Optimize your cyber security through Defense in Depth: 3 underlying principles
To achieve cyber security, we rely on cyber security controls such as firewalls or antivirus software. Unfortunately, none of these controls is 100% effective: no antivirus product, for example, blocks 100% of malware; at best it blocks the malware we already know about. Defense in Depth (DiD) is the response to the fact that, no matter how secure a cyber control is, it can never be entirely failure- or vulnerability-proof.
DiD can be compared to an onion: just as an onion has multiple layers of skin, your cyber security has layers upon layers of controls. If one layer fails to stop an attack, the next layer should stop it, or at least delay it. Defense in Depth is based on three underlying principles:
Redundancy is a well-understood principle that addresses the availability requirements of your controls: you need redundant controls so that if one fails, another is available to step in. Typically, you deploy two identical firewalls, even if only one is needed from a performance perspective.
Diversity is well understood in safety engineering. In a nuclear power plant, for example, some safety injection pumps are steam-driven and some are motor-driven. Because they are diverse, a loss of electrical power still leaves you with steam, so some of the pumps keep operating. Applied to cyber security, this concept dictates that controls of the same type should not share the same vulnerability. For example, if the firewalls from brand X have an improper certificate validation vulnerability, the firewalls from brand Y should not have it. So, if you use both brands of firewall for the same control, you achieve diversity. You may also want to consider diverse OS and hardware platforms.
Diversity is also reflected in the fact that your cyber security infrastructure does not depend on perimeter controls alone, but has all the depth of technology, process and people controls you need. This is a subject on its own, which we won’t elaborate on this time.
Independence is a less common principle in cyber security and is much harder to achieve. There are multiple interpretations of the concept. Imagine that you have a Linux, an AIX and a Windows server, each running a different antivirus product. In this case you achieve redundancy and diversity. But suppose all three use the same open-source library to unzip files: an attacker could exploit a vulnerability in that library and compromise all three antivirus solutions at the same time. Independence, then, means that multiple controls will not fail because of the exploitation of a single vulnerability in a connected or relied-on system or subsystem.
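As an added illustration (not part of the original article, nor code from GSN or Fox-IT), the following Python models the three principles as checks over an inventory of controls; every control, vendor and component name in it is a constructed placeholder, and the antivirus inventory reproduces the shared unzip-library case described above.

```python
"""Defense-in-Depth layer check: redundancy, diversity, independence.

Added illustration, not code from the article, GSN or Fox-IT. Every name
below (controls, vendors, components) is a constructed placeholder."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    vendor: str            # implementation family; distinct vendors give diversity
    components: frozenset  # relied-on systems/subsystems: OS, libraries, hardware


def redundant(controls):
    """At least two controls perform the function, so one may fail."""
    return len(controls) >= 2


def diverse(controls):
    """No two controls share a vendor, so a vendor-specific flaw (the article's
    improper certificate validation example) cannot disable them all."""
    return len({c.vendor for c in controls}) == len(controls)


def common_cause(controls):
    """Components relied on by more than one control: each is a single
    vulnerability that could take several layers down at the same time."""
    users = {}
    for c in controls:
        for comp in c.components:
            users.setdefault(comp, set()).add(c.name)
    return {comp: sorted(names) for comp, names in users.items() if len(names) > 1}


def independent(controls):
    """No relied-on subsystem is shared between the controls."""
    return not common_cause(controls)


def assess(controls):
    return {"redundancy": redundant(controls), "diversity": diverse(controls),
            "independence": independent(controls), "common_cause": common_cause(controls)}


# Constructed inventory mirroring the article: two identical brand-X firewalls, and
# three different antivirus products on Linux, AIX and Windows sharing one unzip library.
FIREWALL_PAIR = [Control("fw-1", "BrandX", frozenset({"BrandX-OS", "x86"})),
                 Control("fw-2", "BrandX", frozenset({"BrandX-OS", "x86"}))]
AV_TRIO = [Control("av-linux", "VendorA", frozenset({"Linux", "libunzip-example"})),
           Control("av-aix", "VendorB", frozenset({"AIX", "libunzip-example"})),
           Control("av-windows", "VendorC", frozenset({"Windows", "libunzip-example"}))]
```

Running `assess(AV_TRIO)` reports redundancy and diversity but flags `libunzip-example` as a common cause shared by all three layers, which is exactly the independence failure the text describes.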
Achieve Defense in Depth with a data diode
With a data diode, you can achieve redundancy, independence and diversity. These devices are delivered in single-fault-tolerant, high-availability (HA) versions, which takes care of redundancy. Being pure non-logic hardware, they have no components or subsystems in common with any other network segregation control, and therefore achieve independence from other network segregation controls. Since data diodes are a totally different technology, they achieve diversity when used in conjunction with other perimeter controls.
Written by Gilles Loridon who is CEO at Global Security Network (GSN) in the United Arab Emirates.
GSN is one of the Fox-IT DataDiode partners.