"Security infrastructure should be layered."... I'm sure we've all heard this statement or even seen it on one or more IT Security exams. The idea seems logical once explained. Yet, many corporate "security" infrastructure designs don't include more than one layer of security. I always thought this was a bit of an odd disconnect between what we're teaching and what we are employing. But, never really thought much of it. Until...
I was recently in a local store to pick something up. It had been a pretty mind numbing day and so my brain was pretty bored. So, by the time I actually walked to the door of the store, my brain was trying to "spice things" up by processing anything and everything besides my shopping list. Before I knew it, I was observing the store's physical security. This particular store had multiple layers ranging from cameras in the parking lot to "door greeters" to cameras in the store to a structured checkout area that lead to a specific exit.
As I began making my way through the layers, I began really observing them. I also began to figure out how each one was tailored to a specific function and how they all interacted or complimented each other.
Over the last few days, I've been thinking a lot about the "layering" of items that the store used for physical security. I've also been thinking about how we as a society, tend to layer everything including meal plans, clothing, physical security at home, etc. For instance, a local apartment complex has the following: two entrances/exits, perimeter fencing and associated gates, roving security guards, and most of the apartments have a security system that can be monitored for a cost. This of course is in addition to your typical home security items like locking windows and doors, secondary door locks, etc.
Of course because of my profession, some of my brain cycles began to relate this to the IT world. This of course brought back the fond memories of my first security certification exam. One of the topics was relating to "Security infrastructure should be layered." Well, obviously this is a no brainer to me now. But back then I had to learn that a properly designed and configured IT environment needs to include multiple layers of security to protect the infrastructure. I also learned that some items within the design might include things like firewalls, DMZs, IPS solutions, spam filters, virus programs, user education, etc.
As I began to apply my recent analysis of the store's physical security layers to my existing IT related knowledge, I began to really see the layered approach much more clearly. I also, of course, with a new level of clarity, began to see how each IT "security" device fits into the layered approach and how each device interacts or compliments each other.
What is still a little surprising to me is that more companies aren't using this concept on their company's network. Some companies believe that a single piece of "security" equipment can protect their entire infrastructure. And so, they feel perfectly safe with a single router with "pre-configured firewall rules" that was supplied by the ISP. I know this is hard to believe and is somewhat a joke to those of us with any IT Security training. But, this was actually the case at one of my previous employers. So, I challenge you to take a look at your company's environment and identify and count the different layers in place. Can you count more than one layer at each "entrance and exit" including the user end?
As always, comments welcome below or you can email me at firstname.lastname@example.org if you prefer.