Defense in depth: building a holistic security infrastructure

Today's technology landscape includes more ways than ever to connect in real time.

In addition, more than ever, the information we handle and process is governed and regulated by industry ombudsmen or, worse yet, government examiners.

The nature of this ubiquitous regulated connectivity implies that we gain access to systems outside our control, while exposing our own networks to the outside world, and consequently, to increased risk.

In the old days, viruses and other malware were spread first by floppy disks, later by freeware software, and then by email. Today, and until a newer, slyer mechanism emerges, attackers are using the web to launch their attacks.

With so many possible entry points and vulnerabilities for hackers and other attackers to exploit, you must secure your organization and its data at multiple levels.

The reasons for this are twofold. First, should a security device or mechanism at one level fail, there will be another there to mitigate the damage, or at the least, notify an administrator about the breach. Secondly, one defense measure, for example, a firewall, is not capable of defending every potential path into the business.

The most successful security systems utilize a four-pronged approach that includes network security, application security, host security, and lastly, data-level security.


The network security layer, also referred to as the perimeter security layer, refers to the point at which traffic passes from the outside (untrusted) network to the inside (trusted) network. This is where your firewall, the building block of any security policy and, likely, the defense mechanism you are most familiar with, resides.

A firewall is often supported by an intrusion detection system (IDS) or intrusion prevention system (IPS).

An IDS is used to detect a variety of malicious behaviors that can compromise the security and trust of a computer system, including network attacks against vulnerable services, data-driven attacks on applications, host-based attacks (e.g., unauthorized logins) and malware.

In a passive system, an IDS sensor detects a potential security breach, logs the information and sounds an alert. In a reactive system, better known as an IPS, the sensor responds to the suspicious activity by resetting the connection or reprogramming the firewall to block traffic from the suspected malicious source.
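The passive/reactive distinction above, as an added example that is not part of the original article: a small sensor runs over constructed, syslog-style log lines and raises alerts for two of the behaviors the text lists (repeated failed logins against a host service and a data-driven attack on a web application). In passive mode it only records alerts; in reactive mode it also adds the source to a block list, standing in for reprogramming the firewall, so later traffic from that source is dropped. The log format, the threshold of five failures and the addresses are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from any real system): "<timestamp> <source-ip> <service> <detail>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 ssh login_failed user=admin
2024-01-01T10:00:02 203.0.113.5 ssh login_failed user=admin
2024-01-01T10:00:03 203.0.113.5 ssh login_failed user=root
2024-01-01T10:00:04 203.0.113.5 ssh login_failed user=root
2024-01-01T10:00:05 203.0.113.5 ssh login_failed user=oracle
2024-01-01T10:00:06 203.0.113.5 ssh login_failed user=postgres
2024-01-01T10:00:07 198.51.100.7 ssh login_ok user=alice
2024-01-01T10:00:08 198.51.100.7 http GET /index.html
2024-01-01T10:00:09 192.0.2.9 http GET /cgi-bin/../../etc/passwd
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
FAILED_LOGIN_THRESHOLD = 5              # assumed policy value
TRAVERSAL_RE = re.compile(r"\.\./")     # crude marker for a path-traversal request


@dataclass
class Sensor:
    reactive: bool                      # False = passive IDS (alert only), True = IPS
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    _failures: dict = field(default_factory=lambda: defaultdict(int))

    def process(self, line):
        m = LINE_RE.match(line)
        if not m:
            return
        ts, src, service, detail = m.groups()
        if src in self.blocked:
            return                      # an IPS would already drop this at the firewall
        if service == "ssh" and detail.startswith("login_failed"):
            self._failures[src] += 1
            if self._failures[src] >= FAILED_LOGIN_THRESHOLD:
                self._raise(ts, src, "ssh brute force (%d failures)" % self._failures[src])
        elif service == "http" and TRAVERSAL_RE.search(detail):
            self._raise(ts, src, "path traversal attempt: " + detail)

    def _raise(self, ts, src, reason):
        # Both modes log and alert; only the reactive mode blocks the source.
        self.alerts.append((ts, src, reason))
        if self.reactive:
            self.blocked.add(src)       # stand-in for reprogramming the firewall


def run_sensor(log_text, reactive):
    """Feed every log line through one sensor and return it for inspection."""
    sensor = Sensor(reactive=reactive)
    for line in log_text.splitlines():
        sensor.process(line)
    return sensor
```

Running the same log through both modes shows the difference: the passive sensor keeps alerting on the sixth failed login, while the reactive one has already cut that source off after the fifth.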


The application security layer controls access to sensitive information and represents your company's digital presence in the world. It includes your web servers, email, e-commerce, internet services and voice. This layer is so critical that often, as is the case with denial-of-service attacks, the layer itself is the target of attack rather than the data it utilizes and protects.

Comprehensive protections at the application security layer include access controls to authenticate, authorize and account for secure communications to an application or service. The password is the oldest and most basic form of access control.

Application isolation, which can be likened to a form of access control for the application, should also be utilized. Additional security mechanisms, including authenticated, encrypted communication and fail-safe mechanisms, should be placed in line between applications needing to communicate with one another.

The goal is to protect the system so that if one application is compromised, it cannot be used to attack other system applications or resources.

Code protection is also necessary. Be sure to perform routine software maintenance to ensure all patches related to security flaws are current, and require your software vendors to conduct regular vulnerability assessments and hands-on penetration testing.


All network traffic has a source and a destination device – that is, a workstation, server, phone, mobile device, etc.

Security at this layer is often the most challenging, since these devices are designed to multitask and interact with multiple applications and services simultaneously.

A host-based intrusion prevention system (HIPS) resides on the device and contains rule sets the host must follow. Behaviors that fall outside these rule sets are denied and reported to the security management software. This is perhaps the most reliable method to date for securing hosts on a network.
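The rule-set model described above, as an added example that is not part of the original article: each process is given an allowlist of the behaviors it may perform (network connections, file writes, program execution), and any event outside that list is denied and turned into a report for the management software. The process names, paths and ports are hypothetical and chosen for illustration; a real HIPS would canonicalize paths before the prefix check.

```python
from dataclasses import dataclass

# Constructed rule set: per process, the behaviours it is allowed to perform.
# Anything not listed is denied and reported. Names are hypothetical.
RULES = {
    "httpd": {
        "connect": {"tcp/80", "tcp/443"},
        "write": {"/var/log/httpd/", "/tmp/"},
        "exec": set(),                      # a web server should never spawn programs
    },
    "backupd": {
        "connect": {"tcp/22"},
        "write": {"/backup/"},
        "exec": {"/usr/bin/tar"},
    },
}


@dataclass(frozen=True)
class Event:
    process: str
    action: str      # "connect", "write" or "exec"
    target: str      # port, path or program


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def evaluate(event, rules=RULES):
    """Default deny: only behaviours explicitly listed for the process pass."""
    allowed = rules.get(event.process)
    if allowed is None:
        return Verdict(False, "unknown process")
    permitted = allowed.get(event.action)
    if permitted is None:
        return Verdict(False, "action not in rule set")
    if event.action == "write":
        # Writes are permitted anywhere below a listed directory.
        if any(event.target.startswith(prefix) for prefix in permitted):
            return Verdict(True, "write within permitted directory")
        return Verdict(False, "write outside permitted directories")
    if event.target in permitted:
        return Verdict(True, "explicitly permitted")
    return Verdict(False, "%s to %s not permitted" % (event.action, event.target))


def enforce(events, rules=RULES):
    """Apply the rule set to an event stream; return (allowed events, reports)."""
    allowed, reports = [], []
    for ev in events:
        verdict = evaluate(ev, rules)
        if verdict.allowed:
            allowed.append(ev)
        else:
            # The denied behaviour is what the management console receives.
            reports.append({"process": ev.process, "action": ev.action,
                            "target": ev.target, "reason": verdict.reason})
    return allowed, reports


# Constructed event stream for the example.
SAMPLE_EVENTS = [
    Event("httpd", "connect", "tcp/443"),
    Event("httpd", "write", "/var/log/httpd/access_log"),
    Event("httpd", "exec", "/bin/sh"),               # web server spawning a shell
    Event("httpd", "write", "/etc/passwd"),
    Event("backupd", "exec", "/usr/bin/tar"),
    Event("unknownproc", "connect", "tcp/3333"),      # process with no rule set at all
]
```

The point of the allowlist shape is that the host does not need a signature for a new attack: a web server executing a shell or writing outside its log directory is denied simply because nothing in its rule set permits it.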

Content filtering services that are designed to thoroughly clean and verify content before delivering it to the host should also be implemented. A common example is your email filter that quarantines and reports spam, viruses, dangerous executables, etc.


The final layer in a defense-in-depth security policy protects the sensitive data itself.

Protection strategies at this layer should focus on stored data and also information in transit. Encryption is a key component here.

You'll also need data leakage prevention strategies to monitor, document and often prevent sensitive information from leaving your organization without authorization. These tools scan data in motion, that is, information leaving the organization via email, instant messaging or removable media. Once it is determined that confidential data is on its way out the door, the action can be blocked or quarantined if necessary.
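The data-in-motion scan described above, as an added example that is not part of the original article: outbound messages on three channels (email, instant messaging, removable media) are checked for constructed indicators of confidential data, a payment card number validated with the Luhn checksum so that ordinary 16-digit reference numbers are not flagged, and a US-style social security number pattern. Traffic to the organisation's own domain is allowed; confirmed findings leaving by email or IM are blocked, and findings on removable media are quarantined for review. The internal domain, the channel names and the sample messages are assumptions for the example.

```python
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"          # assumed organisation domain

# 13 to 19 digits with optional space/dash separators; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US-style social security number pattern (constructed indicator for the example).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, last four characters) for each confirmed indicator."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits[-4:]))    # record only the last four
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[-4:]))
    return findings


@dataclass
class Outbound:
    channel: str          # "email", "im" or "usb"
    destination: str      # recipient address or device identifier
    body: str


def is_external(msg):
    if msg.channel == "usb":
        return True       # removable media always counts as leaving the organisation
    return not msg.destination.lower().endswith("@" + INTERNAL_DOMAIN)


def decide(msg):
    """Return (action, findings) where action is allow, block or quarantine."""
    findings = find_sensitive(msg.body)
    if not findings or not is_external(msg):
        return "allow", findings
    if msg.channel == "usb":
        return "quarantine", findings                 # hold the copy for review
    return "block", findings                          # stop the email/IM outright


def run(messages):
    return [decide(m)[0] for m in messages]


# Constructed sample traffic; the card number is the well-known Visa test number.
SAMPLE = [
    Outbound("email", "bob@example.com", "Card 4111 1111 1111 1111 for the expense report"),
    Outbound("email", "partner@external.test", "Please charge 4111 1111 1111 1111"),
    Outbound("im", "vendor@external.test", "Order ref 1234 5678 9012 3456 shipped"),
    Outbound("usb", "disk-serial-0001", "HR export: 123-45-6789"),
]
```

Recording only the last four characters of each finding matters in practice: the DLP log is itself a store of sensitive data if it keeps the full values it intercepted.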

While security measures at each of these layers are imperative, none of them will succeed on its own.

Only a truly comprehensive, defense-in-depth security policy involving protections at each layer of your organization can effectively safeguard against a multitude of security risks and plug vulnerabilities.