This article gives a high-level overview of the concept of defense-in-depth and explains how the concept relates to meeting SOC 2 requirements.
What is the Principle of Defense-in-Depth?
Defense-in-depth is a broad topic, so this is a high-level overview intended to help those unfamiliar with the concept understand what it is and how it can be implemented within an organization.
The core idea of defense-in-depth is that the protective controls around an asset must be layered so that the organization can withstand an attack on that asset even when an individual control fails. There is no single panacea for protecting organizational data, and any one layer of security can fail; having multiple layers (defense-in-depth) is therefore the best-practice approach to protecting data.
What is the Primary Benefit of Defense-in-Depth?
The primary benefit of defense-in-depth is assurance that if one control fails, the remaining controls can still prevent and/or detect the attack. In other words, you never want to rely on a single layer of defense.
What is Defense-in-Depth?
The formal definition of defense-in-depth from NIST is the following: “Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.”
SANS defines defense-in-depth as the following: “…the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”
Essentially, an organization needs to ensure that if one control fails, there are more behind it, and that if all of the preventive controls fail, the attack is still detected. Prevention is best, but detection is necessary.
Putting defense-in-depth into practice begins with understanding and identifying the organization's most valuable systems and data. The next step is to implement controls that prevent unauthorized employees and unauthorized outsiders from accessing those systems and data, and to layer those controls so that no single failure exposes the asset.
What are the Layers in the Defense-in-Depth Security Model?
At a high level, the layers of an organization's production environment that must be protected in order to demonstrate and practice defense-in-depth can generally be described as follows:
- Perimeter Layer
- Network Layer
- Host Layer
- Application Layer
- Data Layer
Again, the concept of defense-in-depth is having layers of security controls (not just one) to protect an organization's “crown jewels” (i.e. its data, and its services from disruption). With this layered approach, to reach your information an outside (or inside) attacker would have to get through your perimeter, your network, your host, your application, and finally your data protection layers in turn.
What are Some of the Best Practice Controls to Implement at Each Layer of Defense?
Below is a set of controls (preventive, detective, and deterrent) that can be implemented at the different layers. This is by no means an exhaustive list; the controls can include but are not limited to the following:
- Perimeter – Network firewalls, configured so that open ports are limited to what is required to conduct business (i.e. all unnecessary ports are closed), with a deny-all rule in place that blocks all traffic except what is explicitly allowed and required to conduct business and provide your services.
- Network – Segmentation of critical assets/data, an intrusion detection system, and network monitoring tools.
- Host – System hardening and secure configuration of the system, patching, anti-malware agents, and a HIDS (host intrusion detection system).
- Application – Web application firewalls, authentication controls, and input validation checks.
- Data – Encryption at rest, encryption of data in transit, and data classification requirements that define the handling controls for each class of data; encryption protects against both logical attacks and physical (hardware) attacks such as a stolen disk.
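The deny-all perimeter rule in the Perimeter bullet above is easy to state and easy to drift away from as exceptions accumulate, so it is worth checking mechanically. The following Python script is an added example, not part of the original article and not a Linford & Co tool: it parses an `iptables-save` dump and reports whether the INPUT chain is default-deny, any accepted port that is not on an approved business-port list, and any approved port that is exposed to a wider source range than policy allows. The two rule dumps and the approved-port list are constructed for illustration.

```python
"""Check an iptables-save dump for a default-deny INPUT chain and an
explicit allowlist of business ports (added example; not from the article)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    chain: str
    proto: Optional[str]
    dport: Optional[str]
    source: Optional[str]
    target: Optional[str]


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value following a flag such as '--dport', or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def parse_iptables_save(dump: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return ({chain: default policy}, [Rule, ...]) from iptables-save text."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue                          # comments, table headers, COMMIT
        if line.startswith(":"):              # ":INPUT DROP [0:0]" -> chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        if line.startswith("-A "):            # "-A INPUT -p tcp --dport 443 -j ACCEPT"
            tok = line.split()
            rules.append(Rule(tok[1], _opt(tok, "-p"), _opt(tok, "--dport"),
                              _opt(tok, "-s"), _opt(tok, "-j")))
    return policies, rules


def audit_input_chain(dump: str, approved: Dict[int, Optional[str]]) -> List[str]:
    """Return findings for the INPUT chain; an empty list means it passes.

    `approved` maps a port to the CIDR its source must be limited to, or None
    when the port may legitimately be open to any source (e.g. public HTTPS)."""
    policies, rules = parse_iptables_save(dump)
    inp = [r for r in rules if r.chain == "INPUT"]
    findings: List[str] = []

    # Default deny: either the chain policy is DROP or the last rule drops everything.
    last = inp[-1] if inp else None
    trailing_drop = (last is not None and last.target == "DROP"
                     and last.proto is None and last.dport is None and last.source is None)
    if policies.get("INPUT") != "DROP" and not trailing_drop:
        findings.append(f"INPUT policy is {policies.get('INPUT')} with no trailing "
                        "deny-all rule: not default-deny")

    for r in inp:
        if r.target != "ACCEPT" or r.dport is None:
            continue                          # loopback/conntrack rules carry no port
        if not r.dport.isdigit():
            findings.append(f"dport '{r.dport}' is a range or list; review each port")
            continue
        port = int(r.dport)
        if port not in approved:
            findings.append(f"{port}/{r.proto} accepted but is not an approved business port")
            continue
        required = approved[port]
        if required is None:
            continue                          # approved for any source
        src_ok = (r.source is not None and
                  ipaddress.ip_network(r.source, strict=False)
                  .subnet_of(ipaddress.ip_network(required)))
        if not src_ok:
            findings.append(f"{port}/{r.proto} accepted from {r.source or 'any'}; "
                            f"policy restricts it to {required}")
    return findings


# Constructed sample dumps (not captured from a real host). The first is close to
# the recommended shape but has one drifted rule; the second has no default deny.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Hypothetical business policy: HTTPS public, SSH only from the internal range.
APPROVED: Dict[int, Optional[str]] = {443: None, 22: "10.0.0.0/8"}

if __name__ == "__main__":
    for name, dump in (("hardened", HARDENED_DUMP), ("weak", WEAK_DUMP)):
        print(f"[{name}]")
        for f in audit_input_chain(dump, APPROVED) or ["no findings"]:
            print("  -", f)
```

On a real host the dump comes from `iptables-save` (or `nft list ruleset` with a different parser); the approved-port map is the thing the auditor asks you to produce, so keeping it in version control beside the ruleset gives you the evidence and the check in one place.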
How Does Defense-in-Depth Support Overall SOC 2 Compliance, & Why is it Important in Information Security?
SOC 2 requires various types and layers of controls to protect an organization's services and data. Hence, by obtaining a SOC 2 report an organization is able to demonstrate that it has a certain level of defense-in-depth in place to protect its data and services from a breach and/or disruption of services.
What are Examples of Defense-in-Depth in Relation to SOC 2?
Beyond the entity-level control requirements for SOC 2, there are technical control requirements as well. The SOC 2 criteria that focus on evaluating the technical control environment (which includes detective and deterrent controls) are Monitoring, Logical and Physical Access, System Operations, and Change Management, as well as the Availability and Confidentiality criteria.
To provide additional context on these areas, the controls associated with each of these technical areas that would be tested in a SOC 2 examination are listed below (this is not an exhaustive list):
- Monitoring – Mostly detective controls: monitoring production systems for availability and performance, and periodic reviews (entitlement reviews, internal audit, etc.).
- Logical and Physical Access – Authorization process for system access, RBAC for access to production systems and data, termination/access revocation procedures.
- System Operations – Incident response, anti-virus, and the host-based controls noted earlier (e.g. workstations that access production data have session timeouts configured, disk encryption, and current patching).
- Change Management – Segregation of duties in the change management process, non-production data within lower environments (development and test).
- Availability – Test of the Disaster Recovery Plan, backup procedures and configurations, backup restore testing.
- Confidentiality – Implementation of data classification, client data segregation, data encryption in transit and at rest.
Implementing the various types of controls required for SOC 2 demonstrates that defense-in-depth is in place: a SOC 2 compliant organization has multiple layers of controls protecting its services and its client and organizational data from attack.
Defense-in-depth is a key concept for an organization to consider when building its control environment. Practicing defense-in-depth provides layers of protection around an organization's most valuable systems and data so that an attack can be prevented, deterred, or at least detected. In other words, defense-in-depth means having multiple layers of technical and non-technical controls in place to accomplish the goal of protecting your information assets.
If you have any questions or would like more information about Linford & Co or our audit services, please feel free to contact us.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University's Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.