Defense in Depth
Defense in depth, also known as layering, is the practice of using multiple security controls in a series to protect against a variety of threats. A multilayered solution ensures that even if one control fails, other security measures remain in place to prevent exposure of systems or data.
A key aspect of defense in depth is that the controls are arranged in series, not in parallel. In a series configuration a request must pass every control in turn, so a single control that fails or is bypassed does not by itself expose the system. In a parallel configuration a request is accepted as soon as any one control accepts it, which is useful for throughput in distributed computing but wrong for security: the effective protection collapses to that of the weakest control, and an attacker only has to satisfy that one.
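The series-versus-parallel distinction is easiest to see in code. The following added example (not from the original page) models three hypothetical controls, a firewall, a WAF rule and a token check, and evaluates one request through them first in series and then in parallel. The allowed address range, the traversal pattern and the token value are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Request is a constructed stand-in for an inbound request; every field
// holds a hypothetical value chosen for the example.
type Request struct {
	SourceIP string
	Path     string
	Token    string
}

// Control is one layer of defense: nil means allow, an error names the denial.
type Control func(Request) error

// firewall allows only sources inside an assumed corporate range.
func firewall(r Request) error {
	_, corp, _ := net.ParseCIDR("10.0.0.0/8")
	ip := net.ParseIP(r.SourceIP)
	if ip == nil || !corp.Contains(ip) {
		return fmt.Errorf("firewall: %s outside allowed range", r.SourceIP)
	}
	return nil
}

// waf rejects the one pattern it knows about, a path-traversal sequence.
func waf(r Request) error {
	if strings.Contains(r.Path, "..") {
		return fmt.Errorf("waf: traversal sequence in %q", r.Path)
	}
	return nil
}

// auth requires a fixed bearer token; the token value is an assumption.
func auth(r Request) error {
	if r.Token != "valid-token" {
		return fmt.Errorf("auth: invalid token")
	}
	return nil
}

// EvaluateSeries applies the controls in series: every control must allow,
// and the first denial stops the request. A single failing layer cannot be
// compensated for by satisfying a different one.
func EvaluateSeries(r Request, controls []Control) error {
	for _, c := range controls {
		if err := c(r); err != nil {
			return err
		}
	}
	return nil
}

// EvaluateParallel is the anti-pattern: the request is allowed as soon as
// any one control allows it, so it only has to satisfy the weakest layer.
func EvaluateParallel(r Request, controls []Control) error {
	var last error
	for _, c := range controls {
		err := c(r)
		if err == nil {
			return nil
		}
		last = err
	}
	return last
}

func main() {
	controls := []Control{firewall, waf, auth}
	// Constructed request: allowed address and valid token, but carrying a
	// traversal sequence that only the WAF layer detects.
	r := Request{SourceIP: "10.1.2.3", Path: "/files/../../etc/passwd", Token: "valid-token"}
	fmt.Println("series:  ", EvaluateSeries(r, controls))
	fmt.Println("parallel:", EvaluateParallel(r, controls))
}
```

The request in `main` is denied by the series evaluation because the WAF rejects it, but accepted by the parallel evaluation because the firewall alone was satisfied; that is exactly the bypass the text warns about.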
Defense in depth employs various security terms such as classifications, zones, realms, compartments, silos, segmentations, lattice structures, and protection rings, all of which relate to creating multilayered defenses.
Abstraction
Abstraction groups similar elements, classes, or roles to assign security controls, restrictions, or permissions collectively. This simplifies security by applying controls to groups of objects, making it easier to manage permissions based on type or function.
Abstraction in security mirrors abstraction in object-oriented programming: callers use an object's interface without needing to understand its internals. The same idea underlies mediated access, where a user-mode application requests a service from the kernel (supervisor mode) through a defined interface, and the kernel grants or denies the request based on the requester's identity and privileges rather than letting the application touch the resource directly.
Additionally, abstraction allows for defining object groups, where access controls are assigned collectively, making the administration of rights and privileges easier. This is especially useful in environments where security policies are based on job roles or responsibilities.
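The following added example (not from the original page) shows the group abstraction the two paragraphs above describe: permissions are attached to groups, users are only ever placed in groups, and an access check walks the user's memberships. A single `Grant` on a group changes what every member may do without touching any user record. The group names, permission names and users are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is a named right such as "read:logs". The names used below
// are assumptions for the example.
type Permission string

// Directory maps groups to permission sets and users to groups, so rights
// are administered on the group (the abstraction), never per user.
type Directory struct {
	groupPerms map[string]map[Permission]bool
	membership map[string]map[string]bool // user -> set of groups
}

func NewDirectory() *Directory {
	return &Directory{
		groupPerms: make(map[string]map[Permission]bool),
		membership: make(map[string]map[string]bool),
	}
}

// DefineGroup creates a group carrying the given permissions.
func (d *Directory) DefineGroup(group string, perms ...Permission) {
	set := make(map[Permission]bool, len(perms))
	for _, p := range perms {
		set[p] = true
	}
	d.groupPerms[group] = set
}

// Grant adds a permission to a group; every current and future member
// gains it without any per-user change.
func (d *Directory) Grant(group string, p Permission) error {
	set, ok := d.groupPerms[group]
	if !ok {
		return fmt.Errorf("unknown group %q", group)
	}
	set[p] = true
	return nil
}

// AddMember places a user in a group; membership is the only per-user state.
func (d *Directory) AddMember(user, group string) error {
	if _, ok := d.groupPerms[group]; !ok {
		return fmt.Errorf("unknown group %q", group)
	}
	if d.membership[user] == nil {
		d.membership[user] = make(map[string]bool)
	}
	d.membership[user][group] = true
	return nil
}

// Allowed answers an access check by walking the user's groups. An unknown
// user has no groups and is therefore denied (fail closed).
func (d *Directory) Allowed(user string, p Permission) bool {
	for g := range d.membership[user] {
		if d.groupPerms[g][p] {
			return true
		}
	}
	return false
}

// Effective returns the sorted union of a user's group permissions, which is
// what an auditor reviewing a role assignment would want to see.
func (d *Directory) Effective(user string) []Permission {
	seen := make(map[Permission]bool)
	for g := range d.membership[user] {
		for p := range d.groupPerms[g] {
			seen[p] = true
		}
	}
	out := make([]Permission, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

func main() {
	d := NewDirectory()
	d.DefineGroup("analysts", "read:logs")
	d.DefineGroup("responders", "read:logs", "isolate:host")
	d.AddMember("alice", "analysts")
	d.AddMember("bob", "analysts")
	d.AddMember("bob", "responders")
	fmt.Println("alice can isolate host:", d.Allowed("alice", "isolate:host"))
	d.Grant("analysts", "read:alerts") // one change, every analyst gains it
	fmt.Println("bob effective:", d.Effective("bob"))
}
```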
Data Hiding
Data hiding refers to the intentional act of preventing data from being discovered or accessed by unauthorized subjects. This involves placing data in secure compartments that are not visible or accessible to certain subjects. Data hiding ensures that sensitive information is only available to authorized individuals or processes.
In multilevel secure systems, data hiding ensures that data at different security levels remains isolated from processes running at other levels. Unlike security through obscurity, which relies on keeping information secret in hopes that it won’t be discovered, data hiding actively enforces security by restricting access based on defined policies.
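The following added example (not from the original page) implements the isolation described above as a small lattice of levels and compartments: a subject may read an object only when the subject's label dominates the object's, listing only shows objects the subject is cleared for, and a denied read returns the same error as a missing object so the denial itself does not reveal that the hidden data exists. The object names, contents and compartment names are assumptions chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Level is a linear classification; higher values dominate lower ones.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

// Label pairs a level with a set of compartments; together they form the
// lattice that decides what a subject may see.
type Label struct {
	Level        Level
	Compartments map[string]bool
}

func NewLabel(l Level, comps ...string) Label {
	set := make(map[string]bool, len(comps))
	for _, c := range comps {
		set[c] = true
	}
	return Label{Level: l, Compartments: set}
}

// Dominates reports whether a subject labelled a may read an object labelled
// b: a's level is at least b's and a holds every compartment b requires.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

type object struct {
	name  string
	label Label
	data  string
}

// Store holds labelled objects. Every read and listing is mediated through
// the subject's label, so data above the subject's clearance stays hidden.
type Store struct{ objects []object }

// ErrNotFound is returned both for objects that do not exist and for objects
// the subject is not cleared for, so a denial does not reveal existence.
var ErrNotFound = errors.New("object not found")

func (s *Store) Put(name string, label Label, data string) {
	s.objects = append(s.objects, object{name: name, label: label, data: data})
}

// List returns, sorted, only the names the subject is cleared to see.
func (s *Store) List(subject Label) []string {
	var names []string
	for _, o := range s.objects {
		if subject.Dominates(o.label) {
			names = append(names, o.name)
		}
	}
	sort.Strings(names)
	return names
}

// Read returns the data only when the subject's label dominates the object's.
func (s *Store) Read(subject Label, name string) (string, error) {
	for _, o := range s.objects {
		if o.name == name && subject.Dominates(o.label) {
			return o.data, nil
		}
	}
	return "", ErrNotFound
}

func main() {
	var s Store
	// Constructed objects and labels; names and contents are assumptions.
	s.Put("budget", NewLabel(Confidential), "FY budget figures")
	s.Put("ops-plan", NewLabel(Secret, "OPS"), "deployment timeline")
	s.Put("sigint", NewLabel(TopSecret, "CRYPTO"), "intercept summary")

	analyst := NewLabel(Secret, "OPS")
	fmt.Println("analyst sees:", s.List(analyst))
	_, err := s.Read(analyst, "sigint")
	fmt.Println("analyst reading sigint:", err)
}
```

Returning one error for "absent" and "not cleared" is the part that separates data hiding from mere access denial: the Secret/OPS analyst cannot even learn that a Top Secret object named `sigint` exists.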
Encryption
Encryption is the process of transforming readable data (plaintext) into an unreadable form (ciphertext) that can be reversed only by someone holding the corresponding key; cryptography is the science behind it. It should be applied to data in transit (communications) and to data at rest (storage) wherever sensitive information is handled. Encrypted data that is intercepted or stolen remains unreadable without the decryption key, provided the algorithm and mode are sound and the key itself is kept out of the attacker's reach.
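The following added example (not from the original page) shows the property the paragraph describes using AES-256-GCM from the Go standard library: a record is encrypted under a random key, the ciphertext does not contain the plaintext, and decryption with the wrong key, the wrong associated data or a modified byte fails outright instead of yielding garbage. The sample record and the associated-data string are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random nonce is prepended to
// the output; aad is authenticated but not encrypted (e.g. a record id).
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// ErrCiphertext is returned when the input is too short to hold a nonce.
var ErrCiphertext = errors.New("ciphertext too short")

// Decrypt reverses Encrypt. A wrong key, wrong aad or any modified byte
// fails the GCM tag check and yields an error rather than garbage plaintext.
func Decrypt(key, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, ErrCiphertext
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], aad)
}

// Leaks reports whether the ciphertext contains the plaintext verbatim, the
// check an interceptor would in effect be making.
func Leaks(ciphertext, plaintext []byte) bool {
	return bytes.Contains(ciphertext, plaintext)
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; the content is an assumption for the example.
	record := []byte("patient 4711: blood type O-")
	ct, err := Encrypt(key, record, []byte("record-4711"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes) leaks plaintext: %v\n", len(ct), Leaks(ct, record))
	if _, err := Decrypt(key, ct, []byte("record-9999")); err != nil {
		fmt.Println("decrypt with wrong associated data:", err)
	}
}
```

The associated data binds the ciphertext to its context (here a record id), so a ciphertext copied from one record into another fails to decrypt even though the key is correct; that is a property of the authenticated mode, not of encryption alone.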