Defense in Depth
- The objective of defense in depth is to protect information and prevent it from being stolen by those who aren't authorized to access it.
- A defense-in-depth strategy uses a series of independent mechanisms to slow the advance of an attack that aims at acquiring access to data. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure; no single control failure should hand the attacker the data.
Layers of defense-in-depth
You can visualize defense-in-depth as a set of layers, with the data to be secured at the center and all the other layers functioning to protect that central data layer.
- Physical security layer is the first line of defense, protecting computing hardware in the datacenter.
- Identity and access layer controls who and what can reach infrastructure, and enforces change control.
- Perimeter layer uses distributed denial of service (DDoS) protection and perimeter firewalls to filter large-scale attacks before they cause a denial of service for users.
- Network layer limits communication between resources through segmentation and access controls.
- Compute layer secures access to virtual machines and keeps them patched and protected.
- Application layer helps ensure that applications are built to be secure and are tested for vulnerabilities before and after release.
- Data layer controls access to the business and customer data that you need to protect.
Physical security
- Physically securing access to buildings and controlling access to computing hardware within the datacenter are the first line of defense.
- With physical security, the intent is to provide physical safeguards against access to assets.
- These safeguards ensure that the other layers can't be bypassed by someone with hands on the hardware, and that loss or theft of equipment is handled appropriately (for example, by encrypting and tracking drives).
Identity and access
- The identity and access layer is all about ensuring that identities are secure, that access is granted only to what's needed (least privilege), and that sign-in events and changes are logged.
- At this layer, it's important to:
  - Control access to infrastructure and change control.
  - Use single sign-on (SSO) and multifactor authentication (MFA).
  - Audit sign-in events and changes, and correlate the two: a privileged change is only as trustworthy as the session that made it.
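The "audit events and changes" control only pays off if someone looks at the records. The following is an added example (not code from the original page) of the kind of check a security operations team would run over sign-in and change logs: it flags privileged sign-ins that did not satisfy MFA, privileged role grants with no change-control reference, and privileged grants made from a session that never presented MFA. The JSON-lines layout, field names (`type`, `mfa`, `change_ticket`, `role`) and the sample events themselves are constructed for this example and are not any vendor's log schema.

```python
import json
from typing import Dict, List

# Constructed sample events for this example. The JSON-lines shape and field
# names ("type", "mfa", "change_ticket", ...) are assumptions made here, not
# any vendor's sign-in or audit log schema.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T08:02:11Z", "type": "signin", "user": "alice", "role": "Owner", "mfa": true, "ip": "203.0.113.10"}
{"ts": "2024-05-01T08:05:40Z", "type": "signin", "user": "svc-deploy", "role": "Contributor", "mfa": false, "ip": "198.51.100.7"}
{"ts": "2024-05-01T08:07:03Z", "type": "signin", "user": "bob", "role": "Reader", "mfa": false, "ip": "203.0.113.22"}
{"ts": "2024-05-01T08:09:55Z", "type": "role_assignment", "actor": "svc-deploy", "target": "mallory", "role": "Owner", "change_ticket": null}
{"ts": "2024-05-01T08:15:00Z", "type": "role_assignment", "actor": "alice", "target": "carol", "role": "Reader", "change_ticket": "CHG-1042"}
"""

# Roles that can change infrastructure or grant access; treated as privileged.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(events: List[Dict]) -> List[Dict]:
    """Return findings for sign-ins and changes that violate the layer's controls.

    Rules, in the order they are applied:
      privileged_signin_without_mfa              - privileged role, MFA not satisfied
      privileged_change_without_change_control   - privileged role granted with no change ticket
      privileged_change_from_session_without_mfa - change made by an actor whose
                                                    most recent sign-in lacked MFA
    """
    findings: List[Dict] = []
    last_signin_had_mfa: Dict[str, bool] = {}
    for e in events:
        if e["type"] == "signin":
            last_signin_had_mfa[e["user"]] = bool(e["mfa"])
            if e["role"] in PRIVILEGED_ROLES and not e["mfa"]:
                findings.append({"rule": "privileged_signin_without_mfa",
                                 "ts": e["ts"], "subject": e["user"]})
        elif e["type"] == "role_assignment" and e["role"] in PRIVILEGED_ROLES:
            if not e.get("change_ticket"):
                findings.append({"rule": "privileged_change_without_change_control",
                                 "ts": e["ts"], "subject": e["actor"]})
            # Correlate the change with the actor's session. An actor with no
            # recorded sign-in is left alone here (None), only a known non-MFA
            # session is flagged.
            if last_signin_had_mfa.get(e["actor"]) is False:
                findings.append({"rule": "privileged_change_from_session_without_mfa",
                                 "ts": e["ts"], "subject": e["actor"]})
    return findings


if __name__ == "__main__":
    for f in audit(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['rule']:45} {f['subject']}")
```

On the constructed input the three findings all point at `svc-deploy`: a Contributor sign-in without MFA, followed by an Owner grant with no ticket from that same session. Bob's non-MFA sign-in as Reader is not flagged, which is a deliberate scoping choice; a stricter policy would require MFA for every interactive sign-in.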
Perimeter
- The network perimeter protects your resources from network-based attacks. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
- At this layer, it's important to:
  - Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
  - Use perimeter firewalls to identify, block, and alert on malicious traffic directed at your network.
Network
- At this layer, the focus is on limiting the network connectivity across all your resources to allow only what's required. By limiting this communication, you reduce the risk of an attack spreading from one compromised system to others in your network.
- At this layer, it's important to:
  - Limit communication between resources to the paths the application actually needs.
  - Deny by default, so that any flow not explicitly allowed is blocked.
  - Restrict inbound internet access and limit outbound access where appropriate, so that a compromised resource can't freely reach an attacker's infrastructure.
  - Implement secure connectivity to on-premises networks.
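The bullets above describe a rule set rather than show one. The following added example (not from the original page) models the semantics of a priority-ordered, deny-by-default network rule set, evaluated outbound at the source and inbound at the destination, and runs a three-tier application's traffic through it. The address plan (`10.0.0.0/16` with web, app and database subnets), the rule names, and the "patch mirror" range are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan for this example (hypothetical, not from the page).
INTERNAL = "10.0.0.0/16"           # the whole virtual network
WEB, APP, DB = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
PATCH_MIRROR = "203.0.113.0/24"    # hypothetical update-server range (documentation prefix)


@dataclass(frozen=True)
class Rule:
    priority: int           # lower number is evaluated first; first match wins
    name: str
    direction: str          # "inbound" (checked at the destination) or "outbound" (at the source)
    action: str             # "allow" or "deny"
    src: str                # CIDR, or "*" for any address
    dst: str
    dport: Optional[int]    # destination port, None = any


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "*" or ip_address(addr) in ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule in priority order decides; no match falls through to deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.name
    return "deny", "default-deny"


def check_flow(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[bool, List[str]]:
    """A flow is allowed only if every applicable side allows it: outbound rules at an
    internal source, inbound rules at an internal destination. Returns the decision and
    the names of the rules that decided it."""
    decisions = []
    if _matches(INTERNAL, src):
        decisions.append(evaluate(rules, "outbound", src, dst, dport))
    if _matches(INTERNAL, dst):
        decisions.append(evaluate(rules, "inbound", src, dst, dport))
    allowed = bool(decisions) and all(action == "allow" for action, _ in decisions)
    return allowed, [name for _, name in decisions]


# Only the paths the three-tier application needs; everything else is denied by default.
RULES = [
    Rule(100, "in-https-from-internet", "inbound", "allow", "*", WEB, 443),
    Rule(110, "in-web-to-app", "inbound", "allow", WEB, APP, 8080),
    Rule(120, "in-app-to-db", "inbound", "allow", APP, DB, 1433),
    Rule(100, "out-patch-mirror", "outbound", "allow", INTERNAL, PATCH_MIRROR, 443),
    Rule(110, "out-intra-vnet", "outbound", "allow", INTERNAL, INTERNAL, None),
]

if __name__ == "__main__":
    flows = [("198.51.100.9", "10.0.1.4", 443),     # internet -> web tier
             ("198.51.100.9", "10.0.3.4", 1433),    # internet -> database (must fail)
             ("10.0.1.4", "10.0.3.4", 1433),        # web -> database directly (must fail)
             ("10.0.2.4", "10.0.3.4", 1433),        # app -> database
             ("10.0.2.4", "93.184.216.34", 443),    # app -> arbitrary internet host (must fail)
             ("10.0.2.4", "203.0.113.5", 443)]      # app -> patch mirror
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}", check_flow(RULES, src, dst, port))
```

Two outcomes are worth noting. The web tier's attempt to reach the database is allowed outbound by the broad intra-network rule but stopped by the inbound default deny at the database subnet, which is segmentation doing its job even though one side was permissive. And the application tier can reach the patch mirror but not an arbitrary internet host, which is the "limit outbound access" bullet in practice.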
Compute
- The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues.
- At this layer, it's important to:
  - Secure access to virtual machines, including management ports.
  - Implement endpoint protection on devices and keep systems patched and current.
Application
Integrating security into the application development lifecycle helps reduce the number of vulnerabilities introduced in code. Every development team should ensure that its applications are secure by default.
- At this layer, it's important to:
  - Ensure that applications are designed to be secure and are tested for vulnerabilities.
  - Store sensitive application secrets in a secure storage medium, never in source code or configuration checked into version control.
  - Make security a design requirement for all application development.
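To make the secrets bullet concrete, here is an added example (not code from the original page) that places the weak pattern beside the hardened one: a connection string built from a password constant in source, versus one assembled at runtime from a secret store that fails closed when the secret is missing, plus a redaction helper for log lines and a small CI check that flags credential-like literals in source text. The `SecretStore` class, its dict backend, the `db-password` name and the sample source snippet are all constructed for this example; in production the backend would be a managed secret store.

```python
import re
from typing import List, Mapping, Tuple

# BEFORE: the secret lives in source. It ends up in version-control history, build
# logs and container images, and rotating it requires a code change and a redeploy.
DB_PASSWORD = "Sup3rS3cret!"   # deliberately insecure, kept only to show the pattern


def connection_string_insecure() -> str:
    return f"Server=db.internal;User=app;Password={DB_PASSWORD};"


# AFTER: the application receives secrets at runtime from a store it does not own.
class SecretStore:
    """Minimal secret-store interface (hypothetical). The dict backend stands in for a
    managed secret store; the application code is the same either way."""

    def __init__(self, backend: Mapping[str, str]):
        self._backend = backend

    def get(self, name: str) -> str:
        # Fail closed: no default value and no silent fallback to an empty password.
        if name not in self._backend:
            raise RuntimeError(f"secret {name!r} is not provisioned")
        return self._backend[name]


def connection_string_secure(store: SecretStore) -> str:
    return f"Server=db.internal;User=app;Password={store.get('db-password')};"


def redact(conn_str: str) -> str:
    """Mask the password before a connection string reaches a log line or error message."""
    return re.sub(r"(?i)(password=)[^;]*", r"\1***", conn_str)


# A check to run in CI: flag assignments of a string literal to a credential-like name.
_SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*=\s*['\"][^'\"]{6,}['\"]"
)


def find_hardcoded_secrets(source_text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for lines that assign a literal to a credential-like name."""
    return [(n, line.strip()) for n, line in enumerate(source_text.splitlines(), 1)
            if _SECRET_ASSIGNMENT.search(line)]


# Constructed snippet standing in for a source file under review.
SAMPLE_SOURCE = '''\
DB_PASSWORD = "Sup3rS3cret!"
timeout = 30
api_key = "abcd-1234-efgh"
password = store.get("db-password")
'''

if __name__ == "__main__":
    store = SecretStore({"db-password": "from-store"})
    print(redact(connection_string_secure(store)))
    for n, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"hardcoded secret at line {n}: {line}")
```

The scanner is intentionally simple (a regex over assignments) and will miss secrets that are split, encoded or loaded from a checked-in config file; it is a cheap gate, not a substitute for a proper secret-scanning tool. The more important half is `SecretStore.get` raising instead of returning a default: an application that starts with an empty password because the secret was missing is a misconfiguration that looks like success.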
Data
- Those who store and control access to data are responsible for ensuring that it's properly secured.
- Often, regulatory requirements dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.
- In almost all cases, attackers are ultimately after data, wherever it lives:
  - Stored in a database.
  - Stored on disk inside virtual machines.
  - Stored in software as a service (SaaS) applications, such as Office 365.
  - Managed through cloud storage.