Defense in depth is a concept in information technology (IT) security that involves the use of multiple layers of security to keep information safe. This does not refer to the use of particular software programs, but is a “best practices” methodology that can be used as a guideline for securing a system. There are three basic components to using this approach — people, technology, and operations — and securing all three components produces overlapping controls, so that a gap in one layer is covered by another. Defense in depth is based on a military concept in which staggered layers of defense are used to slow down an advancing opponent.
The basic idea behind a defense in depth approach to IT security is that multiple layers of protection should be used to secure data. This means that while a virus scanner may be one effective way to keep out malicious software, it should also be paired with a firewall program, sensitive data should be encrypted and password protected, and users should be instructed in best practices. The “defense in depth” practices were established by the US National Security Agency (NSA) to protect computer systems from possible attacks.
There are three primary components in creating a defense in depth system: the people who have access to the system, the technology used, and the operations or management of that system. People include not only the employees of a company, who may be authorized to access sensitive data, but also those who may want to attack a company and access information illegally. Employees should be taught best practices, and a visible security presence should reinforce the importance of people as a component of IT security.
The actual technology used in a system is also vital to creating a defense in depth approach to security. This means that software should be reliable and verified by trusted third parties that have tested it. Layers of technological security should be established, including encryption, firewalls, systems for monitoring access to data, and password protection of computer terminals. The operations involved in this type of project are also vital, as effective management of people and technology is the only way to ensure these systems are in place and properly utilized.
Defense in depth is designed to not only better protect information, but to slow down and detect attacks on a company or agency. This approach acknowledges that an attack is a matter of “when” and not “if,” and so the system is designed to create a layered defense to slow down an attack. Since an attack then takes longer to complete, other systems can be utilized to detect it. This allows a company or agency to not only secure data, but also identify and act against attackers who try to access that data illegally.
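The argument above, that layers which slow an attacker give monitoring more time to catch the attack, can be put into a small model. The following is an added example, not part of the original article: each layer is given an assumed time it costs an attacker and an assumed hourly detection rate for the monitoring that watches it (all figures are constructed for illustration), and the probability that the attack is detected before it completes is compared for a single control and for a layered set of controls.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Layer:
    name: str
    hours_to_defeat: float        # assumed attacker time spent getting past this layer
    detect_rate_per_hour: float   # assumed rate at which monitoring on this layer raises an alert


def expected_attack_hours(layers: List[Layer]) -> float:
    """Total time the attacker must spend to get through every layer."""
    return sum(layer.hours_to_defeat for layer in layers)


def p_detected_before_completion(layers: List[Layer]) -> float:
    """Probability that at least one layer's monitoring fires before the attack finishes.

    Simplifying assumption: alerts in each layer arrive as independent Poisson
    processes at the given rate while the attacker is inside that layer, so
    P(no alert at all) = exp(-sum(rate_i * hours_i)).
    """
    exposure = sum(layer.hours_to_defeat * layer.detect_rate_per_hour for layer in layers)
    return 1.0 - math.exp(-exposure)


# Constructed configurations: a lone virus scanner versus the layered set the article lists.
SINGLE_CONTROL = [
    Layer("virus scanner", hours_to_defeat=2.0, detect_rate_per_hour=0.10),
]

LAYERED_CONTROLS = [
    Layer("firewall", hours_to_defeat=4.0, detect_rate_per_hour=0.05),
    Layer("virus scanner", hours_to_defeat=2.0, detect_rate_per_hour=0.10),
    Layer("access monitoring", hours_to_defeat=6.0, detect_rate_per_hour=0.20),
    Layer("encryption", hours_to_defeat=8.0, detect_rate_per_hour=0.00),  # slows, does not alert
]


def compare() -> dict:
    """Return attack duration and detection probability for both configurations."""
    return {
        "single_hours": expected_attack_hours(SINGLE_CONTROL),
        "single_p_detected": p_detected_before_completion(SINGLE_CONTROL),
        "layered_hours": expected_attack_hours(LAYERED_CONTROLS),
        "layered_p_detected": p_detected_before_completion(LAYERED_CONTROLS),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3f}")
```

Note that the encryption layer contributes no alerts of its own, yet it still raises the overall detection probability by lengthening the attack in the model; that is the article's point about slowing an attack so that other systems can detect it.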