Defense in depth is a security mantra, usually for very good military security and information security reasons. However – defense in depth may be a very bad idea, if your fundamental assumptions are wrong or you get blinded by security technology.
The sin of wrong assumptions
In the defense space – we can learn from military history that incorrect security assumptions carry a high price tag.
The 1973 Yom Kippur war that resulted in a stunning Israel victory but cost 2,800 Israeli lives, and the recent American war in Iraq, that yielded little benefit for the cost of over 30,000 American lives are both illustrations of conceptual mistakes in security strategy.
Neither defense in depth (the Bar Lev line) nor military campaigns for democracy (the Iraq war) were a match for arguable security assumptions (the Arabs are deterred by Israeli military superiority (they weren’t), Americans can combat terror with conventional armies (no you cannot).
The sin of techno lust
In the business space it’s easy to get seduced by sexy security technologies but implementing too many security technologies will increase operational risk of information security instead of achieving defense in depth.
Why is this so?
Reason 1 : More security elements tends to increase risk instead of improving defenses
Adding more network security elements tends to increase the total system risk, as a result of the interaction between the elements and increased system complexity and resulting inability to maintain the systems properly.
For example – companies that attempt to prevent data loss with more user access lists, enterprise DRM , firewalls and proxies experience an inflation of ACLs, end point application software (that needs to be deployed and maintained), firewall rules that may be outmoded and clients that bypass the proxies.
A company may feel more secure while in practice they are less secure – with dormant accounts, shared passwords, excessive access rights, orphan accounts, redundant accounts, dormant users, underutilized accounts, abuse of administrator access, backdoor access and … paying more for the privilege.
Reason 2 – Product features do not mitigate threats
Many companies tend to spend a disproportionate amount of their time evaluating product features instead of performing a business threat analysis and selecting a short list of products that might mitigate the threats. I first realized this when I paid a sales call on the CSO of a large bank in Israel and his secretary told me that the CSO meets 3-5 vendors/day. It’s nice to be wanted, but 5 years later – the bank still does not have a coherent data security policy, encryption policy nor data loss prevention capability.
Focus on features and vendor profiles results in installing a product without understanding the return on security investment. After selecting a security product based on marketing and FUD tactics and then implementing the product without understanding how well it reduces value at risk – the customer (not the vendor) pays for ownership of an inappropriate solution in addition to paying for the damage caused by attackers who exploit the unmitigated vulnerabilities.