Today, I want to question the sage wisdom of Security Architecture Professionals. The notion of defense-in-depth may need to be revisited. More security doesn’t necessarily mean better security. In fact, the current strategy of most organizations—layering on many different technologies—is not only proving ineffective, it is overly complex and expensive. This notion needs better enterprise architecture stewardship.
Can we agree on the following:
- While some people equate layers with Defense in Depth, they aren't always the same thing?
- Defense in Depth is not just about thinking in layers but about parallel constructs, principles and business facilitation?
- Attacks nowadays can originate inside the layers and don’t always originate from the outside?
- We are now placing our data outside of corporate-controlled layers (think Cloud, SaaS, etc.) and we might need to have a federation of layers?
- If organizations rely on multiple layers, none of which are informed by the others, their use might be limited?
- We may need a reference accountability model for layers? For example, when should the web application itself detect automated traffic (anti-automation), and when should another layer be accountable for it?
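To make the two points above concrete (layers that are not informed by each other, and an explicit accountability model for which layer owns a control), here is a small added example in Python. It is not code from the original post; the layer names, the signal scores, the threshold and the sample events are all constructed for illustration. Each layer (a WAF and the application) scores a client on its own; in the isolated model a layer alerts only on its own evidence, while in the federated model the per-client scores are pooled across layers, and an accountability map records which layer is expected to act on a given control.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed accountability model (an assumption for this example):
# which layer is expected to act on a given control.
ACCOUNTABLE_LAYER = {
    "volumetric_rate_limiting": "waf",
    "anti_automation": "app",
}

# Constructed threshold: a client is flagged once its evidence reaches this score.
ALERT_THRESHOLD = 5


@dataclass(frozen=True)
class Event:
    layer: str    # layer that observed the signal ("waf" or "app")
    client: str   # pseudonymous client identifier
    signal: str   # what the layer saw
    score: int    # how suspicious the layer considers it (constructed scale)


# Constructed sample events. "c-bulk" is loud enough for the WAF alone;
# "c-scraper" is low-and-slow, so each layer sees only weak evidence.
SAMPLE_EVENTS = [
    Event("waf", "c-bulk", "rate_limit_exceeded", 6),
    Event("waf", "c-scraper", "elevated_request_rate", 3),
    Event("app", "c-scraper", "honeypot_field_filled", 3),
    Event("app", "c-human", "slow_form_fill", 1),
    Event("app", "c-bulk", "normal_form_fill", 0),
]


def isolated_alerts(events, threshold=ALERT_THRESHOLD):
    """Each layer decides on its own evidence only (layers not informed by each other).

    Returns the set of (layer, client) pairs that reach the threshold.
    """
    per_layer_client = defaultdict(int)
    for ev in events:
        per_layer_client[(ev.layer, ev.client)] += ev.score
    return {key for key, total in per_layer_client.items() if total >= threshold}


def federated_alerts(events, threshold=ALERT_THRESHOLD):
    """Layers share their observations; evidence is pooled per client across layers.

    Returns the set of clients whose combined score reaches the threshold.
    """
    per_client = defaultdict(int)
    for ev in events:
        per_client[ev.client] += ev.score
    return {client for client, total in per_client.items() if total >= threshold}


def missed_by_isolated_layers(events, threshold=ALERT_THRESHOLD):
    """Clients only visible when the layers inform each other."""
    isolated_clients = {client for _layer, client in isolated_alerts(events, threshold)}
    return federated_alerts(events, threshold) - isolated_clients


def accountable_layer_for(control):
    """Look up which layer the reference model holds accountable for a control.

    Raises KeyError for a control nobody is accountable for, which is itself
    a finding worth surfacing in an architecture review.
    """
    return ACCOUNTABLE_LAYER[control]


if __name__ == "__main__":
    print("isolated layers flag:", sorted(isolated_alerts(SAMPLE_EVENTS)))
    print("federated layers flag:", sorted(federated_alerts(SAMPLE_EVENTS)))
    print("only caught by federation:", sorted(missed_by_isolated_layers(SAMPLE_EVENTS)))
    print("anti-automation is owned by:", accountable_layer_for("anti_automation"))
```

Run as-is, the isolated model flags only the loud client, while the federated model also flags the low-and-slow one whose evidence is split across the WAF and the application. The accountability map is deliberately a plain lookup so that a missing entry fails loudly rather than silently leaving a control with no owner.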
How can we improve our thinking on layering? How should enterprise architecture organizations push back on information security organizations when they oversimplify security principles?