What is Defense in Depth

Ghost
4 min read · Jan 11, 2023


Defense in Depth is a security strategy that prevents data breaches and slows down unauthorized attempts to access data by building an environment with seven layers of protection and validation, so that no single control has to stop an attack on its own. The principles that define a security posture are confidentiality, integrity, and availability.

  1. Confidentiality - This pillar ensures that the ‘protect surface’ can be accessed only by those who have been granted direct, express permission.
  2. Integrity - A unique fingerprint of the data is created with a one-way hashing algorithm and sent to the receiver together with the data. The goal of integrity is to preserve the data unchanged throughout transmission, so after receiving the data and the hash, the recipient recalculates the hash over the received data and compares the two values to detect any inconsistency.
  3. Availability - Data should be made available only to authentic users, and authentic users should not be denied access. Denial of access is exactly what happens in a DDoS (Distributed Denial of Service) attack, in which even bona fide users are locked out.
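To make the integrity pillar concrete, here is an added Python example (not code from the original post) of the fingerprint-and-compare check described above. It goes one step beyond the text: it also shows why a plain hash only detects accidental or naive tampering, and how a keyed hash (HMAC over a shared secret, an assumption not in the post) stops an attacker from rewriting both the data and its fingerprint.

```python
import hashlib
import hmac
import secrets


def fingerprint(data: bytes) -> str:
    """Sender side: one-way SHA-256 fingerprint of the data, as hex."""
    return hashlib.sha256(data).hexdigest()


def verify(received: bytes, expected_hex: str) -> bool:
    """Receiver side: recompute the fingerprint and compare it to the one sent."""
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(fingerprint(received), expected_hex)


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: only a holder of the shared key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(received: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(keyed_fingerprint(received, key), expected_hex)


# Constructed sample transmission: what was sent, and a modified copy
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def demo() -> dict:
    """Run the integrity check against the intact and the tampered message."""
    sent_hash = fingerprint(ORIGINAL)
    key = secrets.token_bytes(32)          # shared secret, assumed pre-agreed
    sent_tag = keyed_fingerprint(ORIGINAL, key)
    return {
        # intact data: recomputed hash matches the transmitted one
        "intact": verify(ORIGINAL, sent_hash),
        # modified data: recomputed hash no longer matches
        "tampered_detected": not verify(TAMPERED, sent_hash),
        # an attacker who rewrites the data AND the plain hash goes unnoticed
        "hash_rewritten_undetected": verify(TAMPERED, fingerprint(TAMPERED)),
        # the keyed tag cannot be recomputed without the key, so this is caught
        "keyed_tampered_detected": not verify_keyed(TAMPERED, key, sent_tag),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the practical caveat: a bare hash guarantees integrity only if the hash itself reaches the receiver over a channel the attacker cannot alter.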

Layers in Defense in Depth:

Security in the Defense in Depth strategy is multi-layered. The ‘protect surface’ sits at the core of this arrangement. This approach removes the dependence on any single layer of security.

1. Physical Security

This is the outermost shell of security and regulates physical access to the cloud/data-center infrastructure. Microsoft Azure adheres to a well-architected security pipeline with data centers distributed globally. It adopts a layered approach to diminish any risk of physical access to clients’ data. Only eligible personnel with a legitimate cause (audit, compliance, etc.) and official identification are granted permission to enter the facility. Permissions are granted only for a fixed period, after which they expire and a new permission must be issued. The data center perimeter is under resilient CCTV surveillance. Visiting personnel must arrive at a pre-defined access point to be eligible for entry. Armed and rigorously trained security staff are posted at every access point to conduct background verification of the visitor. Passing two-factor authentication via biometrics is mandatory, and it permits the visitor to access only the section of the data center he/she is entitled to. A full-body metal detection scan is conducted on the visitor before he/she can visit the designated floor, which is heavily fitted with video cameras. All these safeguards are meant to ensure that the data is protected from unauthorized physical access.

2. Identity and Access

This is the 2nd layer of Azure’s defense-in-depth strategy. Data, applications, and software at the front gate are protected with Azure’s identity and access management solutions. This layer ensures that authentic users are granted access to only what they need, and that sign-in attempts are logged and validated. It is used to protect against malicious sign-in attempts and to safeguard credentials with risk-based access controls. Multi-factor authentication, single sign-on, and event audits are key features of this layer.

One of the crucial parts of governing this many users is handled by Azure Active Directory. A service like Azure Privileged Identity Management can be used to restrict or grant access to various resources across the Azure ecosystem and beyond.

3. Perimeter

The perimeter is the 3rd layer of the defense-in-depth strategy. The perimeter is used to protect the data from large-scale network-based attacks. It is sometimes called a demilitarized zone. The perimeter is responsible for identifying network threats and attacks, alerting clients about a plausible breach, and eliminating risks and threats. DDoS (Distributed Denial-of-Service) protection is used to filter large-scale attacks. Firewalls are placed on the perimeter to detect malicious activity and ensure that only desired traffic is directed into the network.

4. Network

This is the 4th layer of the strategy. It targets limiting network connectivity across all resources to only what is required. This layer strives to limit communication between resources to prevent malware from spreading. Inbound and outbound access is restricted, and connections are denied by default. Azure Virtual Networks also provide network isolation and security controls comparable to those available on an on-premises network.

5. Compute

Compute is the 5th layer of the defense in depth strategy. This layer ensures that all compute resources are secured and that the user has complete control to minimize security issues. Azure also provides its users a confidential computing service. This provides a host of tools, services, and applications that the user can leverage in a virtualized environment. Because data is processed without being exposed to the host (blind processing), this helps prevent unauthorized access, supports regulatory compliance, and enables collaboration between parties that do not fully trust each other.

6. Applications

The 6th layer of the defense in depth strategy aims to reduce risks and vulnerabilities associated with the application’s development lifecycle. It also seeks to make security features a mandatory part of application development. Confidential information used by or received from applications should be stored in a secure storage endpoint.

7. Data

This is the innermost layer of the strategy. Attackers pose threats to data stored in databases, on disks inside virtual machines, in Software-as-a-Service applications, and in data managed via the Azure cloud. Personnel storing and controlling access to data are responsible for ensuring that it is properly secured. Regulatory requirements govern the processes that must be followed to ensure the confidentiality, integrity, and availability of the data.

By Ashok cybersecurity
