Defense in Depth: What It Is & How It Relates to SOC 2 Compliance

Defense in depth and SOC 2 compliance

This article gives a high-level overview of the concept of defense in depth, shows how it was applied to help a client, and ties in how the concept relates to an organization's ability to meet SOC 2 requirements. To start, we would like to share a real-life scenario where defense in depth was applied in a practical situation.

We worked with a firm in the healthcare IT software services industry and noted that they had concerns about the protection of their sensitive client data which included health records and personal information.

The Challenge:

We were tasked with helping the firm with the following security challenges:

  • Increasing Cyber Threats: The healthcare industry is a prime target for cybercriminals, who are constantly evolving their tactics. The firm faced a growing number of phishing attempts, ransomware attacks, and insider threats.
  • Regulatory Compliance: The firm was subject to strict regulatory requirements and achieving and maintaining compliance was a priority.
  • Client Trust: Clients in the healthcare industry place a high premium on the security of health records and personally identifiable information (PII). Maintaining trust was essential to retaining and attracting clients.

But First…What Is Defense in Depth (DiD)?

Defense in depth is a cybersecurity strategy based on the idea that a single security measure is insufficient to safeguard against evolving cyber threats. By creating multiple layers of defense, an organization can significantly reduce its risk exposure and enhance its ability to detect and respond to security incidents.

The formal definition of defense in depth from NIST is the following: “Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.”

SANS defines defense in depth as the following: “…the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”

Essentially, an organization needs to ascertain that if one control fails, there are more behind it. If they all fail, the attack then needs to be detected. Prevention is best, but detection is necessary.


Defense in depth strategy

The Solution:

We guided the firm with a defense in depth strategy to mitigate these challenges. The concept of defense in depth is having layers of security controls (not one) to protect an organization’s “crown jewels” (i.e. its data and services) from compromise and disruption. Essentially, with this layered approach, to successfully get to your information, an outside (or inside) attacker would have to penetrate through your network, your host, your application, and finally your information protection layers. Here was the approach, which outlined the principles and layers of defense in depth:

  • Perimeter Security: Firewall and intrusion detection and prevention systems to safeguard its network perimeter.
  • Network Security: Implementation of strong access controls, including role-based access permissions, two-factor authentication, and network segmentation.
  • Endpoint Security: Implementation of a mobile device management (MDM) tool to monitor employee workstations and mobile devices. The tool allowed for the workstations to continuously run antivirus software and enable full-disk encryption.
  • Data Security: Strong encryption for data at rest and in transit. Access to sensitive data was restricted to authorized personnel only, with regular audits to monitor access.
  • Employee Training and Awareness: Established a security awareness program that included phishing simulations and clear reporting mechanisms for employees to alert the IT team to potential threats.
  • Incident Response and Monitoring: Security Information and Event Management (SIEM) system to continuously monitor network and system activity. This enabled the rapid detection of anomalies and swift incident response.
  • Physical Security: Data centers/server rooms were upgraded with advanced physical security measures, including biometric access controls and 24/7 monitoring.

The Outcome:

By implementing defense in depth, the firm significantly improved its security posture. Here were some of the outcomes:

  • Enhanced Security: The layered security approach effectively mitigated many cyber threats, reducing the risk of data breaches and unauthorized access.
  • Regulatory Compliance: The firm met the stringent regulatory requirements, passing SOC 2 and HIPAA audits with ease.
  • Client Trust: Clients were assured of the firm’s commitment to security. As a result, the firm retained existing clients and attracted new ones who valued strong security measures.
  • Incident Response: With robust monitoring and incident response capabilities, the firm could detect and respond to security incidents promptly, minimizing potential damage.

In this scenario, the firm’s decision to implement defense in depth not only strengthened its security but also ensured that it remained compliant with industry regulations and maintained the trust of its clients. Defense in depth allowed the firm to address its unique challenges in a holistic and effective manner.


The importance of defense in depth for SOC 2

How Does Defense in Depth Support Overall SOC 2 Compliance & Why Is It Important in Information Security?

Obtaining SOC 2 compliance requires various types and layers of controls to protect an organization’s services and data. Hence, by obtaining SOC 2 compliance, an organization is able to demonstrate that it has a certain level of defense in depth in place to protect its data and services from a breach and/or disruption of services by outside intruders.

What Are Examples of Defense in Depth in Relation to SOC 2?

Outside of the entity-level control requirements to meet SOC 2 compliance, there are technical control requirements as well. The areas and criteria of SOC 2 that focus on evaluating the technical control environment (which includes detective controls and deterrent controls) are as follows: Monitoring, Logical and Physical Access, System Operations, and Change Management, as well as the Availability and Confidentiality criteria.

To provide additional context on these areas, we have listed below the controls associated with each of these technical areas that would be tested in a SOC 2 examination (this is not an exhaustive list):

  • Monitoring – Mostly detective controls: monitoring production systems for availability and performance, periodic reviews (entitlement reviews, internal audit, etc.).
  • Logical and Physical Access – Authorization process for system access, RBAC for access to production systems and data, termination/access revocation procedures.
  • System Operations – Incident response, antivirus, host-based controls as noted earlier (workstations that access production data have session timeouts configured, disk encryption, current patching, etc.).
  • Change Management – Segregation of duties in the IT change management process, non-production data within lower environments (development and test).
  • Availability – Test of the Disaster Recovery Plan, backup procedures and configurations, and backup restore testing.
  • Confidentiality – Implementation of data classification, client data segregation, data encryption in transit and at rest.

The implementation of the various types of controls required to meet SOC 2 compliance demonstrates that defense in depth is in place. Therefore, a SOC 2-compliant organization has various layers of controls protecting its services and/or its client and organizational data from attack.


Defense in Depth FAQs

Frequently Asked Questions (FAQs) on Defense in Depth

Here are some of the most frequently asked questions we get from clients regarding defense in depth.

What Is the Primary Benefit of Defense in Depth?

The primary benefit of defense in depth is to ascertain that even if one of the controls fails, the other controls are able to prevent and/or detect an attack (i.e. you never want to have only one layer of defense).

What Are the Layers in the Defense in Depth Security Model?

  1. Perimeter Layer
  2. Network Layer
  3. Host Layer
  4. Application Layer
  5. Data Layer

Essentially, with this layered approach, to successfully get to your information, an outside (or inside) attacker would have to penetrate through your network, your host, your application, and finally your information protection layers. Take a look at this article to learn about the different types of penetration tests that can be performed and tools you can use to test your system.

What Are the Three Elements of Defense in Depth?

  1. Administrative – Policies and procedures for access to systems and data.
  2. Physical – Physical security controls to data centers and server rooms.
  3. Technical – Consists of hardware and software components that protect systems against cyberattacks.

Summary

Defense in depth is a key concept for an organization to consider when implementing its control environment. Practicing defense in depth provides layers of protection around an organization’s most valuable systems and data in order to prevent, deter, and detect an attack. In other words, defense in depth is having multiple layers of technical and non-technical controls in place to accomplish the goal of protecting your information assets.

If you’re looking for more information on SOC 2 compliance, check out our website. We have a wealth of articles about this topic, as well as relevant cybersecurity and IT audit information.

If you are interested in engaging Linford & Company for our auditing services, if you need a SOC audit report, or if you have any questions, please feel free to contact us. Our team consists of IT audit professionals that are highly skilled at SOC 2 audit reports. We will be happy to answer any questions you may have and to assist with your compliance needs.

This article was originally published on 8/31/2022 and was updated on 11/1/2023.