‘Defense in Layers’ — The Enterprise Framework

David Matousek
Product Cybersecurity


Article 1 of ‘Defense In Layers’ in the Enterprise


As long as there is money to be made from hacking an enterprise, attackers will keep finding new ways to exploit vulnerabilities. The 2022 Uber hack followed a typical pattern: a single individual chained together a series of exploits to impersonate an identity, log into the cloud environment, discover hidden credentials, penetrate secret stores, and access private data.

Enterprises need to apply ‘zero trust’ principles within a ‘Defense in Layers’ strategy so that reaching their most important data is as difficult as possible. Traditionally, enterprises follow a ‘Defense in Depth’ practice, building out physical, technical, and administrative controls tied to the perimeter, network, endpoint, application, and data layers to form a tight-knit weave of prevention and protection across the attack surface.

Defense in Depth — “Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.” NIST SP 800–53 Rev. 5

Realistically, this is difficult for stakeholders to understand or even envision fully. Executives often need to see a visual representation demonstrating security capabilities across the security layers. This defense also…


Cybersecurity Product Manager, Building Better Security for Customers, Developers, & Stakeholders