Protection in Depth, Defence in Depth & Security in Depth

Protection in Depth & Defence in Depth are interrelated yet distinct approaches in a security plan.

Security in Depth & Defence in Depth are often thought of synonymously. But they are separate conceptions in a physical security program.

Protection in Depth

The application of security measures or controls is defined as a physical, psychological, procedural, technical or other device that performs or contributes to one or more security functions is achieved through the demarcation/ division of physical space or rings of protection. Such rings are considered in the traditional sense of Protection in Depth, generally referred to as the onion ring model.

Protection in Depth involves several distinct measures an adversary must defeat in sequence & considers the avoidance of single point failure in any protection plan. Such an approach potentially incorporates multiple detection constituents, multiple delay measures & multiple response capabilities which can be implemented for protecting the movement of unauthorized activity across a single security zone, or multiple security zones. Within controlled or restricted spaces or zones, entry is based on valid reasons rather than desire.

The concept of security layers being provided by combining controls measures which contribute to reducing security threat capabilities at that layer through their ability to deter, or detect, delay & respond to attempts of unauthorized access. This approach is effectively used in many facility designs. However, sections within restricted zones may require additional access control authorizations.

The security zoning principle highlights the clear distinction between a security control & a security layer. A security layer refers to the implementation of a set of controls which can potentially stop a defined event from occurring or can eliminate its harmful consequences. In the protection of a facility there may be 2 means of detection & 1 means of delay coupled into a layer separating 1 access zone from another. Detection constituents may include intrusion detection technologies & procedural security to detect the unauthorized movement of people across an access zone, or an x-ray machine & an explosive trace technology aimed at detecting contraband moving across a secure zone through a manned checkpoint.

There exists a potential requirement to consider the necessity of a high probability of interruption & neutralization at each zone. Therefore, the probability of interruption must be calculated from the detection, delay & response variables as a combined system output for individual zones.

Defence in Depth

The concept of defence in depth is no different from physical security, such as that used for a building or to start work in an office environment. Building security has many layers, some of which may be considered redundant:?

1. An employee uses a key card to enter the building.?
2. A security guard keeps watch in the lobby.
3. Security cameras record all movements in the lobby, on each floor & in the elevator.
4. Once arriving at her floor, an employee must use her key card to open the door to the office floor.
5. Once at her desk, the employee turns on her computer & enters her password & 2FA to log in to the company network.

Security in Depth states that many layers are needed because it is difficult to build the perfect layer & different layers are more effective against different threats. This strategy leverages on multiple security measures to protect an asset. Here, the thinking is that if 1 line of defence is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defence in depth addresses the security vulnerabilities inherent not only with hardware & software but also with people, as?negligence or human error?are often the cause of a security breach.?

Internal sabotage or internal threats are normally more dangerous than external risks. An employee gone rogue may know which organizational data is most valuable & where and how it is stored. Technology layers that combat only external risks will do nothing to prevent that individual from pilfering information & inflicting serious harm. Layering firewalls, intrusion detection systems, & many other network security tools will not reduce the exposure to the risk posed by an insider. Adding more & more layers that address similar risks will not make the situation any better.

Defence in Depth articulates that for security to be effective in controlling access to an asset, area or security zone, there must be a means of detecting, delaying & responding to adversary attempts to gain unauthorized access. Therefore, interruption & neutralization must occur prior to successful zone crossing. However, this strategy is often required across multiple layers of controls where some trusted insiders may have access to some areas, but not all areas within a protected site. In such instances, access is usually granted based on role & security clearance.

In separating security zones, there must be a means of detecting, delaying & responding to threats of unauthorized access across all zones within a security context. Depending on the risk, such separation may include multiple detection constituents, multiple delays & multiple response control measures interrelated as a system for each zone, forming a security layer between zones.

Defence in depth, layered security architecture

Physical controls?– These controls include security measures that prevent physical access to IT systems, such as security guards or locked doors.

Technical controls?– Technical controls include security measures that protect network systems or resources using specialized hardware or software, such as a firewall appliance or antivirus program.

Administrative controls?– Administrative controls are security measures consisting of policies or procedures directed at an organization’s employees.

Whilst Defence in Depth supported by Protection in Depth secure individual & multiple security zones within a facility, they refer to the elements of a physical protection systems. However, security & security zoning must also consider the existence of threats, which can be manifested against information technology infrastructures once physical access has been gained within a security zone. The vulnerabilities of building management systems (BMS) to logic-based attacks which, once physical access has been gained, can be manifested within a security zone against an asset in a different security zone. Security risk may be minimized by maximizing the effectiveness of any 1 security layer, where several security functions are entwined to achieve a specific security layer

Security in Depth is the sum of all security layers, physical & logical which stands between an adversary & a protected target, & is therefore separate to, rather than synonymous to Defence in Depth.

-----------------------------

Endro Sunarso is an expert in Security Management, Physical Security & Counter Terrorism. He is regularly consulted on matters pertaining to transportation security, off-shore security, critical infrastructure protection, security & threat assessments, & blast mitigation.

Besides being a Certified Protection Professional (CPP?), a Certified Identity & Access Manager (CIAM?), a Project Management Professional (PMP?) & a Certified Scrum Master (CSM?), Endro is also a Fellow of the Security Institute (FSyl) & the Institute of Strategic Risk Management (F.ISRM).

Endro has spent about 2 decades in Corporate Security (executive protection, crisis management, critical infrastructure protection, governance, business continuity, loss mitigation, due diligence, counter corporate espionage, etc). He also has more than a decade of experience in Security & Blast Consultancy work, initially in the Gulf Region & later in South East Asia.