When Maurice the Engineer, royal engineer to King Henry II of England, built Dover Castle in the late 1100s, he focused not just on grandeur but on the security of its architecture. In medieval times, castles were the backbone of power, so they had to withstand assaults from enemies. Maurice designed a castle with multiple layers of defense based on a concentric castle design, i.e. a castle within a castle.
Maurice’s design consisted of an outer ditch or moat surrounding the entire castle, followed by an exterior wall and a fence of stakes. The inner walls were built higher than the outer walls so that archers could fire arrows over the heads of the soldiers defending the outer walls. If an enemy broke through the exterior wall, there was still another wall to penetrate. At the heart of the castle was the tower, also known as the “keep”; in Dover’s case it was a formidable 83-foot-tall, 100-square-foot Great Tower with walls up to 21 feet thick.
This architecture effectively protected its inhabitants from multiple sieges, including one by Prince Louis of France that lasted almost three months.
This architecture, in many ways, exemplifies the philosophy behind defense in depth. The ideal castle design had multiple layers of defense (ditches, fences, ramparts, gates, high walls), all designed to serve as barriers that hinder attackers. Similarly, with defense-in-depth, you secure confidential customer data or resources behind a series of layered security products, including anti-virus software, intrusion-prevention systems (IPS), next-generation firewalls, and secure web gateways.
But is defense-in-depth still the appropriate security architecture? After all, we keep hearing about organizations being breached, many of which have adopted these very principles. It doesn’t seem like defense-in-depth is really working.
The reality is that the castle mentality, aka defense-in-depth, is easy to aspire to in theory but difficult to implement in practice. First, it only works if all the layers work together as one, so that there is a cohesive view across all attack vectors. If there is no intelligence or ability to process all the events occurring across those layers, you may miss an attack in progress. Even assuming you have the proper system (and time) in place to perform all forms of analytics, you need a team of skilled IT security resources to understand the results and trigger the right alerts or configure the right policies to mitigate an attack.
The other assumption in the defense-in-depth model is that the insiders are friendlies. Just as an attacker could bribe the inhabitants of a castle to open the gates (thereby bypassing the archers, the burning tar and the spiked pits), a phishing attack on a privileged user lets an attacker bypass multiple layers to reach the critical data inside an organization.
Finally, the castle mentality is largely ineffective in a cloud and mobile world. When the “keep”, the critical data, resides in infrastructure outside the castle walls, all the king’s horses and all the king’s men won’t be able to secure it. In fact, with SaaS applications, the only barrier between the user and the cloud application is internet access and a set of login credentials.
A defensible security design really depends on context. Many medieval castles were virtually impregnable to direct assault; once cannons and gunpowder were available, they collapsed. Similarly, focusing on defense at the perimeter, i.e. a crunchy exterior and a squishy center, made sense before the advent of targeted attacks, mobility and cloud.
Today, a castle-like defense-in-depth architecture on its own just doesn’t work anymore. It’s time for IT professionals to recognize that doubling down on that failed security philosophy is a waste of time and resources. In its place, the idea of “Assume Breach” and an approach to security that focuses on rapid detection and containment is necessary. It’s not about building more “walls”; it is about building smarter user behavior analytics, optimizing the security solutions you’ve already deployed, and focusing on insider threats as well as external attacks.
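To make the “cohesive view across layers” and the “user behavior analytics” points concrete, here is an added example (not code from the original post or its author) of the kind of correlation an assume-breach detection pipeline performs. It takes constructed events from four separate layers (email gateway, web proxy, identity provider, file server), flags each weakly suspicious event, and only raises an alert when several different layers flag the same user within a short window, so that no single product has to see the whole attack. The layer names, field names, the 60-minute window, the per-user read baselines and the 5x threshold are all assumptions chosen for illustration.

```python
"""Cross-layer correlation per user: an added illustration, not a product's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: how close in time flagged events must be to count as one incident.
WINDOW = timedelta(minutes=60)

# Constructed stand-in for what a behavior-analytics system would learn:
# the typical number of file reads per hour for each user.
BASELINE_READS = {"alice": 20, "bob": 15, "carol": 30}

# Constructed sample events. Each dict has the same shape regardless of layer.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:02:11", "layer": "email_gw", "user": "alice",
     "detail": {"url_category": "uncategorized"}},
    {"ts": "2024-01-10T09:05:40", "layer": "web_proxy", "user": "alice",
     "detail": {"category": "uncategorized"}},
    {"ts": "2024-01-10T09:07:02", "layer": "idp", "user": "alice",
     "detail": {"result": "success", "geo": "new", "mfa": "none"}},
    {"ts": "2024-01-10T09:20:15", "layer": "file_server", "user": "alice",
     "detail": {"reads": 500, "share": "finance"}},
    # bob: normal activity on every layer, should not alert
    {"ts": "2024-01-10T10:00:00", "layer": "idp", "user": "bob",
     "detail": {"result": "success", "geo": "usual", "mfa": "push"}},
    {"ts": "2024-01-10T10:05:00", "layer": "file_server", "user": "bob",
     "detail": {"reads": 12, "share": "hr"}},
    # carol: one suspicious email but nothing else, a single layer is not enough
    {"ts": "2024-01-10T11:00:00", "layer": "email_gw", "user": "carol",
     "detail": {"url_category": "uncategorized"}},
]


def indicator(event):
    """Return a short reason if this one event is weakly suspicious, else None.

    Each rule on its own would be far too noisy to page anyone on; the value
    comes from combining them across layers in correlate().
    """
    layer, detail = event["layer"], event["detail"]
    if layer == "email_gw" and detail.get("url_category") == "uncategorized":
        return "email carried a link to an uncategorized domain"
    if layer == "web_proxy" and detail.get("category") == "uncategorized":
        return "browsed to an uncategorized domain"
    if layer == "idp" and detail.get("result") == "success":
        if detail.get("geo") == "new" or detail.get("mfa") == "none":
            return "successful login from a new location or without MFA"
    if layer == "file_server":
        reads = detail.get("reads", 0)
        baseline = BASELINE_READS.get(event["user"], 0)
        if reads > 5 * baseline:  # assumed threshold: 5x the learned baseline
            return f"{reads} file reads exceed 5x baseline of {baseline}"
    return None


def correlate(events, min_layers=3):
    """Raise one alert per user whose flagged events span >= min_layers
    distinct layers inside WINDOW. Returns a list of alert dicts."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        reason = indicator(event)
        if reason:
            by_user[event["user"]].append(
                (datetime.fromisoformat(event["ts"]), event["layer"], reason))

    alerts = []
    for user, hits in by_user.items():
        for i, (start, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - start <= WINDOW]
            layers = {h[1] for h in window}
            if len(layers) >= min_layers:
                alerts.append({"user": user,
                               "first_seen": start.isoformat(),
                               "layers": sorted(layers),
                               "reasons": [h[2] for h in window]})
                break  # one alert per user is enough for the responder
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT user={alert['user']} layers={alert['layers']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Running it on the constructed events alerts only on alice, whose phishing email, click, MFA-less login from a new location and bulk file reads all land inside the window; bob’s ordinary activity and carol’s lone suspicious email stay quiet. The point is that each individual rule is deliberately weak, and it is the cross-layer correlation, not any one product, that turns four low-value events into a containable incident.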