Back to the Future: Layered Security

In December of 2010 I posted a “Looking forward to 2011” entry that included the following simple advice: “One thing that we have learned in the last few years is that often times, it’s the simple and straightforward actions that make the most sense.” That is a theme that has been consistently used in this blog because it just turns out to be true. Albert Einstein once said: “Make things as simple as possible, but not simpler.”

Related to that is this advice: do not rely on just one method of securing a resource, no matter how dynamic, exhaustive, or impressive it is. We have been a consistent supporter of this equally tried and true “Belt and Suspenders” approach to everything security. Using simple layers of security is often more dependable than expensive or complex products or strategies. Just this last week, the following news was in the headlines:

“The NCAA mistakenly left its internal SharePoint site unprotected, allowing fans, media … to have complete access to its most sensitive economic information. The leak involves years of accounting information, slideshows and much more.”

How is this possible? Probably because they assumed that, since this data was on the “inside,” the normal or default protections would be enough. That assumption used to be rampant throughout the industry, and it essentially makes no sense anymore.

There are a number of “Belt and Suspenders” tactics that probably would have prevented this exposure from happening. None of them is sophisticated or complex, yet as a collection of protection layers they would have prevented the exposure even if one or more of them had failed.

  • Internet-facing firewall: make the rules just as strict about what goes out as about what comes in; don’t allow file share protocols outbound
  • Monitoring: similar to the firewall, be just as concerned about traffic that is leaving the network as about what is coming in; detect file share requests travelling outbound
  • Intrusion detection: notice that external IP addresses are accessing internal resources
  • Authentication: require users to provide credentials to use SharePoint services
  • Authorization: define acceptable users or groups that can access the SharePoint services

None of the above actions are hard to implement or require unique security infrastructure or expertise. Each one provides a certain type of security awareness or protection that is related to, but different from, the others. No single one provides ultimate protection of the internal resource, but as a whole they represent a layered approach that still protects the asset even if one or more of them is, for whatever reason, not working.
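The five layers listed above can be modelled as independent checks over connection records, which makes it easy to see what still fires when some layers are missing. This is an added sketch, not code from the original post; the internal address ranges, file share ports, SharePoint host, group name and sample events are all constructed assumptions.

```python
import ipaddress

# Assumptions for this sketch (not from the post): RFC 1918 space is "inside",
# SMB/NetBIOS ports stand in for file share protocols, and the host, group and
# event records below are constructed sample data.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FILE_SHARE_PORTS = {137, 138, 139, 445}
SHAREPOINT_HOST = "10.1.2.3"
ALLOWED_GROUP = "finance-staff"

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def layers_triggered(event, disabled=frozenset()):
    """Names of the enabled layers that would block or alert on this event."""
    outbound_share = (is_internal(event["src"]) and not is_internal(event["dst"])
                      and event["dport"] in FILE_SHARE_PORTS)
    to_sharepoint = event["dst"] == SHAREPOINT_HOST
    checks = {
        "egress_firewall": outbound_share,      # firewall rule: block
        "egress_monitoring": outbound_share,    # monitoring: alert
        "intrusion_detection": is_internal(event["dst"]) and not is_internal(event["src"]),
        "authentication": to_sharepoint and event.get("user") is None,
        "authorization": to_sharepoint and ALLOWED_GROUP not in event.get("groups", ()),
    }
    return sorted(name for name, hit in checks.items() if hit and name not in disabled)

EVENTS = {  # constructed sample records
    "anonymous_external": {"src": "203.0.113.7", "dst": "10.1.2.3", "dport": 443, "user": None},
    "outbound_smb": {"src": "10.1.5.20", "dst": "198.51.100.9", "dport": 445, "user": None},
    "staff_internal": {"src": "10.1.5.21", "dst": "10.1.2.3", "dport": 443,
                       "user": "alice", "groups": ("finance-staff",)},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, "->", layers_triggered(ev))
    # Access control left at defaults: another layer still catches the request.
    broken = {"authentication", "authorization"}
    print("access control off ->", layers_triggered(EVENTS["anonymous_external"], broken))
```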

So, here we are ending 2011 just where we started the year: focusing on fundamentals; preaching about straightforward and layered security philosophies.
