Layered security has long been a significant element of many organizations' security strategy. In an IT context, layered security means protecting digital assets with several layers, each layer providing an additional defense. The goal is simple -- to make it much harder for a hacker to get through a network perimeter and into a network. Even if a hacker managed to breach one layer of security, all the data and resources inside the network remain safely guarded by the other layers of security which are in place.

While the concept is easy to explain, it isn’t without its pitfalls - namely, layered security only focuses on protecting the network perimeter. More specifically, the layered security approach operates on the assumption that any individual who is within the network is, by definition, a trusted insider. As a result, once a hacker gets inside the network, there’s nothing stopping them from moving laterally throughout the network, accessing valuable data and resources. No matter how many layers of security protect the network perimeter, the network is vulnerable to malicious agents who get in.

This wasn’t as major an issue in the days when workers worked from the office, and software ran and data was stored on the corporate network. The only way into the network was through the perimeter, so layered security was (mostly) good enough. However, as organizations increasingly move resources and apps to the cloud, leverage SaaS applications, and adopt remote work, this “network perimeter” has been altered beyond recognition. Rather than a simple moat around a castle where the treasures are kept, the virtual network perimeter comprises diverse access points, which hackers can penetrate in myriad ways. Some users work onsite, and others work from remote locations; some resources may be stored onsite, and others in the cloud. This creates new security challenges and complex access requirements.

Due to these changes, layered security is no longer considered to be the optimal security strategy that it once was. However, many individual elements of layered security are as important as ever and have been adapted, extended and combined with other strategies to better suit today’s ever-changing cybersecurity landscape.

Let’s find out more about layered security, and see how it is changing to support a comprehensive security strategy.

Layered security is somewhat similar to the security approach portrayed in classic "heist movies," where a team of burglars must get past obstacle after obstacle, each one providing its own challenge, before they finally manage to gain access to the valuable jewels and make off with them into the night. The first layer of security might be the locked doors and windows on the building's exterior, while the second layer would be intrusion detection systems, such as the alarms on all of the doors and windows, which detect if someone manages to unlock the doors and get past that first layer. The guards inside the building represent yet another level of security, as do the video cameras monitoring the rooms. In addition, in the movies, there are fancy laser beam detectors surrounding the case where the jewels are kept, and then a final layer to get past - the motion detector that issues an alarm if the jewels are moved from their place. For the burglars to get their prize, it's not enough to defeat one layer - they have to get past all of the many layers of security protecting the jewels.

Layered security is also known as 'defense in depth', a term borrowed from the military tactic with the same name. In a war, an army might choose to concentrate all of its forces along the front, so that it's as well defended as possible. The danger is that if the enemy concentrates its forces and breaks through the front in one spot, there are no further defenses protecting the area behind. With defense in depth, some defensive resources - troops, fortifications, weapons - are further back, so that if the front is breached, there are still troops and materiel available to stop the enemy advance. In the military context, even if less concentration in the first level makes it easier for the enemy to make an initial breach, they can be ultimately stopped more easily because their losses will continue to grow as they continue to try to work their way toward the goal.

Another classic example of defense in depth is the "concentric castle" model. A castle may be protected by an outer wall, then a moat, then a higher and more heavily fortified inner wall.

In the IT environment, layered security provides defensive redundancy. If one layer of security fails, another layer keeps the system and its data secure. To get through to the data, a threat has to infiltrate every level of security.

The layered security approach typically involves three main types of security controls.

Administrative controls

Administrative controls consist of policies and procedures put in place by an organization to minimize vulnerabilities and to prevent users within the company from accessing information they are not authorized to access. Some layers of administrative controls could include:

Making sure that only current employees have user accounts, by putting a procedure in place to close an employee's account on the network in the event that someone leaves the company.

Putting detailed policies and procedures in place to ensure that all employees take the mandated steps required to secure corporate data, especially sensitive data.

Implementing role-based access control, which enables employees to only access the actual data that they need to do their own jobs. See our article on access control for more information about different access control schemes.

Minimizing the use of privileged accounts, such as administrator accounts, and placing additional restrictions on their use.

Physical controls

Physical controls are another crucial aspect of the layered approach. These include anything that prevents actual physical access to the IT system. For example:

Physical doors with locks in any area with computer equipment.

Fingerprint scanners for access to areas with computer equipment, and/or for logging into the system.

CCTV footage as a deterrent and to alert security to any possible cyber threats.

Security guards to monitor the area.

Gates to prevent easy access to the site.

Layers of physical controls could be the types of things described in the heist movie example - the multiple layers of protection that prevent the burglars from gaining access to the jewels.

Technical controls

These controls include software and hardware-based information security solutions that prevent unauthorized access to the IT network. A combination of different hardware and software solutions provide the best protection from a wide array of cyber threats. Layers of technical controls could include the following:

Securing authorization

• Requiring users to use strong passwords that are difficult to guess or crack using password cracking tools.
• Two factor authentication or multi-factor authentication (2FA/ MFA) to further verify the user's identity by using multiple devices to login.
• Biometric authentication to ensure a user's identity through the use of facial recognition or fingerprint scanning, for example.

Preventing infections from malware and similar threats

• The first layer might be from the administrative realm - educating users not to click on suspicious links on the web, or open suspicious files that are sent to them by email.
• The next layer could be conventional detection-based anti-virus and anti-malware software.
• An additional layer would be adding Remote Browser Isolation, so that if a user did click through to an infected site, damage would be contained away from the endpoint machine.
  
  

Data security

• Securing the network behind a firewall, which can be implemented as either a hardware or software solution, depending on the network infrastructure.
• Encrypting data servers, to protect data even if a bad character manages to access the server.
• Encrypting emails as an additional layer, to prevent information sent via email from being intercepted and compromised by an unknown third party.
• Following best practices for remote access can be an additional layer of protection that closes a vulnerability often exploited by hackers. For more information, see our article Virtual Computing as a Security Solution.

The three types of controls described above are designed to provide protection at the network perimeter. As mentioned previously, perimeter-based network security is no longer adequate, as organization resources are today distributed among internal servers, private clouds, public clouds and the web. With users accessing resources from many locations, the number of entry points into organization networks has increased exponentially. It is easier for hackers to breach the network perimeter and once in, they are able to move through the network and access all resources and data. So, instead of focusing on controls at the perimeter, organizations are looking towards the new gold standard of network security, the zero-trust approach, to combat this problem.
With the zero-trust approach, microsegmentation is used together with identity and access controls, to prevent individual resources from being accessed by hackers and malicious insiders alike. Least-privilege access ensures that users can only access the specific data and apps they need, and once inside the network, they are no longer able to move freely through it. At every ‘microperimeter’ that surrounds data, resources, and apps, whether on premise or in the cloud, security controls are in place, and the user must re-authenticate before gaining access. So, in effect, today’s perimeters are one-to-one, enabling specific users to access only their permitted individual resources, as opposed to one large perimeter surrounding the entire network. The layered security approach has evolved and transformed in response to the adoption of zero-trust. Many of the controls described above, as part of traditional perimeter-based layered security, have been adapted and broadened and integrated to suit the needs of today’s complex networks, and remain an important part of general security strategy.

Administrative controls, such as role-based access control, are very much a part of securing the microperimeters of apps and network resources. In the case of zero-trust, granular access controls grant access to individual resources, as opposed to larger areas of the network.

Physical controls remain as important as ever. As long as companies have their own physical resources, there is still a need to protect them from unauthorized physical access.

Technical controls also include many solutions that are now leveraged as part of a more detailed approach, and focus on sealing gaps within the network and between resources in the network, instead of focusing on protecting the full network perimeter. Multi-factor authentication remains crucial, and is used to protect each microperimeter. Especially relevant for remote workers, MFA allows for secure user identification from any location.

Layered security was once the primary approach to protecting networks. This approach is no longer sufficient, and security teams now depend on zero-trust models that provide better protection for today’s complex and dynamic networks. Along with sophisticated new controls designed for cloud-based security, the legacy controls that were previously deployed as part of a layered security approach have been updated and integrated into zero-trust platforms, to protect distributed networks and resources, in tune with the modern, granular approach to access and authentication.

To learn how Ericom security solutions can strengthen your security strategy, contact us.

For more information about Layered Security, see these blog posts:

Choosing the best enterprise malware protection for your business

Keeping the Zero Trust Picture for Businesses in Focus