Understanding Defense in Depth

Published: June 11, 2008


By Kai Axford, CISSP, a Senior Security Strategist with the Microsoft Trustworthy Computing Group. A nine-year Microsoft veteran, Kai is responsible for discussing and recommending security solutions for both private- and public-sector organizations. His popular 2008 Defense in Depth webcast series is one of the highest-rated webcasts at Microsoft.

See other Viewpoint articles.

Understanding Risky Business

I spend a great deal of my time flying around the world talking to IT and business people about information security. It never ceases to amaze me when I hear some overpaid “security expert” spend hours detailing how complicated security is. It’s not. Security can be summarized in two simple words: Risk Management. It’s not about risk elimination, it’s about risk mitigation.

Before we jump in with a bunch of security jargon, I want you to really think about this concept. If you don’t understand risk, you won’t understand security, and if you don’t understand security, then the concept of Defense in Depth will be meaningless to you. Risk is the big picture. There are plenty of methodologies out there to assess risk. Sure, it’s a lot to ask for you to understand things like asset valuation, annual loss expectancy, ROI, etc., but we need to truly understand risk before we can move on.

Figure 1. Overview of the Microsoft Defense in Depth Model

Figure 1. Overview of the Microsoft Defense in Depth Model

Layer 1 Policies, Procedures, and Awareness (All Bark and No Bite)

As we consider the model in Figure 1, I’d like you to think about the importance of Defense in Depth. We all remember the great movie trilogy Lord of the Rings, when the bad guys were storming the castle. The defenders were able to use a defense-in-depth model to keep the attackers at bay. The attackers would break through one wall, and the defenders would retreat behind another. Same thing applies here! The first and best investment you can make is around Layer 1: Policies, Procedures, and Awareness. I’m talking about the establishment of some good written security policies and practices such as a companywide Acceptable Use Policy. Most important of all, it’s about actually enforcing the policies you create. Users quickly realize if you’re policy is all bark and no bite. Get executive support for your policy, and this will help with any enforcement issues. If you have policies that aren’t being enforced…toss them out. They’re not worth the paper they’re written on.

One of the best “bangs for the buck” (a.k.a. Return on Investment for our business friends) in the world of computer security is a strong and creative security awareness campaign. Users quickly forget the lessons learned during the “annual security training,” so make it something they’ll remember. Contests, quizzes, prizes, newsletters, funny videos -- these are only a few of the things you can do on a tight budget. Bean counters got you running pretty lean? Have you taken a look at the Microsoft Security Awareness materials you can get for free?

Layer 2: Physical Security (Gates, Guards, and Guns)

Physical Security. It’s a layer that we as IT people tend to overlook. We don’t really have a warm fuzzy for things like IP video surveillance and magnetic locks and man traps (that’s a real word…look it up). But that doesn’t make this layer any less important. All those PKI, IPSec, multifactor authentication technologies don’t mean a thing if I can pick up your domain controller and put it in my truck. How many times has a laptop been stolen in your company? Did you know that every year at the big hacker convention in Las Vegas, DEFCON, the lock-picking contest is one of the most popular? Why is that?

As physical security and technology start to get more integrated, it’s important that we understand how each works. This discussion of “convergence” is getting a lot of buzz. The physical security guys are running IP video surveillance, and these bits now traverse your network. Same goes for building access logs that get stored on your servers. The concept of physical security is one that we need to become more aware of in our roles. Spend some time and talk to the people who work in this area. Find a local chapter of the American Society for Industrial Security (ASIS) and check out a meeting. You won’t find more expertise on this topic in one place anywhere else. Bonus: Microsoft and ASIS just signed a partnership agreement, because we know how important having a good understanding of physical security is to you.

Layer 3: Perimeter Security (Living on the Edge)

I’m not going to go into the Microsoft sales pitch about the beauty of such technologies as Intelligent Application Gateway (IAG) 2007 and Internet Security and Acceleration Server 2006. You know what those things do, and they are critical to protecting the perimeter. I want you to think outside the box for a moment and consider, if you will, what would happen if we simply got rid of our perimeter altogether? What if we could even do away with things like VPNs (which reduce the effectiveness of your firewall by opening ports) and RAS connections? This idea is one that is getting a lot of interest, especially with groups like the Jericho Project.

Look seriously as Microsoft starts to move towards this new idea of Access Anywhere. With the adoption of new technologies like IPv6, where we can have a single IP address for every device in the world, there will come a day when your corporate policies will be enforced no matter where that corporate laptop is, because it will always be connected to the domain, not just when the remote user needs to get to the file server. A world where IT administrators can control all corporate assets so long as it’s turned on and connected to the Internet? It brings a tear to my eyes it’s so beautiful.

Layer 4: Network Security (Protecting Your House)

It was a whole new day in computer security the day that someone connected two computers together via a cable. Of course, it increased productivity, but it also increased risk. One way to secure the network is by restricting who can talk to whom. One of the best ways to do this is to use a technology I hinted at previously: IP Security, more widely referred to as IPSec. IPSec is simply a mechanism that allows O/S to talk security through an encrypted channel. IPSec has essentially two modes: Transport Mode, which is used for end-to-end connections, and Tunnel Mode, which is used for portal-to-portal connections. IPSec is built into IPv6 and is optional for IPv4. By using IPSec we can ensure that only specific machines, all using the same encryption key, can talk to one another. We can also ensure that machines without this key are not allowed to talk to machines with it. This allows us to isolate trusted domain member computers from untrusted devices at the network level. It also allows trusted domain members to restrict inbound network access to a specific group of domain member computers. The best part -- This stuff is available now! Are you using it? Why not??

Layer 5: Host Security (Save the Box, Save the Network)

You’d be crazy not to be protecting the actual servers that run your business-critical applications. I’m not going to preach to the choir here. Let me tell you about a little thing that concerns me in this area, however. It’s the concept of virtualization security. There’s a big push nowadays to roll out some virtualization solutions in an effort to consolidate servers. Great idea. We cannot overlook the importance and necessity to secure the virtual machines (VM) and the host machines they reside on. I’ve heard a bunch of incorrect assumptions like “If the host is secure, the VM is secure” and other such fairy tales. With regard to security, you need to treat these virtual machines like physical servers. That means running antivirus inside the VM. That means using ACLs to lock down who can modify the config files. That means being aware of the threat landscape with regard to virtualization.

Layer 6: Application Security (If You Build It…Securely, They Won't Come)

In case you haven’t heard, it’s getting harder and harder to pull off successful attacks against operating systems and commercial off-the-shelf software. The fact of the matter is that methodologies for developing code securely, like our Security Development Life Cycle (SDLC), are paying off, and more and more vendors are starting to implement this or similar techniques. What are attackers to do? Simple. They start to target your custom-built, in-house applications that your Devs have written with security being an afterthought, or worse, choosing to simply throw in a little “username and password” feature just before they roll out the new application companywide.

If your Dev team is not implementing some sort of secure coding methodology within your own company, it’s not a matter of if you’ll be breached, it’s a matter of when.

Layer 7: Data Security (If Your Terabyte Falls in the Middle of the Active Directory Forest…)

We’re coming to the end of an amazing journey, but this last step is probably the most critical. Our key mission is Data Protection. So what are you doing to secure the data? One of the easiest things you can do is implement some sort of encryption strategy for your data. The use of technologies like BitLocker for domain controllers and road warriors is so obvious I hesitate to mention it -- until, that is, I read about yet another company that suffered a breach…and failed to encrypt. Do you know that some state breach laws actually limit your company’s exposure if you properly encrypted the data? Tell that to the CEO and I bet he has some love for encryption. Encryption is simply too easy to implement to ignore and, given the diverse threats and attacks that exist, it just makes sense.


Defense in Depth is a crucial model for implementing effective information security. I’ve attempted to summarize some of the important aspects of the Defense in Depth model for you in this short space. Because the details of such a diverse model are what make it successful, I have put together a series of eight webcasts on this topic. I would encourage you to watch them because they go into much more depth on each aspect of this concept -- in what we think is a lighthearted and enjoyable manner. I hope you enjoy them as much as we did making them.