The digital transformation has had a profound impact on the way organizations operate. Long-standing security solutions have demonstrated signs of wear against the rapid speed of innovation from cybercriminals. However, one paradigm has quickly risen to be the new standard of cybersecurity, and for good reason. Utilizing a zero trust approach to cybersecurity, federal agencies and organizations can cultivate a fundamental change in their security posture that severely curtails malicious intrusions. While zero trust is widely becoming accepted as the standard base for modern cybersecurity postures, another approach has begun to make some waves: Defense in Depth. To best understand what each posture entails, and ultimately how effective it is, let’s take a step back and understand where we are and what we need to successfully defend an organization.
With a digital transformation – as with the pioneers of the American West or Captain Kirk’s crew of the starship Enterprise – the mission is most important. The goal is to keep moving toward your objective as best you can while overcoming known and unknown challenges. In addition to efficient operational processes, the success of your mission also depends on your security strategy, as an attack can come at any time and from any quarter. But what is the best strategy? Do you circle the wagons to form a perimeter around all that is precious, thus assuming nothing bad will breach your externally facing defenses; or, as with the Trekkies, do you extend security internally – trust no one – and compartmentalize all your people and valuables with access-controlled doors that make a sound like partially whistling compressed air when opening and closing?
Zero Trust vs. Defense-In-Depth
As attackers – such as tribbles, Klingons, and state-sponsored cyber thieves – have become more sophisticated, recommended cybersecurity strategies have shifted and enterprises have developed a variety of defense strategies to secure users and data. Chief among these strategies are ‘defense-in-depth’ and ‘Zero Trust’. What are they and how do they differ? The following will define them and dig into the differences between Zero Trust vs. defense-in-depth. Let’s take a look, shall we?
What is Zero Trust?
So, what is Zero Trust? It is based on the concept of “never trust, always verify.” This cybersecurity framework is based on the idea that no entity – inside or outside of a network – should be implicitly trusted. Everything and everyone needs to prove who they are and that they have the right permissions to access the target resource. In short, they need to undergo continual authentication, verification, and authorization to keep access to applications and data.
This is akin to crew members of the Enterprise verifying and authenticating their identity at every doorway before they are allowed to access the next area.
What is Defense-in-depth?
Now, defense-in-depth refers to the practice of using layers of security measures, such as firewalls, secured gateways, authentication, and intrusion detection systems, to protect internal networks from external attacks. This provides backup levels of security in case other security measures fail.
It’s circling the wagons, but with multiple layers of protective devices and processes to keep threat actors outside of the perimeter.
In short, if one defensive measure is compromised, another set of defense mechanisms can detect and prevent a breach attempt. By including redundancies and using security defenses across solutions, enterprises can aim to close gaps in security and thwart potential attacks.
What is the difference between Zero Trust vs defense-in-depth?
The main difference between Zero Trust and defense-in-depth security strategies is that Zero Trust never implicitly trusts users inside or outside network perimeters, whereas with a defense-in-depth security strategy, users within a network are usually implicitly trusted.
While Zero Trust aims to prevent attackers from the outset, the defense-in-depth strategy simply aims to delay the attack by increasing the number of barriers an attacker must overcome to get within the security perimeter.
What are the benefits of a defense-in-depth approach?
The main cited benefit of a defense-in-depth approach is layered security. If one part of an enterprise fails, then other networks and platforms are kept safe. To build it effectively, you must consider your strengths and weaknesses, and add layers where a breach is most likely. This redundancy helps to ensure that a single point of failure won’t be the sole factor in a successful breach. By layering perimeter defense with a defense-in-depth configuration, threat actors must clear multiple hedgerows, which slows down threat advancement and adds complications to their efforts.
Downsides to defense-in-depth
Although defense-in-depth has been a solid strategy for quite a while, there are some downsides. One of the key shortcomings of defense-in-depth is that new threat techniques are always being created while existing ones continue to evolve.
As these threats develop, the focus of attacks changes. What was safe yesterday is vulnerable today. And if you’re not aware, you are unlikely to have appropriate protection against a threat. Often there’s a lack of integration among the various security measures in a defense-in-depth strategy, which makes coordinating across various security layers difficult. This non-integration leads to gaps in defenses and can extend the time before a breach is detected. Furthermore, it can be expensive to procure, maintain and manage a multilayer cybersecurity strategy, particularly across the modern hybrid, heterogeneous enterprise. Also, you can add other cybersecurity complications to the list, such as third-party contractors, RPA technology, BYOD, and remote working. Any time there is a change or modification in how work gets done, the defense-in-depth model needs to have a suitable response, which isn’t always possible.
With the migration to ‘work from anywhere’ and ‘as-a-service’ business applications, many of the defense-in-depth concepts no longer apply in their original form. The ‘depth’ now becomes the human and the identity that requires protection.
- A continually growing attack surface
- BYOD and cloud applications
- Complex management
- Expensive to maintain
- Time to identify threats
- Visibility across the enterprise
- Siloed solutions and data
- Compliance challenges
- Cost of hiring staff and consultants to integrate ecosystems
What are the benefits of Zero Trust?
Whereas defense-in-depth is the festival seating of cybersecurity, Zero Trust is more along the lines of an exclusive club-style security with velvet ropes controlling access to specific tables and sections, including the VIP and super VIP areas. First, just to get in the front door, you might need to show two forms of ID. Plus, there are bouncers inside that monitor for bad behavior, and for people and activities that don’t belong. If you don’t have the right credentials, can’t act appropriately, or seem suspicious for any reason, your night at the club is over.
As they say, Never Trust, Verify Everything. Then, because it’s Zero Trust, a user doesn’t have automatic access to anything. In fact, at the most, their access is governed by the least-privilege framework, where they only have access to the minimum of resources to get their daily job done.
With the processing speed of modern security technology, just-in-time (JIT) access protocols can be applied with minimal impact on productivity or speed of access. If a user needs to access a cloud application or a proprietary database, they need to authenticate, and their identity needs to be verified for each access session.
Escalation processes can be applied to users (human or machine) that are attempting to get to sensitive resources they don’t normally access. These escalation processes can be automated or require manual approvals by managers and/or application owners – or a combination of approval processes depending on the security policies of your organization.
Whereas defense-in-depth focuses on keeping bad actors out, Zero Trust has the huge benefit of protecting against internal threats. With defense-in-depth, once in, you’re free to move around the cabin, but with Zero Trust, even if you have privileged access, at every critical access point you must authenticate and verify. Add in the collection of user-behavior data, and even if a user normally has access to a resource, if their activities veer too far from their known baseline behaviors, they may be asked to prove they are who they say they are with an MFA process or have their session immediately shut down. As many breaches are executed via compromised identities of legitimate users or by disgruntled employees, this monitoring of internal users is a massively important element of any cybersecurity strategy.
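The access decisions described above (per-session verification, least privilege, escalation approvals, and baseline-driven MFA step-up or session shutdown) can be sketched as a single policy decision function. This is an added example, not One Identity code; the class names, thresholds, decision strings, and sample policy are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds on a 0..1 "deviation from baseline" score (illustrative only).
STEP_UP_AT = 0.5     # at or above this, require a fresh MFA challenge
TERMINATE_AT = 0.8   # at or above this, shut the session down

@dataclass
class Request:
    user: str
    resource: str
    session_verified: bool                # identity verified for THIS session
    mfa_passed: bool = False              # fresh MFA completed for this request
    deviation: float = 0.0                # distance from the user's known baseline
    approved_by: frozenset = frozenset()  # roles that signed off on an escalation

@dataclass
class Policy:
    entitlements: dict  # user -> resources needed for the daily job
    sensitive: dict     # resource -> approver roles required for escalation

    def decide(self, r: Request) -> str:
        # Never trust: no verified session means no access, wherever the user sits.
        if not r.session_verified:
            return "deny:authenticate"
        # Behavior checks apply even to users who normally hold the access.
        if r.deviation >= TERMINATE_AT:
            return "terminate_session"
        if r.deviation >= STEP_UP_AT and not r.mfa_passed:
            return "challenge:mfa"
        # Least privilege: only resources in the user's entitlement set.
        if r.resource in self.entitlements.get(r.user, set()):
            return "allow"
        # Escalation: a sensitive resource outside normal access needs approvals.
        required = self.sensitive.get(r.resource)
        if required is None:
            return "deny:not_entitled"
        missing = required - r.approved_by
        if missing:
            return "pending_approval:" + ",".join(sorted(missing))
        return "allow:just_in_time"

# Constructed sample policy: one user, one everyday app, one sensitive database.
POLICY = Policy(
    entitlements={"alice": {"crm"}},
    sensitive={"payroll-db": {"manager", "app_owner"}},
)
```
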
So those are the basics of defense-in-depth and Zero Trust. There are pros and cons to both and which you choose depends on where your organization’s cybersecurity needs to be in the near future, your threshold of risk vs your available budget, and your best estimation of vulnerability to internal and external threat actors. We’re biased at One Identity, but we strongly encourage organizations to move to a unified identity security strategy that can deliver visibility across your enterprise. This will help your organization live long and prosper.