Defense in depth is the design principal of creating multiple layers of security in an application. Relying solely on one method allows a greater chance of vulnerabilities to be exploited. By adding firewalls, authentication, and encryption, it can be made harder for malicious attacks to gain access to useful information. However, when considering too little security you must also look at the opposite. Implementing as much security as possible can also have the same effect as too little. Defense layers must be implemented correctly and thoughtfully. Testing must be done regularly to make sure that security libraries or encryption are not found to have vulnerabilities. Many layers of mismanaged security may have the same effect of implementing none at all.
As with anything there are time, money, reputation, and operational considerations when choosing security layers. If the security stack is too large this may become cost and time prohibitive. Larger companies will have the resources to be able to implement more layers correctly where small organizations will need to be selective in what they choose. If a breach is discovered in a companies system it can create a large impact on their reputation. Organizations such as medical facilities can have legal and financial repercussions on top of a loss of trust from patients. If there are other options in the market place, customers will move to a facility that will protect their private health information.
Health care is one example of an industry that uses technology extensively in their workflows but there are many others. They each have their own unique aspects that must be considered when designing the security of the organization. Systems that only use intranet inside of the facility do not have to worry about fire-walling outside access if the system is closed. However they may need to invest more into physical security to protect the hardware from in-person attacks. Smaller companies who host everything in the cloud do not have any infrastructure to protect but must be aware of third party security breaches. Regardless of the type of facility, any company that employs more than one employee should consider the “Zero Trust” mindset. This is the idea that anyone in the company could cause harm and that everyone should have the least amount of access needed in order to do their jobs. OS and software permissions can be set so that users are able to access specific parts of a system which can decrease the harm a malicious individual can do. This mindset combined with industry specific security layers can decrease the likelihood of a successful attack on the organization.
1. What is defense in depth? Forcepoint. (2021, May 6). Retrieved January 9, 2022, from https://www.forcepoint.com/cyber-edu/defense-depth
2. Defense-in-depth. CyberArk. (2021, September 28). Retrieved January 9, 2022, from https://www.cyberark.com/what-is/defense-in-depth/