Organizations take a multifaceted approach to protecting systems and information.
October 15, 2007
As security threats have become increasingly sophisticated and diverse, organizations have had to find more effective ways to protect their data, applications, systems and networks.
For many, that means implementing “layered security.” The layered approach to information security refers to the deployment and use of multiple types of security tools or risk mitigation techniques, rather than relying on a single tool or mechanism to protect against threats.
“The idea is that a single mechanism may have weaknesses that can be strengthened by using other mechanisms,” says Eric Maiwald, senior analyst at Burton Group.
For example, Maiwald says, on a network an enterprise might use a network firewall to limit the traffic that’s allowed to enter the enterprise’s internal network. But one weakness of a firewall is that if the traffic matches the firewall rule set, it’s allowed in. “So the enterprise might layer an intrusion detection or prevention system behind the firewall to look at the traffic and see whether any of the allowed traffic also includes attempted exploits,” Maiwald says.
Layered security approaches are not limited to information security technology, Maiwald says. Organizations can also use physical security mechanisms, such as locking devices, as part of the layered approach.
The majority of businesses today use some type of layered approach to security. “Even in the SMB [small and midsize business] market, most companies use some form of layering, whether they call it that or not,” Maiwald says. “A layered approach is the proper way to implement a risk management architecture simply because no single mechanism will provide the controls that most enterprises require.”
All security implementations include tradeoffs, Maiwald says. “The primary tradeoff is between cost and risk mitigation,” he says. “The more mechanisms that are installed, the higher the cost. The enterprise needs to see a benefit from the additional mechanisms in the form of a reduced risk.”
But the benefits of implementing a layered security strategy are clear. Security vulnerabilities are many, and they vary greatly in terms of the systems and applications they can affect and the potential damage they can inflict.
No single information security technology is capable of stopping all types of attacks and providing the risk management that organizations need. But each tool has its strengths. A firewall might reduce the attack surface of a network; an intrusion detection/prevention system might reduce the likelihood of a known attack reaching internal servers; a Web application firewall might control the risk of inappropriate use of an application; and authentication mechanisms help to control the likelihood of an unauthorized individual gaining access to sensitive information, Maiwald says.
One of the key advantages of a layered architecture “is the control over potential weaknesses or vulnerabilities within a mechanism,” Maiwald adds. “If a firewall has a vulnerability that [might] be exploited, other mechanisms in a layered architecture will likely identify the failure of the firewall and at least notify the enterprise of the failure,” or even prevent or reduce the negative consequences.