Security Think Tank: In-depth protection is a matter of basic hygiene
4 min read
The belief that effective perimeter security is the best way to protect data is a fallacy that is being repeatedly exposed. We must recognise the need for a data-centric security model to protect data from both internal and external threats, but what does this mean for security professionals?
Over many years, myself and my associates have advocated "security in-depth". To solely rely on perimeter security, in our book, was never enough.

Security in-depth aims to protect not just data, be it at rest or traversing a network, but all the assets within a network, such as Ethernet switches, servers, routers and so on. This is done by implementing multiple layers of controls and defences throughout an IT infrastructure. The choice of controls used and deployed defences will depend on the technologies employed and values of the assets to be protected.

In the following paragraphs I'll go through a typical scenario that I believe an infosec professional should be an advocate for and be building strategies to achieve.

Strategies to achieve a good sustainable level of defence in-depth that will in turn provide better protection of data from both internal and external threats will depend on a number of variables.

Those variables will include such items as the business's risk appetite, budget availability and budget cycle, the attitude of the company's board and senior managers towards IT and IT security, the age and architecture of the company's IT estate including whether there is an element of bring-your-own-device (BYOD), internet of things (IoT) device usage or visitor Wi-Fi access and, of course, there is the value of and location of company data.

Start with the basics The starting point for good defence in-depth – and…
Read full article