Multi-layered security

A multi-layer security architecture is sometimes referred to as defense-in-depth, helping to protect each touchpoint using tools purposefully built for that touchpoint. For example, a laptop in your organization may have a VPN for securely accessing the company’s resources and antivirus software to continuously scan the laptop for potential malware and other threats. Redundancy is a key aspect of multi-layered security. Data on the laptop may be encrypted and it may be backed up for redundancy and to support multiple recovery points.

Physical — This element involves using physical devices or mechanisms to secure data access touchpoints. Safeguards such as fingerprint scanners on a laptop and mobile, employee cards used to enter or leave the office premises, and CCTV cameras in the server room, belong to this category. For example, employees working from home are using a host of devices to access their organization’s data. In such a scenario, physical elements ensure that access to the device is restricted to the authorized user. 

Administrative — The policies and protocols used to secure data form the administrative element of multi-layered security. Good examples are employee cyber security training, using least-privilege access methodology when granting access to a network, building a cyber incident response plan, and so on. 

Technical — Perhaps the most important of all defense-in-depth security elements, the technical part consists of hardware and software used to secure data. Multi-factor authentication, data backup and recovery systems, antivirus, web content filtering, firewalls, antivirus software, and so on form part of the technical element.

In ideal circumstances, a multi-layered security approach is the best way to protect your organization from cyber attacks. However, if not carefully monitored, the benefits of defense-in-depth security can become its disadvantages.

• Complexity — The most common problem with a layered approach is complexity. In an attempt to make things more secure, organizations often deploy a plethora of security tools. Jason Brvenik, principal engineer in the Cisco Security Business Group, mentions that he’s seen organizations using 80 different technologies in between layers¹. This leads to overspending, operational challenges, and tools interfering with each other, creating security gaps. 
• Trying to stay relevant — Potential customers often demand adherence to new security protocols and processes. Such requirements make an organization invest in security technologies to close the deal without considering long-term impact. Often, such short-term decisions are forgotten about. Later, it becomes difficult to accommodate such tools in the entire security stack that a company uses.
• Integrations — Tighter integration between layers helps information pass seamlessly from one layer to the next. This ensures that layers have more than sufficient information to improve their defense. However, this is easier said than done. Not all tools use the same data taxonomy. Infosec teams have to deal with multiple kinds of information, making extracting meaningful insights from the data difficult. A lot of manual effort is wasted in integrating security tools with one another.

The cloud has transformed how businesses look at multi-layered security. It brings all the advantages of a multi-layered security approach, minus the operational and financial overhead. 

Cloud providers specialize in the storage and transmission of data. Their storage systems comply with several security and compliance standards, such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA. Their systems are regularly audited and they have the best security certifications, such as SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1.

When you adopt and use cloud-based applications or store data in the cloud, you auto-comply with such standards. This reduces the operational and financial overhead that comes with strong data security managed by your company. 

However, it’s important to note that protecting the data stored in the cloud is your responsibility. The notion that cloud storage is impervious is incorrect. Most cloud applications and platforms clearly state that you are responsible for securing the data stored in the cloud. After all, if someone gets escalated privileges to a cloud account they can change or delete that data. For example, here’s an excerpt from Microsoft Azure’s shared responsibility in the cloud article²: 

Quote:

“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).”

Even if you are using the cloud, you need other layers of security to ensure that your data is safe.