Saturday, August 6, 2011
Security in depth is a concept similar to peeling back the skin of an onion. Each layer you pull back reveals another layer. The more you peel back, the more layers remain. Eventually you wear it away, but it takes a while to get there.
According to Defense Security Service DSS security training, "Security-in-depth is a concept that employs security measures in levels or steps."
This concept can be demonstrated in a walk through a virtual walk through a cleared facility. The cleared facility is approved to store secret information. As such, the only requirement is to keep the classified information in a General Services Administration GSA approved container or safe.
Let's begin at the security container. The container provides the deter and detect capability necessary to protect the secret information, documents or hardware. It is difficult, but not impossible to break the container open, but once you do, it will be difficult to hide the damage. Therefore, you'll take a while to beat, tear, pry, explode and etc. While attempting, you will create a lot of noise dust and commotion.
As we back out, we can see that the door has a lock on it. This lock is another layer of protection. The protection can be more effective if a high security lock, bio scanner, bio reader, combination or other cipher lock is employed.
As we move out even further, we might find additional layers such as alarms, card or badge readers, guard stations, closed caption television CCTV or other security measures are employed. Again, not necessary according to NISPOM but can be considered security in depth.
We can continue all the way outside of the building where we might find barriers to entry to include a receptionist, more card readers, scanners or bio readers. The parking lot may have additional lighting, jersey barriers or other ways to prevent unauthorized access.
The physical security measures create layers of protection, where different assets may require different levels of protection. As we demonstrated in earlier blogs and DoD Security Clearances and Contracts Guidebook, the best way to evaluate security in depth needs is to conduct a risk assessment. Use the assessment to integrate physical, IT and information security protection and protective systems.