Security layering just makes sense, doesn’t it? When you want to protect something valuable, you don’t use only one method to do it.
Just as a bank has multiple layers of defense between the street and its cash – a security guard at the door, bullet-proof glass between the teller and the floor, an alarm system, a fireproof vault – good network security places multiple layers between would-be attackers and valuable data and applications.
Security layering (sometimes called defense-in-depth) involves implementing multiple controls at varying levels within your network.
Each layer slows down a potential security breach, and if one layer fails, the next attempts to stop the attack before it gets far enough to do significant damage. If a network firewall lets a threat through, for example, endpoint antivirus software can still put a stop to a potential breach.
Security Layering — Things to Consider
A good network security strategy will implement some level of layered security to minimize single points of failure. There are some disadvantages and things to consider as you build out your security layering, however, such as:
Cost and resource control: In a perfect world, you’d be able to implement the best security measures at every level. It’s not a perfect world, though. Security budgets, skills of your IT team, and time pressure all put limits on the number and strength of the controls you can implement. Sometimes you have to prioritize the best controls for your unique business requirements. Starting with a thorough vulnerability assessment will help you get a clearer understanding of your current security posture and where to focus as you implement your layering strategy.
End user experience issues: There is sometimes a natural tension between good security and a good end user experience. Controls that slow down attackers can also slow down your systems and your users' productivity. Just as you weigh the ROI of investing time and budget in various security measures, weigh the pros and cons for your end users.
When slow-downs or annoyances are unavoidable, good communication can go a long way in reducing complaints and improving compliance.
For example, most tech users are aware that multifactor authentication is a good practice, but it’s still annoying when you want to get logged in and get your work done. As you implement new approaches that may affect users, communicate up front about what they should expect and why it’s necessary to keep the organization (and, arguably, their jobs) protected.
Avoid a one-and-done approach: Once you’ve implemented your layering strategy, ongoing maintenance remains critical. Assess your security layering periodically (at least once per year) to make sure that your measures still make the most sense for your business. As your organization grows, implements new technologies, or faces new types of threats, your security strategy and layering will need to evolve.
Security layering is a must, but it requires a thoughtful approach to avoid pitfalls like cost overruns, end user experience issues, and a false sense of security once initial implementation is complete.
If you’re new to security layering, the SANS Institute offers a good primer on the topic.
And if you’re researching the best hardware investments to support your security strategy, experienced Summit account executives are here to help.