Information Security

by Andy Taylor

What is layered security and do I need it?

Layered security is a term that has come to prominence within recent years, but the concept has been around for millennia. When primitive tribes built their homes, they might select a prime position on the top of a hill with commanding views, adding a defensive ditch or palisade for additional protection. They might then build earthworks to provide additional obstacles for any potential attackers. Any potential attacker would have to deal with the many obstacles put in their way – layered security – not to mention ferocious warriors.

In today’s more technical world, the types of layer may have changed, but the principles have not. The available defences are many and varied, falling into one of the three main categories discussed in detail elsewhere – physical (the locks, doors, fences and similar physical barriers used), technological (the firewall, CCTV, electronic accesses systems and the like) and people or procedural (policies, rules, best practice, training and similar people-based measures.)

How many layers do I need?

As with ancient people, it depends on the attackers you face. If the only threat is from staff in whom the senior management have implicit trust, the number of layers could be very few, perhaps even just one. On the other hand, if it is the full force of the threats from the World Wide Web that are a concern, it would be sensible to use many layers of different types and several different mechanisms. It is all back to the threat analysis and the potential damage that could affect the organisation (see Is information security really a problem?).

Variety is often classed as one of the layers and it may well be that the best possible combination is a physical barrier, followed by some technical protection, with the ultimate protection of the threat of dismissal for staff who do what they know they should not do.

Nor is it necessary to have the same or similar numbers of layers to protect all the assets of an organisation. You can reduce the overall cost if you decide it is only necessary to protect the especially valuable assets with expensive measures, while other areas can be protected more cheaply. In some areas, a simple fence with locked gates might be adequate protection, while secure rooms, with fingerprint-reader locks, passwords and two-factor authentication might be necessary elsewhere.

What is the overall effect?

Naturally, the required overall aim is to install effective degrees of security in a cost-effective way. The key point behind layered security is that appropriate degrees of security are used to protect different information assets. This is a cost-effective and pragmatic approach to protecting assets without unnecessary duplication. It also means there is always the option of increasing or decreasing layers of security if they are proven inappropriate. Individually, the layers are often relatively cheap, so additional layers can be added at comparatively small cost if the need arises.

Must I use encryption?

Perhaps the answer is not too surprising: it depends whether the threat and impact are appropriately high. Encryption is simply a means of disguising the message being sent or the information that is stored so that, should anyone gain inappropriate access to it, they are unable to decipher it. It is usually information in transit – emails and the movement of sensitive information from one place (physical or logical) to another – that may need to be encrypted.

There is now a wide range of encryption techniques, from the comparatively cheap and easy, such as the use of the widely-available Secure Sockets Layer (SSL), through to the very expensive and high-quality encryption used by, for example, secret services around the world. The system required by your business may not need to be particularly complex or expensive. Naturally, for the more complex and secure systems you may well need specialist advice – there is little worse than a poorly-implemented system that has more security loopholes in it than a string vest while instilling a false sense of security.