Wednesday, February 1, 2017

Tech-Sec Guideline: Defense in Depth and Ubiquitous Security

Guideline: Defense in Depth and Ubiquitous Security

Part of: Technology Security Guidelines
Overview: Building a set of Guidelines for Security and Privacy

There should be redundancy of security controls within the environment, and security controls should be ubiquitous (present everywhere). When one layer fails or gets breached, another one should step in automatically.

The castle analogy applies to this guideline as well. A castle consists of multiple layers of defense: think of the trenches, bridges, outer walls, inner walls and towers. The overall security is the sum of many such controls, and where one fails, another control steps in. In the end the goal is not to make it impenetrable, but to slow down the progress of the breach; when the attacker is slowed down enough, there is a good chance you can kill the attack chain. This is called defense in depth.

Ubiquitous security has in essence the same meaning, but the underlying principle is somewhat different from that of defense in depth. Ubiquitous security means security that is everywhere around you. It also relies on the guideline of Security by Design to make this possible. This type of security means that you don't have to think about using it; it is just there.

Much like the airbag, seat belts, electronic brake system (EBS), lane detection and so on in a car; traffic lights, traffic signs, road repairs and traffic police are likewise security controls that make safe driving possible. When users roam your network, do not only incorporate advanced security controls for one specific application, but build them into every aspect of their work in a usable manner.
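The two ideas above can be shown side by side in code. The following is an added example, not code from the original post: a small request-handling app in which every handler sits behind the same stack of independent, fail-closed security layers (network allowlist, authentication, authorisation, input validation). It demonstrates defense in depth by removing one layer, as if the perimeter control had been bypassed, and showing that a tampered request is still stopped by the remaining layers and recorded for detection; it demonstrates ubiquitous security by making the layer stack the only way to register a handler, so a developer cannot expose a route without it. All names (Request, SecureApp, build_app, the tokens, the ACL and the 10.0.0.0/8 range) are hypothetical values constructed for the demonstration.

```python
"""Added example (not from the original post): every handler of a small app sits
behind the same stack of independent, fail-closed security layers.

All names here (Request, SecureApp, the tokens, ACL and IP range) are
hypothetical values constructed for the demonstration."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    src_ip: str
    token: Optional[str]
    path: str
    payload: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    events: List[str] = field(default_factory=list)  # audit trail for detection


# A layer returns None to pass the request or a string explaining the denial.
Layer = Callable[[Request], Optional[str]]

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")           # constructed
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}     # constructed
ACL = {"/reports": {"alice"}, "/status": {"alice", "bob"}}  # constructed
SAFE_PAYLOAD = re.compile(r"^[A-Za-z0-9 _.-]{0,64}$")


def network_layer(req: Request) -> Optional[str]:
    # Raises ValueError on a malformed address; handle() turns that into a denial.
    ip = ipaddress.ip_address(req.src_ip)
    return None if ip in TRUSTED_NET else "source outside trusted network"


def authn_layer(req: Request) -> Optional[str]:
    return None if req.token in VALID_TOKENS else "unauthenticated"


def authz_layer(req: Request) -> Optional[str]:
    user = VALID_TOKENS.get(req.token)
    return None if user in ACL.get(req.path, set()) else "not authorised for path"


def input_layer(req: Request) -> Optional[str]:
    return None if SAFE_PAYLOAD.match(req.payload) else "payload failed validation"


class SecureApp:
    """Handlers can only be registered through route(), so the layer stack
    is applied to every request; nothing is reachable without it."""

    def __init__(self, layers: List[Layer]):
        self._layers = list(layers)
        self._handlers: Dict[str, Callable[[Request], str]] = {}

    def route(self, path: str):
        def register(fn: Callable[[Request], str]):
            self._handlers[path] = fn
            return fn
        return register

    def handle(self, req: Request) -> Decision:
        events: List[str] = []
        verdict: Optional[str] = None
        for layer in self._layers:
            try:
                reason = layer(req)
            except Exception as exc:          # a broken layer fails closed
                reason = f"{layer.__name__} error: {exc}"
            if reason is not None:
                events.append(f"{layer.__name__}: {reason}")
                verdict = verdict or reason   # first denial is the reported one
        # Every layer is evaluated even after a denial so the audit trail shows
        # how many independent controls the request tripped.
        if verdict is not None:
            return Decision(False, verdict, events)
        handler = self._handlers.get(req.path)
        if handler is None:
            return Decision(False, "no handler for path", events)
        return Decision(True, handler(req), events)


def build_app(layers: Optional[List[Layer]] = None) -> SecureApp:
    """Build the demo app; pass a shorter layer list to simulate a bypassed control."""
    if layers is None:
        layers = [network_layer, authn_layer, authz_layer, input_layer]
    app = SecureApp(layers)

    @app.route("/reports")
    def reports(req: Request) -> str:
        return f"report for {VALID_TOKENS[req.token]}"

    @app.route("/status")
    def status(req: Request) -> str:
        return "ok"

    return app


if __name__ == "__main__":
    full = build_app()
    print(full.handle(Request("10.1.2.3", "tok-alice", "/reports", "q1 2017")))
    # Perimeter control removed: the outsider's tampered request is still stopped.
    degraded = build_app([authn_layer, authz_layer, input_layer])
    print(degraded.handle(Request("203.0.113.5", "tok-bob", "/reports", "q1 2017 <tampered>")))
    # Malformed input breaks the network layer itself; the pipeline fails closed.
    print(full.handle(Request("not-an-ip", "tok-bob", "/status", "x")))
```

Two design choices carry the guideline: a layer that throws is treated as a denial rather than a pass, so a broken control cannot silently open the door, and all layers are evaluated even after the first denial, so the event list tells an analyst how many independent controls one request tripped, which is a much stronger detection signal than a single failed check.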

More information from OWASP about Defense in depth.
