role in the European Union, the United Nations and NATO.

Traditional information security focuses on preventing attacks by building large Chinese walls around an organization's digital assets. However, the hacks on both Gemalto and ASML show that companies need to do more than build a digital wall around their valuable information assets. High-tech companies, universities and governmental agencies alike have to ramp up their cyber defenses to protect their information assets against these kinds of advanced persistent threats (APTs). Advanced persistent threats are covert and continuous attacks, often orchestrated by foreign governments. Because APTs are usually backed by large budgets, they are very difficult to prevent. However, companies should strive to counter attackers by making it as hard (and unprofitable) as possible to get to the most valuable information assets. This means information security should consist of multiple layers, comparable to the rings of an onion. The most valuable assets are in the center, protected by a multitude of layers.
Layered defense implements security mechanisms at multiple layers in the organization.

 “Layered defense”
This approach of stacking or layering security mechanisms is called layered defense. Originally conceived as a military strategy to delay the advance of an attacker by exhausting its resources, the term is used today for the concept of stacking different security mechanisms. Layered defense typically involves a combination of preventative, detective, reactive and recovery security mechanisms at different levels within the organization. When one mechanism fails, other mechanisms are in place to detect, prevent or counter an attack.

The image above shows this information security strategy. The purpose of the outer layer is to ensure proper security policies and procedures are in place. All subsequent layers follow the policies set in the outer layer. Every layer adds more depth and more concreteness to the security mechanisms: physical security mechanisms that prevent unauthorized access to buildings or server rooms, the separation of network segments, and the encryption of data. By layering different preventative, detective, reactive and recovery mechanisms, attacks that successfully defeat a security mechanism on one layer are countered by security mechanisms on the other layers.

Cyber-attacks are difficult (if not impossible) to stop completely. The former director of the NSA even said that almost every US company has been hacked at one time or another. This means a paradigm shift is taking place. Instead of focusing on preventing cyber-attacks, companies should accept the fact that they cannot stop every attack. Rather, their focus should shift towards making it as hard and as unprofitable as possible for an attacker to get to critical systems and valuable information assets. A layered defense can help companies achieve this goal. By layering security mechanisms that counter a wide range of risks to information security, the chance of unauthorized access to critical information assets is reduced greatly.
