There is a concept commonly used in cybersecurity and information assurance known as layered security. Layered security is a concept that refers to a strategy that involves multiple security control types that form a robust barrier between the organization and any potential threats. Layered security often involves the use of several branches of security such as physical security, network security and administrative security. Each branch in a layered security strategy is designed to protect the organization from a specific type of internal or external threat.
In any industry there are a variety of specific threats that an organization will design their security strategy around. For example in the financial industry there is a large emphasis on implementing technical controls to protect user’s credit card data. An example of this is through the use of tokenization which protects a users credit card data by using a randomized token in place of the actual data. If a hacker is able to steal this data it will be useless as it is only an ephemeral representation of the actual data they are after.
Based on the findings of a well produced threat assessment an organization will be able to determine their relevant attack surface, common attack vectors in their industry, organization assets and vulnerabilities. This information will help the security staff construct and implement a robust layered security approach tailored to their threat environment and risk tolerance. The use of layered security using a branch system is a method in which an organization can prevent a wide range of incidents involving data loss.
The security branches involved in cybersecurity and information assurance are as follows: 1) physical security, 2) personnel security, 3) network security, 4) computer security, 5) device security, 6) data security, 7) application security, 8) operations security and 9) database security. Each of these security branches are graphically depicted in a series of concentric circles representing each domain. A central concept involving security branches and layered security is that each branch functions individually within its own domain but together the branches form a group of robust and fully integrated security practices.
Each of the security branches used in the strategy are designed for three primary defensive objectives which are 1) defense, 2) deterrence and 3) detection. A security control within a branch will conduct one or more of these three objectives. Additionally, other objectives are defined such as risk avoidance, prevention and recovery. A well crafted security branch will have multiple security controls that accomplish most of the above listed objectives.
For example physical security refers primarily to access control and the monitoring of physical security within an organization. This could include detective controls such as surveillance cameras, deterrent controls such as gated access control and defensive controls such as security guards. Additionally, the organization could implement physical controls for risk avoidance such as installing handrails, preventative controls such as bollards and compensating controls such as a fire suppressant system. This model of implementing controls that protect against multiple areas of risk would then be replicated across the nine previously listed security branches.
The Importance of Security Branches
Modern organizations both government or commercial are at risk for a multitude of potential risks to information security. Much of the information and data needed for essential functions is stored on information systems which are vulnerable to a variety of threats. The more our society relies on information technology to conduct daily operations the larger this risk becomes. Organizations of today must implement a comprehensive security strategy that is relevant to their industry and specific threat environment.
There are many threats which can cause data loss or disruption which could potentially cause irreparable damage to an organization, their associates, partners and clients. Certain industries are more prone to certain types of threat than others which must be considered when developing a security strategy. For example e-commerce businesses are commonly targeted by cyber criminals who desire financial gain. Data such as customer payment information, bank account details and transaction data is at risk if not properly secured.
The security staff of an organization must create a custom security strategy that protects against the vulnerabilities of their industry, specific environment and organization. There are many threats that can cause data loss that are not associated with cyber crime or espionage. Events such as power outages and natural events can also threaten an organization. For example if data is not backed up to servers at a remote location after a severe hurricane or natural disaster then sensitive data may be lost forever. An incident such as this can disrupt essential operations and even permanently destroy an organization depending on the individual circumstance.
Using security branches, layered security and multiple security controls are the foundation of a robust security strategy. There are several universal concepts such as the ones described in this report that organizations can use to form a template for a layered security approach. However, each organization must invest the time and resources to develop a custom plan relevant to their particular threat environment. Organizations must also consider assets and vulnerabilities that may not be readily apparent. This is a common reason for outsourcing security assessments to industry professionals who can conduct security audits and penetration tests. As the world becomes more dependent on information technology, as well as the digital transfer and storage of information, so will the need for comprehensive security strategies that avoid, reduce and transfer risk.