
Information Security: Managing Risk with Defense in Depth

Information Security: Managing Risk with Defense in Depth (PDF, 1.76MB)
Published: 09 Oct, 2003
Created by:
Kenneth Straub

The expectation of always being connected via the internet, having instant access to information, and sharing data while remaining productive and efficient comes with substantial risk. As a result, we, as Information Security Professionals, are required to focus our attention on minimizing risk while maintaining the three bedrock principles of information security: Confidentiality, Integrity, and Availability. To accomplish this, we are tasked with the design, implementation, and daily maintenance of a strategy known as Defense in Depth. The concept of Defense in Depth is to use multiple defense mechanisms in layers across the network infrastructure to protect internal data, systems, networks, and users. We use multiple defenses so that if one defensive measure fails, there are others behind it that continue to protect the assets. This paper first gives a detailed overview of risk, risk management, and data classification, and explains why the Defense in Depth strategy is needed. It then lays out the blueprint for Defense in Depth: each layer is identified and followed by a description and/or best practice, depending on the technology involved. A conclusion section brings the topic to a close, followed by the list of references used to support the document.