Defence in depth refers to layers of defensive mechanisms which are used to protect valuable data and information. Defence in breadth is a more recently coined phrase that has come about due to the need to consider all the connections to any networked system.

The complexity of the networks now in place in many organisations is staggering. When you consider the connections to suppliers, customers, different physical locations around the world, homeworkers and many more, they become ever more difficult to manage.

Let’s look at Figure 1 as an example. Protecting the data at the centre of the model is a whole host of different methods of security, including:

Database security
Information security
Content security
Message Level security
Policies, procedures and awareness
Usage policies
Single-sign on and identity security
Firewalls and denial or service
Physical protection

This, put simply, is defence in depth and breadth.

Figure 1: Defence in depth and breadth

Security is only as strong as the weakest link and that is where the criminal or other intruder will most likely find their way in. Malware is now very sophisticated and once inside an organisation it will attempt to scan the network to find holes, service ports and login details for other, more protected areas, even allowing the intruder to appear as a trusted user.

Defence in depth and breadth is a strategy that protects you in a number of ways:

By layering security to provide redundancy (keeping data in two or more places within a data system).
By buying time to detect a security breach and enact a response.
It covers a variety of systems and connections and provides a timely, coordinated response to attack.

Diagram showing elements of Accountability: Identity distinguishes a unique identity; Authentication and Authenticity verifies the identity of an entity; Access control restricts permission to use a resource; Logging creates a record of activity; Auditing: the checking of records to monitor activity

Figure 2: Acountability

Accountability

It’s important that organisations are able to hold individuals, groups, companies and other organisations accountable for their actions. With the right levels of accountability established, you’ll be better placed to detect and deter malicious or risky behaviour.

There are five stages to accountability, and these are illustrated on Figure 2 above. They are:

Identity
Authentication and Authenticity
Access Control and Authorisation
Logging
Auditing

In this section, we’re going to look at the first two stages, you’ll explore the others in later sections.

Identity

This is one of the more difficult concepts to explain and it’s fair to say that volumes have been written on this subject.

The definition here is taken from the British Computer Society’s CISMP textbook. This is not an official definition but worth remembering for the purposes of the exam:

'The properties of an individual or resource that can be used to identify, uniquely, one individual or resource.'

- (BCS, Information Security Management Principles)

Identification is the process of claiming an identity on a system. It’s natural to think this only applies to people but actually it can also apply to devices like mobile phones or even cars. Identification information is typically your username, but it might also be an email address, an ID number, or a car numberplate.

Your username is the identity by which the system recognises you and can account for your actions. Identities are used to uniquely name system processes so that the system can establish which processes are performing which tasks.

Authentication

If identification is the claiming of an identity, then authentication is proving you are who you say you are. There are many types of authentication processes, depending on what type of entity is being authenticated. The most common form of authentication is a password:

Authentication (prove who you are):
- Something you know, such as a password
- Something you have, such as a token
- Something you are, such as a fingerprint
- Somewhere you are, such as your IP address
- Something you can do, such as a signature

Authorisation covers what you are allowed to access. Often, the terms identification and authentication are used together in the acronym ID&A. The linkage between these two components is fundamental to the information security process. The entity that claims a particular identity must be authenticated to prove they are who they say they are.

Some examples might be:

User authentication: A user logging on to a system with a username and password
A user using a fingerprint to authenticate with their laptop
Device authentication: A smart card being authenticated to a card reader

Key points

Let’s take a look at the key points from this lecture:

Defence in depth is about having layers of defensive mechanisms.
Defence in breadth is about providing security across all connections to a networked system.
Identification is the process of claiming an identity on a system using some sort of unique identifier.
Authentication is the process of providing that you are who you say you are, using an identifier such as a password.
Access control ensures that access to information is authorised and restricted, based on business and security requirements.

Conclusion

Understanding defence in depth and breadth should give you a clearer understanding of how information security principles are implemented in practice. All defence systems aim to support you and your information security team in managing and reducing risk.