Let’s build a castle: the defense-in-depth cybersecurity model defined and explained

As businesses’ attack surface continues to grow, CIOs everywhere have their work cut out for them to find new tools and tactics to fend off cyber threats. According to VentureBeat’s Tim Keary, it “doesn’t just include resources within a ring-fenced network, but in all apps and services, traversing through the cloud and networks’ edge.” They range from laptops, mobile and IoT devices, and USB ports on the physical frontier to code, websites, cloud platforms, and servers on the digital one.

The US Defense Department confirmed that a cloud server had been secured after being online without a password for two weeks. A security researcher who discovered the breach said the exposed server contained three terabytes of internal military emails, including highly sensitive personal and health information as well as correspondence of those related to the US Special Operations Command. It took one misconfigured server to make this info dump accessible for anyone on the internet.

No wonder that a new movement is rapidly gaining momentum, promising to eliminate security vulnerabilities across companies’ workforce, technology, and operations. In this article, we’re taking a deep dive into what the defense-in-depth cybersecurity approach means and how it can help fix enterprise security woes across the board.

Defense in depth: meaning and key concepts

According to the US National Institute of Standards and Technology (NIST), cybersecurity defense-in-depth (DiD) is an “information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.” This is done by “layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.”

As a cybersecurity defense mechanism, defense-in-depth is based on the idea that no single software or strategy is able to safeguard an organization and its data assets against every kind of cyber attack, and rightfully so. Based on the FBI’s latest Internet Crime report, 2021 saw a record number of complaints from the American public with 847,376 reported incidents, including malware, phishing and personal data breach attacks, and potential losses exceeding $6.9 billion.

Let's build a castle: how the defense-in-depth model works

The defense-in-depth concept is often referred to as the “castle approach” because its inner workings can be best described with the help of a castle analogy. MedStack Co-Founder and CEO Simon Woodside does a stellar job explaining it on Medium, but we’ll give you the TL;DR. Medieval castles were famous for being virtually impenetrable and seen as a pinnacle of military engineering. They could withhold attacks by armies many times the size of their defenders, thanks to an engineering principle called, you’ve guessed it, defense-in-depth.

Castle builders were well aware of the fact that on its own no security feature is infallible. Wrapping a fortress in layers and layers of standalone defense mechanisms, however, they could make breaching the castle walls so difficult that the enemy would think twice about even launching an attack, let alone moving forward. Woodside explains, “Each layer multiplies the effects of the previous layer. If the outer wall deters 90% of attacks, and the inner walls deter 90% of attacks, then in combination they deter 99% of attacks.”

This is exactly how defense-in-depth architecture works in cybersecurity. It’s based on the idea of stacking defensive mechanisms on top of each other to create redundancies to the point of overkill. This way, if one defense fails, another one immediately takes its place in keeping the attackers outside.

Technology, training, and policies: 3 key elements of the defense-in-depth strategy

According to Perry Carpenter, author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, defense-in-depth security is built on three pillars:

1. Policies and procedures

   Meaning guidance for staff and suppliers on the importance of enterprise security and their roles and responsibilities in keeping information assets and networks safe. For example, acceptable use policies, anti-phishing policies, and business continuity and disaster recovery plans.

2. Technology

   These include the technical tools that scan enterprise systems for security vulnerabilities and prevent intrusion. Examples of defense-in-depth solutions range from antivirus, endpoint detection as well as email protection software to reputation services and password managers.

3. Staff training

   You can have the most well-thought-out protocols and the latest tools, but your enterprise security culture, just as medieval castles, will only ever be as strong as its weakest point. Often, that means employees. It’s crucial to offer ongoing training and guidance on security practices to staff at every level of the organization.

Layered security vs. DiD: what’s the difference?

At this point you might wonder, “Isn’t defense-in-depth just another word for a layered security architecture?” In short: it shouldn’t be. Layered security refers to security systems that rely on multiple components to protect their information networks and data assets on several levels. In essence, the “how” of the layered and defense-in-depth approach to security is the same: using as many defense layers as possible so that they counter any flaws or gaps in your capabilities and strengthen your security posture. The “why” behind the two methodologies, however, is different.

The end goal with layered security, TechRepublic explains, is to cover for the failings of each component by combining several of them into a single, comprehensive strategy against all kinds of hacking, phishing, denial of service, and other cyberattacks. Defense-in-depth, by contrast, arises from the understanding that total security cannot be achieved, no matter how many data and network security layers you implement. The security components of a DiD architecture aren’t supposed to serve as an impassable wall but as “stumbling blocks that hinder the progress of a threat.”

Key layers of defense-in-depth data and network security strategies

According to CSO Online, essential defense-in-depth layers roughly fall into one of the following categories:

1. Network security tools. Your first line of defense should be in the perimeter zone. Set up a firewall or intrusion detection system (IDS) to analyze and categorize traffic as well as to block unwanted access. Virtual private networks (VPN) provide users with security and anonymity when they connect to enterprise applications using public networks.
2. Anti-malware software. If your firewall and other perimeter controls fail you, antivirus software can still save the day. Signature-based solutions scan your infrastructure for malware by matching files based on their signature against a database, while heuristic vulnerability scanners use heuristic analysis to spot suspicious patterns and activity.
3. Behavior analytics tools. While we’re on the topic of suspicious activity, irregular file and network behaviors can be a tell-tale sign of an ongoing or successful cyber attack. Once you’ve set a baseline for regular behavior, behavioral analytics solutions can monitor your users’ activity and spot patterns, trends, and anomalies before it’s too late.
4. Data integrity monitoring. If you notice that your files are being copied or exfiltrated, an unknown IP address is linked to a file, or an incoming file has the same name as an existing one on your network but contains different information, your network is probably under siege – and the attackers are making strides. Add file integrity monitoring as a defense layer to nip hacking attempts in the bud.

Here’s a list of tools that you can use to further fortify your security strategy:

• Encryption

  As we discussed in an earlier post, encryption, at rest or in transit, is critical to bulletproofing data protection strategies, as it ensures that information is only accessed by authorized users. Even more so if it uses zero-knowledge technology, a method that makes it impossible even for your service provider to have any knowledge of your encryption key or the data you’re processing or storing on its servers.

• Data loss prevention (DLP)

  Also called data leak or extrusion prevention, DLP is a strategy for companies to safeguard their critical data assets against loss, theft, misuse, or unauthorized access with the help of automated policy enforcement. Interest in DLP tools soared during the pandemic, with 90% of organizations implementing at least one form of integrated DLP in 2021, up from 50% in 2017, according to Gartner’s estimate.

• Patch management

  Patch management refers to “the systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.” It allows businesses not only to keep networks and computers safe and reliable but also to improve performance, bringing software up to date so it can run on the latest hardware without any errors, bugs, and crashes, TechTarget points out.

• Two-factor authentication (2FA)

  Two-step verification provides an extra layer of security to your accounts, preventing unauthorized access to your data even if your password has been compromised. With 2FA enabled, every time you sign in to Tresorit, for example, in addition to your password you will be required to enter a randomly generated verification code sent to you through a text message, email, phone call, or verification app.

Making the most of defense-in-depth security: how Tresorit can help

An end-to-end encrypted content collaboration platform, Tresorit empowers you to:

• Make the cloud a safer place with E2E encryption

  Every file and relevant metadata on our users’ devices are encrypted with randomly generated encryption keys. Accessing files is only possible with a user’s unique decryption key that no one else, not even Tresorit, has knowledge of. Meaning that even if our servers were breached, no one would be able to read their contents.

• Keep access secure and limited

  Monitor and decide which devices are allowed to access which files and from where users are allowed to log in to their company account to safeguard business-critical documents. Manage files and tresors at a granular level to ensure they’re only accessible to those who need them and limit downloads or revoke access at any time.

• Stay in control of what happens to your data

  Implement data protection measures, including controlling who has access to what data, logging file activities, and creating internal security policies for data management. No file content can be modified without you knowing about it, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.

• Set up and enforce enterprise security policies in one place

  Make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes. Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, create different policies for each template and modify them at any moment through a single interface.

• Encrypt attachments automatically in Gmail and Outlook

  Empower your teams to work efficiently and send encrypted emails by integrating Tresorit with Google Workspace or Azure Active Directory and Office 365. The add-ins offer a fast and easy way for users to replace risky email attachments with encrypted share links and password-protected files using their existing email addresses.