The defense in depth principle is something that’s widely discussed in pretty much every web development community imaginable every other time when someone mentions the keyword “web application security.” But what is it exactly and why is it so important? That’s what we’re going to figure out in this article.
What is Defense in Depth?
Defense in depth is a security strategy referring to an approach using multiple layers of security to protect an application (a so-called “asset.”) This illustration illustrates the defense in depth strategy perfectly (image by Imperva.) – imagine the center of this circle as your application. Everything that surrounds it would be part of a defense-in-depth strategy.
You get the point – the more layers surround your web application, the more secure it gets. Obviously, this has another side to it as well – the better the security of your web application, the worse user-friendly it might get, so you really have to aim to get the best of both worlds. Most security engineers in the web application space aim to get a nice CDN (think CloudFlare, or the same Imperva) to protect the first layer of their web applications with a WAF, some aim to implement access control, some aim for bot protection, some also protect logins.
Making Use of Defense in Depth
Understanding defense in depth is nice, but remember that we have to actually practice what we preach – in other words, we must make use of the capabilities offered by defense in depth to protect our web applications. We’ve touched upon some of this in the subject above (protecting web applications with a WAF, implementing access control, etc.), but there’s so much more to that than utilizing capabilities provided by a WAF – proper usage of defense in depth comes down to the fact that we mustn’t only secure our web application, but also everything behind it: look into the above circle closely – there are administrative controls, technical controls, and physical controls as well. Technical controls come down to technical stuff discussed above, physical controls might come down to the physical security of your office perimeter (having security staff near the entrance to the office building, etc.), and administrative controls mostly come down to policy and procedures – that might mean making information known to only people that have the absolute necessity to know it, making sure guidelines defining personnel or business practices are made according to an organization’s security goals and they continue to stay in place. A proper defense-in-depth strategy allows our security practices to “slip” – even if one of them isn’t in place or fails, the presence of others is usually sufficient enough to warrant a good security posture nonetheless. Say, if our WAF fails and we have services like BreachDirectory guarding our organization from identity theft attacks, we will be in good hands no matter what happens – see how it all works together so nicely?
Defense in Depth In the Future
Some security experts say that defense in depth is a necessity for the future as well – as the threats posed to web applications are presumed to only grow, we can assume that defense-in-depth practices will be more and more relevant in the future. In the future, we could have not only physical and web application security defenses, but also remote and home-office security installments (since remote work is the new normal and as more and more people start and continue to work remotely, we might start to see some home-office security stuff hitting the market), etc.
Whether we will see these kinds of appliances or not, though, obviously depends on how things go in the future and possible market demand, but we can be almost sure that the defense in depth strategies employed now won’t be the same 10 or even 5 years down the line.
Summary
Defense-in-depth is a great tool for enhancing the security posture of any organization and application alike – employing just a couple of strategies mentioned in this article will ensure that both your application and organization is ready for whatever threats it might face. We hope that the information contained within this article was informational and you will put it to good use when securing your organization or web application from internal and external threats – make sure to secure your employees by running a search through BreachDirectory to make sure their information isn’t contained in any data breach as well, and until next time!