A defense-in-depth approach to cybersecurity, a vision first championed by the Defense Department but taken up by civilian cyber leaders as well, is drawing new interest and taking on new meaning in light of ongoing modernization efforts.
In a sense, defense-in-depth—a strategy that does not hinge wholly on a strong network perimeter but instead incorporates security measures throughout the enterprise—was ahead of its time. When originally articulated, the network architecture of most defense agencies was still tied to a hierarchical client-server model, with the server being the hub of cyber efforts and the perimeter the first line of defense.
That is no longer practical. With the growing use of cloud, mobility and related technologies, as well as the focus on arming the warfighter on the front lines with information, the network perimeter has all but disappeared, and threats arrive through countless vectors, including cloud applications, mobile devices and apps, and e-mail. In this environment, defense agencies need to trust less in network-based, perimeter-centric security and focus more on data- and application-level protections that travel with the data wherever it goes, including remote, forward locations. Data is the new perimeter.
It is commonly understood that a perimeter-centric approach assumes that anyone who gains access to the network is trustworthy, while a defense-in-depth or layered defense approach assumes that malicious actors are bound to get in and so individual assets (that is, data or applications) must still be protected. But that is only part of the story: perimeter security also assumes that all assets of value remain within the bounds of the network, which increasingly is not the case.
In practice, this requires defense agencies to review existing cyber solutions and policies. Encryption, both for data at rest and in motion, is critical, but it must be part of a broader data protection framework.
Consider data loss prevention (DLP). DLP strategies typically assume a traditional network architecture, with data residing in the cloud or on mobile devices handled separately, if at all. This does not square with the modern military enterprise, in which end users connect through a wide range of devices, both physical and virtual, from access points around the world. Data protection must be consistent whether data resides on premises, in a commercial cloud or on a mobile device; the same classification rules and controls should apply at every location. Cloud and mobility cannot become security blind spots.
Authentication also must be revisited. For good reason, a growing number of defense agencies are adopting two-factor authentication, requiring users to present both a password and a second factor such as a hardware token, smart card or fingerprint. Unfortunately, authentication is often applied only at the network level, for example at a VPN gateway or network access control point, and once authenticated an end user has free movement across everything reachable from the inside.
In a layered defense, authorization is extended to the application and data levels: every request for an application or dataset is checked against an explicit grant, not merely against the fact that the user is already on the network. As a rule, the more granular the permissions the better, provided the resulting policy remains reviewable. Defense agencies should make conscious choices about who has access to which data and applications, always erring on the side of the least privilege needed, and should periodically review each user's effective permissions against that intent.
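The contrast between a network-level gate and application- and data-level checks can be made concrete in code. The following is an added example, not code from the article or from Symantec, and its users, roles, applications and datasets are constructed for illustration only. It evaluates the same requests under a perimeter model (authenticated once, then free movement) and a layered model (explicit per-resource grants, deny by default), and it enumerates a user's effective grants so an administrator can check them against the least-privilege intent described above.

```python
"""Added example: per-request authorization at the application and data layer.

Two policy decision functions are compared on the same requests:
  - perimeter_model: a network-level gate; once the user has authenticated
    (with a second factor), every application and dataset is reachable.
  - layered_model: every request must match an explicit grant for one of the
    user's roles; anything not granted is denied.
All names and the policy table are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool                 # second factor presented at login
    roles: frozenset = field(default_factory=frozenset)


# Constructed policy: (role, application, dataset) -> actions allowed.
# Anything absent from this table is denied under the layered model.
POLICY = {
    ("analyst", "intel-portal", "field-reports"): {"read"},
    ("analyst", "intel-portal", "summaries"): {"read"},
    ("editor", "intel-portal", "summaries"): {"read", "write"},
    ("logistics", "supply-app", "inventory"): {"read", "write"},
}


def perimeter_model(session, application, dataset, action):
    """Network-level gate: authentication alone decides; resource and action
    are ignored, which is the 'freedom of movement' problem."""
    return session.mfa_verified


def layered_model(session, application, dataset, action):
    """Application/data-level gate: still requires the second factor, then
    requires an explicit grant for this exact (application, dataset, action)."""
    if not session.mfa_verified:
        return False
    for role in session.roles:
        if action in POLICY.get((role, application, dataset), set()):
            return True
    return False  # deny by default: no grant, no access


def effective_grants(session):
    """All (application, dataset, action) tuples this session can use under the
    layered model, for least-privilege review by an administrator."""
    grants = set()
    for (role, application, dataset), actions in POLICY.items():
        if role in session.roles:
            for action in actions:
                grants.add((application, dataset, action))
    return grants


def compare(session, requests):
    """Decide each (application, dataset, action) under both models.
    Returns a list of (application, dataset, action, perimeter_ok, layered_ok)."""
    return [
        (app, ds, act,
         perimeter_model(session, app, ds, act),
         layered_model(session, app, ds, act))
        for (app, ds, act) in requests
    ]


if __name__ == "__main__":
    alice = Session("alice", mfa_verified=True, roles=frozenset({"analyst"}))
    requests = [
        ("intel-portal", "field-reports", "read"),   # granted to analysts
        ("intel-portal", "summaries", "write"),      # editors only
        ("supply-app", "inventory", "read"),         # different application
    ]
    for app, ds, act, perim, layered in compare(alice, requests):
        print(f"{app}/{ds}:{act:<6} perimeter={perim!s:<5} layered={layered}")
    print("effective grants for alice:", sorted(effective_grants(alice)))
```

Under the perimeter model every request from the authenticated analyst succeeds, including a write to an editors-only dataset and a read from an unrelated application; under the layered model only the explicitly granted read succeeds. The `effective_grants` output is the list an administrator would review when deciding whether a role holds more than the mission requires.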
Understandably, organizations might be daunted by the concept of a layered defense. Whatever its failings, perimeter-centric security has the advantage of being relatively simple to manage. But its simplicity is also its principal downfall. Once breached, and perimeters are breached with alarming frequency, a perimeter defense offers no further protection to anything behind it. In a military environment this presents an even greater risk, as missions and lives are at stake.
A layered defense is inherently more complex, but that complexity can be managed. In fact, managing complexity is key. As the enterprise evolves, an agency must develop a cohesive cyber strategy that sees the enterprise as a whole, securing data and applications wherever they reside and however they are being accessed.
In the long run, treating data as the perimeter will help defense agencies adapt more easily to future changes in the network architecture. The transition to the cloud has been slow and painful in large part because cloud security did not fit the model of perimeter defense. But whatever new approaches for delivering IT services emerge in years to come, data- and application-level security will always provide a reliable foundation.
Aubrey Merchant-Dest is the federal chief technical officer for Symantec.