Security managers must have a good appreciation of associated physical security issues to ensure there’s a seamless information security management system across the entire organisation.

No matter how you apply security, systems can still be compromised. However, in this step you’ll look at one approach that makes it a lot harder for intruders.

Onion model (Layered security)

What better place to start than by looking at one of the best solutions for implementing effective physical security? It’s called the onion model, and, if used properly, will bring any cybercriminal to tears!

Mainly inspired by the layers of an onion, the model requires you to adopt a layered approach, whereby different types of operational security controls are used to varying degrees to protect your organisation’s information assets.

Layered security is also called defence in depth, which is based on the military strategy of the same name. In war, suppose an army concentrates all of its forces at the front. By putting all their troops at the front, there’s nothing protecting the area behind them. With defence in depth, some forces are held back, so that if the front is breached, there are still troops and material available to stop the enemy. To put this in the context of an IT environment, if one layer of security fails, another layer keeps the system and its data secure. To get through to the data, a threat has to infiltrate every layer.

Let’s peel back each layer of this onion to consider the areas where controls may be needed.

The inside of an onion, with each layer labelled with the following controls: physical access, network, voice, servers, endpoint devices and people.

Figure 1: Layered security – The onion model

Physical access: Locked rooms and restricted areas.

Network: Local area network switches, routers, firewalls, wireless, intrusion prevention systems, remote access servers etc.

Voice: Private branch exchange phone system, voice gateways, voice mail services and instant messages.

Servers: OS (Operating Systems), applications, and databases.

Endpoint Devices: Printers, scanners, desktops, laptops, tablets, and smartphones.

People: Security policies, business conduct guidelines and local regulations.

You have to be careful to manage the right balance between performance and security. If your data security is too restrictive, your flexibility and ability to conduct business will be negatively affected. On the other hand, if your security is too lenient, you might be making it easier for potential intruders to find a backdoor.

Key points

Let’s take a look at some of the key points to take with you as you move through the rest of this lesson:

Mainly inspired by the layers of an onion, the model requires you to adopt a layered approach, whereby different types of operational security controls are used to varying degrees to protect your organisation’s information assets. Layered security is also called defence in depth.
Layers of security include physical access, network, voice, servers, endpoint devices and people.

How strong are your defences? How ready are you to go to battle with intruders? Adopting a defence in depth approach is recommended to improve your organisation’s resilience to threats. The types of controls you implement as part of this approach will vary depending on your environment. These controls are categorised into physical, technical, and procedural.