Layered security is the principle that no single security device or control is responsible for the overall security of the system. In this methodology, there is no single point of failure that would expose an organization’s sensitive data or infrastructure. Implementing a layered security approach will help to protect an organization’s assets and secure their environment.
What is Layered Security?
Layered Security uses multiple layers of security technologies so that if one layer of security is breached or fails, additional security controls are in place to prevent an intruder from gaining access to the network or systems. Layered security can be a mix of Administrative, Technical, and Physical controls. Below are some examples of layered security controls that organizations can implement to enhance the security of their environment:
- Policies & Procedures: Policies and Procedures are critical to an organization to ensure employees understand what behavior is acceptable and define the processes and controls that must be followed throughout the organization.
- Role Based Access Control: Implementing role based access control ensures that users are provided access to systems based on a need-to-know approach, which helps to protect systems from unauthorized access.
- Security Awareness Training: Employees should be properly trained in how to recognize and respond to security threats to the organization.
- Firewalls: Firewalls are a critical line of defense in protecting your network. Implementing strong ACLs which restrict inbound and outbound traffic to that which is necessary is imperative to securing an environment from unauthorized access. Firewall rules should be reviewed on a regular basis to ensure only those rules which are necessary are in place.
- Intrusion Detection/Intrusion Prevention Systems (IDS/IPS): IDS/IPS solutions analyze inbound and outbound traffic and compare that traffic to known signatures or patterns for the detection and prevention of intrusions into an environment. In combination with a firewall that allows only the necessary ports and protocols from the internet, this layered security approach helps protect your network infrastructure.
- Endpoint Security: Endpoint security controls help protect against data exfiltration as well as virus and malware infections across the network. Examples include anti-virus/anti-malware solutions, endpoint protection, DLP, and email/disk encryption.
- Data Encryption: Data encryption can greatly reduce the risk of data compromise by rendering the data unreadable. Even if the data is breached, only authorized personnel holding the secret key or password have the ability to decrypt the data.
- Zero Trust Architecture: NIST SP 800-207 Zero Trust Architecture focuses on users and assets. Access is not granted to assets or users based on their physical or network location. Multiple layers of authentication and authorization must occur for users to be ‘trusted’ to access the network. Examples include multi-factor authentication, least privilege principles, and microsegmentation solutions.
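The firewall item above calls for rules to be restricted to necessary traffic and reviewed regularly. The following is an added example, not code from the article or from MegaplanIT, of what such a review can look like in practice: it compares a ruleset against a documented list of approved services and flags allow rules that fall outside it. The Rule format, the sample ruleset and the approved-service list are constructed for illustration.

```python
# Added example (not from the article): flag firewall allow rules that are
# broader than a documented list of necessary services. The Rule format and
# the sample ruleset are constructed; real exports need a vendor parser.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "inbound" or "outbound"
    action: str     # "allow" or "deny"
    src: str        # source CIDR; "0.0.0.0/0" means any address
    dst_port: str   # "443", "1000-2000" or "any"
    protocol: str   # "tcp", "udp" or "any"

def is_any_network(cidr: str) -> bool:
    """True when the CIDR covers the whole address space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def review_rules(rules, approved):
    """Return (rule name, reason) for each allow rule outside the approved set.
    approved maps (direction, protocol, port) -> justification string."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules narrow exposure; nothing to flag
        if is_any_network(r.src) and r.dst_port == "any":
            findings.append((r.name, "allows any source to any port"))
        elif (r.direction, r.protocol, r.dst_port) not in approved:
            findings.append(
                (r.name, f"{r.direction} {r.protocol}/{r.dst_port} not approved"))
    return findings

# Constructed sample ruleset and approved-service list.
SAMPLE_RULES = [
    Rule("web-in", "inbound", "allow", "0.0.0.0/0", "443", "tcp"),
    Rule("legacy-any", "inbound", "allow", "0.0.0.0/0", "any", "any"),
    Rule("rdp-vendor", "inbound", "allow", "203.0.113.0/24", "3389", "tcp"),
    Rule("dns-out", "outbound", "allow", "0.0.0.0/0", "53", "udp"),
    Rule("default-deny", "inbound", "deny", "0.0.0.0/0", "any", "any"),
]
APPROVED = {
    ("inbound", "tcp", "443"): "public HTTPS",
    ("outbound", "udp", "53"): "DNS resolution",
}

if __name__ == "__main__":
    for name, reason in review_rules(SAMPLE_RULES, APPROVED):
        print(f"{name}: {reason}")
```

Every finding is either a rule to remove or a service to add to the approved list with a written justification, which is what turns an ad hoc review into a repeatable control.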
Physical Security Controls
Physical security controls should be in place to protect physical access to systems and the facilities where they reside. By implementing a layered security control approach such as security guards, cameras, locks, and badge readers, organizations can reduce the risk of unauthorized physical access to sensitive areas.
How does Layered Security Contribute to Compliance?
Layered security is built into many standards such as ISO, PCI-DSS, CTPRA, and NIST. While each standard has its own set of controls, all require the common practice of implementing multiple layers of security controls within the environment to protect sensitive data. No matter which standards your organization must comply with, the process for achieving and maintaining compliance is generally the same: perform an assessment against the current controls, identify gaps and potential risks, and then remediate any findings.
How can MP help?
MegaplanIT offers a broad variety of compliance services to enhance your security posture. We have a qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants with decades of experience in performing security assessments, penetration testing, and compliance services. We can assist your organization with implementing layered security controls to help you become and stay compliant.
As a Managed Security Service Provider, we deploy and manage a range of security solutions such as anti-virus, file integrity monitoring, intrusion detection, and log aggregation to meet compliance requirements and improve the security of your infrastructure.