Defence in depth and breadth

Figure 1: Defence in depth and breadth

Understanding the breadth of the problem

Defence in depth refers to layers of defensive mechanisms which are used to protect valuable data and information.

Defence in breadth is a more recently coined phrase that has come about due to the need to consider all the connections to any networked system. The complexity of the networks now in place in many organisations is staggering and, when connections to suppliers, customers, different physical locations around the world, homeworkers and many more are considered, they become ever more difficult to manage.

The concept of understanding the breadth of the network and its connectivity is critical. Security is only as strong as the weakest link and that is where the criminal or other intruder will most likely find their way in. Malware is now very sophisticated and once inside an organisation it will attempt to scan the network to find holes, service ports and login details for other, more protected areas, even allowing the intruder to appear as a trusted user.

Defence in depth and breadth is therefore a strategy for not only layering security to provide redundancy and to buy time to detect and enact a response, but also to span the wide-reaching end points and variety of security systems to provide a timely, co-ordinated response.

Accountability

Figure 2: Acountability

It’s important that organisations are able to hold individuals, groups, companies and other organisations accountable for their actions. With the right levels of accountability established, you’ll be better placed to detect and deter malicious or risky behaviour.

There are five stages to accountability, and these are illustrated on Figure 2 above. They are:

1. Identity
2. Authentication and Authenticity
3. Access Control and Authorisation
4. Logging
5. Auditing

In this Learning Path, we’re going to look at the first two stages, you’ll explore the others in later Learning Paths.

Identity

This is one of the more difficult concepts to explain and it’s fair to say that volumes have been written on this subject.

The definition here is taken from the British Computer Society’s CISMP textbook. This is not an official definition but worth remembering for the purposes of the exam:

'The properties of an individual or resource that can be used to identify, uniquely, one individual or resource.'

- (BCS, Information Security Management Principles)

Identification is the process of claiming an identity on a system. It’s natural to think this only applies to people but actually it can also apply to devices like mobile phones or even cars. Identification information is typically your username, but it might also be an email address, an ID number or a car numberplate.

Your username is the identity by which the system recognises you and can account for your actions. Identities are used to uniquely name system processes so that the system can establish which processes are performing which tasks.

Authentication

The key aspect of authentication is in the definition where it refers to an entity. If identification is the claiming of an identity, then authentication is proving that claim. There are many types of authentication processes, depending on what type of entity is being authenticated, however the most common form of authentication is a password.

Often the terms identification and authentication are used together in the acronym ID&A. The linkage between these two components is fundamental to the information security process. The entity that claims a particular identity must be authenticated to prove they are who they say they are.

Some examples might be:

• User authentication: A user logging on to a system with a username and password
• A user using a fingerprint to authenticate with their laptop
• Device authentication: A smart card being authenticated to a card reader

What’s next?

Now, with a clearer awareness of security principles it’s time to concentrate on risk management.