What is Layered Security?

Layered security, in an IT context, means protecting digital assets with several layers of security. The concept behind layered security is that if a hacker manages to breach one security measure, your sensitive data is still protected by yet others.

Think of the security portrayed in classic "heist movies," where a clever team of burglars must get past obstacle after obstacle before they can make off with the valuable jewels. The first layer of security is the locked doors and windows of the building; the second layer is the alarms on the doors and windows. The guards inside the building represent still another level, as do the video cameras monitoring the rooms. In addition, in the movies, there are fancy laser beam detectors surrounding the case where the jewels are, and yet a final layer is the detector that issues an alarm if the jewels are moved. For the burglars to get their prize, it's not enough to defeat one layer - they have to get past all of the many layers of security protecting the jewels.

Layered security is also known as 'defense-in-depth', a term borrowed from the military tactic with the same name. In a war, an army might choose to concentrate all of its forces along the front, so that it's as well defended as possible. The danger is that if the enemy concentrates its forces and breaks through the front in one spot, there are no further defenses protecting the area behind. With defense-in-depth, some defensive resources - troops, fortifications, weapons - are further back, so that if the front is breached, there are still troops and materiel available to stop the enemy advance. In the military context, even if less concentration in the first level makes it easier for the enemy to make an initial breach, they can be ultimately stopped more easily because their losses will continue to grow as they continue to try to work their way toward the goal.

Another classic example of defense-in-depth is the "concentric castle" model. A castle may be protected by an outer wall, then a moat, then a higher and more heavily fortified inner wall.

In the IT environment, layered security provides inherent redundancy. If one layer of security fails, another layer keeps the system and its data secure. To get through to the data, a threat would have to infiltrate every level of security. Layered security involves three main types of controls.

Layered security controls

To secure your data, you need to protect it in three different realms: administrative, physical, and technical. In each realm, multiple security measures can be deployed to provide a layered defense.
Administrative controls
Administrative controls consist of policies and procedures put in place by an organization to minimize vulnerabilities and to prevent users within the company from accessing information they are not authorized to access. Some layers of administrative controls could include:
  • Making sure that only current employees have user accounts by putting a procedure in place to close the employee account on the network when someone leaves the company.
  • Putting policies and procedures in place to ensure that employees take the mandated steps required to secure corporate data.
  • Implementing role-based access control, which enables employees to only access the data that they need to do their jobs. See our article on access control for more information about different access control schemes.
  • Minimizing the use of privileged accounts, such as administrator accounts, and placing restrictions on them.
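
The administrative layers listed above can be checked mechanically. The following audit is an added example, not part of the original article: it compares accounts against an HR roster and a role map to flag accounts of departed employees, access beyond the user's role, and unexpected administrator privileges. All user names, roles and resources are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: HR roster mapping current employees to a role.
CURRENT_EMPLOYEES = {"alice": "finance", "bob": "engineering", "carol": "it-admin"}

# Constructed role-based access control map: role -> resources it may access.
ROLE_PERMISSIONS = {
    "finance": {"ledger"},
    "engineering": {"source-repo"},
    "it-admin": {"ledger", "source-repo", "directory"},
}

# Assumption for this example: only these roles may hold administrator accounts.
ADMIN_ROLES = {"it-admin"}


@dataclass(frozen=True)
class Account:
    user: str
    grants: frozenset
    is_admin: bool = False


def audit(accounts):
    """Return (user, issue) findings, one per violated administrative control."""
    findings = []
    for acct in accounts:
        role = CURRENT_EMPLOYEES.get(acct.user)
        if role is None:
            # Offboarding layer: the account outlived the employment.
            findings.append((acct.user, "orphaned: no current employee"))
            continue
        # RBAC layer: anything granted beyond what the role needs.
        excess = acct.grants - ROLE_PERMISSIONS.get(role, set())
        if excess:
            findings.append((acct.user, "excess access: " + ", ".join(sorted(excess))))
        # Privileged-account layer: admin rights outside the approved roles.
        if acct.is_admin and role not in ADMIN_ROLES:
            findings.append((acct.user, "unexpected admin privilege"))
    return findings


# Constructed account list, as it might be exported from a directory service.
ACCOUNTS = [
    Account("alice", frozenset({"ledger"})),
    Account("bob", frozenset({"source-repo", "ledger"}), is_admin=True),
    Account("carol", frozenset({"directory"}), is_admin=True),
    Account("dave", frozenset({"source-repo"})),  # left the company
]

if __name__ == "__main__":
    for user, issue in audit(ACCOUNTS):
        print(f"{user}: {issue}")
```

Each finding maps to one layer, so a gap in one control (for example, a missed offboarding) is still visible even when the others are in order.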
Physical controls
Physical controls include anything that protects actual physical access to the IT system. These include doors with locks, fingerprint scanners, CCTV footage, security guards and gates. Layers of physical controls could be the types of things described above in the introduction, in the description of security for the heist movie jewels.
Technical controls
Technical controls for network security are typically the most complex of the controls. These include software and hardware-based information security solutions that prevent unauthorized access to the IT system and the data within it. A combination of different hardware and software solutions provides the best protection from a wide array of cyber threats. With the many cyber threats constantly emerging today, multiple layers of technical controls are a necessity for every business. Layers of technical controls could include the following:
  • Securing authorization
    • Requiring users to use strong passwords
    • Two-factor authentication or multi-factor authentication (2FA/MFA)
    • Biometric authentication
  • Preventing infections from malware
    • The first layer might be from the administrative realm - educating users not to click on suspicious links or to open suspicious files
    • The next layer could be conventional anti-virus and anti-malware software
    • An additional layer would be adding Remote Browser Isolation, so that if a user did click through to an infected site, damage would be contained away from the endpoint
  • Data security
    • Securing the network behind a firewall, which can be implemented as either hardware or software.
    • Encrypting data servers can protect data even if a bad actor manages to access the server.
    • Encrypting emails can be an additional layer, to prevent information sent via email from being intercepted and compromised.
    • Following best practices for remote access can be an additional layer of protection that closes a vulnerability often exploited by hackers. For more information see our article Virtual Computing as a Security Solution.

For maximum protection, multiple solutions should be used for each type of control. Organizations must ensure that their chosen solutions are compatible. Together, the multiple layers of security should provide complete coverage, filling in any gaps through which cyber threats might access the system.
