How you have layered security wrong and what it will cost you
I’m going to provide a simplified example of what layered security isn’t. Let’s assume you want to put up a physical wall. The technical term is “barrier,” but let’s use wall to keep it simple.
You start calling contractors and let them know that you are interested in having a wall put up. You schedule a meeting with three different contractors to hear their sales pitch. The first one shows you a picture of what you expect a wall to look like, the description matches what you expect a walls description to be, the material and thickness meet your needs.
The second contractor uses what appears to be the same graphics in their presentation. However, the contractor points out that their wall is actually two walls that are half as thick as the previous contractors wall. They tell you that this is because they implemented a security practice called “layered security.” “This improves security because if the first layer fails, you have a second one.” Everything else is the same, total thickness of the material, material used, wall height, etc. Except for the price of course. They charge twice as much for their wall.
The third contractor comes in and has a unique graphic that catches your eye immediately. They have a wall that is half as thick as the first contractors. Theirs is made out of the same material as the first contractors. They also have a line splitting it showing that it is “actually” two walls too, they’re just touching like the second contractors.
The major difference here is that they have another separate wall, well, not a wall exactly. It’s a chain link fence. They also tell you how important layered security is. They point to the fact that they have three layers, and even have a unique outer layer of security. They of course present the most expensive wall solution at four times the cost of the first.
Ladies and gentlemen of the jury, if I asked you based on this story what you thought of “layered security,” what would your answer be? Would you respond, “that seems brilliant?” Would you exclaim, “this seems like the emperor has no clothes?” Would you ask how you could get hired by the third company?
This is a common problem with people new to Information Security. They mistake “layered security,” also called the “security onion,” for what I have described above.
I could tell you a story about another company that builds impenetrable walls, because their walls have infinite layers… that are infinitesimally thick. But, they’ll tell you that it’ll take an infinite amount of time to get through them…
Instinctually, you know that something is wrong here. And you’re right, there is. Let me build a comparison example, and we’ll see what the difference is so that we can understand what layered security is.
At the last minute you meet with another contractor. They show you that they too will build the same wall as the first contractor does. Same height, same thickness, same material, same craftsmanship. “Well, okay, but I already have that option?” “We also include an alarm system that will alert you of any damage to the wall, or if anyone goes over it.” They tell you that the total system costs as much as the second contractors.
Now how do you feel? If security was the deciding factor, not money, would you purchase this “wall?” Why?
Layered security is often confused with redundancy. That was our third example. You actually have two walls (one is a chain link fence). They both exist at the same layer, and both function similarly, though not exactly the same way. If one fails, you expect the other to do the job the first failed at, but again, do the job a similar way.
What that last example gave you was security done a different way. If I were applying this design to network speak, I’d have a firewall with a SEIM. A firewall and a SEIM don’t operate at the same layer, don’t function similarly, and don’t require the existence of the other to function at all. Yet when used in concert, you have…
The term, when used correctly, describes an important concept. When the term is used incorrectly it provides a false sense of security and is an effective way to waste time and money.