Gartner Blog Network


Revisiting Defense in Depth…

by James McGovern  |  April 10, 2017

Today, I want to question some received wisdom among security architecture professionals. The notion of defense in depth may need to be revisited. More security controls do not necessarily mean better security. In fact, the current strategy of most organizations, layering on many different technologies, is not only proving ineffective, it is overly complex and expensive. This notion needs better enterprise architecture stewardship.

Can we agree on the following:

  • While some people equate layers with defense in depth, the two aren't always the same thing?
  • Defense in depth is not just about thinking in layers but about parallel constructs, principles and business facilitation?
  • Attacks nowadays can originate inside the layers and don't always originate from the outside?
  • We are now placing our data outside of corporate-controlled layers (think cloud, SaaS, etc.), and we might need a federation of layers?
  • If an organization relies on multiple layers, none of which is informed by the others, their usefulness might be limited?
  • We may need a reference accountability model for layers? For example, when should a web application itself detect automated abuse (anti-automation) rather than leaving that to another layer?

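To make the third and fifth points concrete, here is an added example (not from the original post) of what "layers informed by each other" looks like in practice. Three hypothetical control layers, a WAF at the edge, the application's login handler, and an identity provider, each emit events; the layer names, signal names, thresholds, addresses and timestamps are all constructed for the illustration. Evaluated in isolation, no layer crosses its own alerting threshold. Correlated by source within a short time window, two sources stand out, one of them an internal address that never touched the WAF at all.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events, one record per control layer. Layer names
# ("waf", "app", "idp"), signal names, users and addresses are assumptions
# made for this illustration, not a real product's schema.
SAMPLE_EVENTS = [
    {"ts": "2017-04-10T09:00:01", "layer": "waf", "src": "203.0.113.7", "signal": "rate_limit"},
    {"ts": "2017-04-10T09:00:05", "layer": "app", "src": "203.0.113.7", "signal": "login_failure", "user": "alice"},
    {"ts": "2017-04-10T09:00:09", "layer": "app", "src": "203.0.113.7", "signal": "login_failure", "user": "bob"},
    {"ts": "2017-04-10T09:00:12", "layer": "idp", "src": "203.0.113.7", "signal": "mfa_denied", "user": "alice"},
    # A source inside the perimeter: it never passes through the WAF layer.
    {"ts": "2017-04-10T09:10:00", "layer": "app", "src": "10.20.30.40", "signal": "login_failure", "user": "svc-backup"},
    {"ts": "2017-04-10T09:10:04", "layer": "app", "src": "10.20.30.40", "signal": "login_failure", "user": "svc-backup"},
    {"ts": "2017-04-10T09:10:08", "layer": "idp", "src": "10.20.30.40", "signal": "mfa_denied", "user": "svc-backup"},
    # Benign noise: one failed login from an external address.
    {"ts": "2017-04-10T09:20:00", "layer": "app", "src": "198.51.100.9", "signal": "login_failure", "user": "carol"},
]

# How each layer alerts when it looks only at its own events: the signal it
# counts and the per-source count that trips an alert (assumed values).
ISOLATED_THRESHOLDS = {
    "waf": ("rate_limit", 3),
    "app": ("login_failure", 5),
    "idp": ("mfa_denied", 3),
}

# RFC 1918 ranges stand in for "inside the corporate-controlled layers".
INTERNAL_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def origin(src):
    """Classify a source address as inside or outside the corporate network."""
    addr = ip_address(src)
    return "internal" if any(addr in net for net in INTERNAL_RANGES) else "external"


def isolated_alerts(events):
    """Sources flagged when every layer applies its own threshold in isolation."""
    counts = defaultdict(int)
    for e in events:
        signal, _ = ISOLATED_THRESHOLDS[e["layer"]]
        if e["signal"] == signal:
            counts[(e["layer"], e["src"])] += 1
    return {src for (layer, src), n in counts.items()
            if n >= ISOLATED_THRESHOLDS[layer][1]}


def correlated_alerts(events, window=timedelta(minutes=5), min_layers=2):
    """Sources reported by at least `min_layers` distinct layers within `window`.

    Each layer's signal is weak on its own; agreement between independent
    layers about the same source, close together in time, is the signal.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["layer"]))
    alerts = {}
    for src, items in by_src.items():
        items.sort()  # chronological, so items[i:] is everything at or after items[i]
        for i, (start, _) in enumerate(items):
            layers = {layer for ts, layer in items[i:] if ts - start <= window}
            if len(layers) >= min_layers:
                alerts[src] = {"layers": sorted(layers), "origin": origin(src)}
                break
    return alerts


if __name__ == "__main__":
    print("isolated layers alert on:", isolated_alerts(SAMPLE_EVENTS))
    print("correlated layers alert on:", correlated_alerts(SAMPLE_EVENTS))
```

Run stand-alone, the isolated view returns nothing while the correlated view flags both the external source (seen by all three layers) and the internal one (seen by two, with no WAF involvement). The point is not the toy thresholds but the design: for layers to inform one another, every layer has to emit its signals in a form another layer or a correlation function can consume, and someone has to own the decision of which layer acts on the combined result.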
How can we improve our thinking on layering? How should enterprise architecture organizations push back on information security organizations when they oversimplify security principles?

Category: information-protection  solution-architecture  

James McGovern
Research Director
1 year at Gartner
28 years IT Industry

James McGovern is a Research Director responsible for conducting research in the Enterprise Architecture and Technology Innovation areas. James is specifically focused on how organizations can use business-outcome-driven EA to respond to disruptive trends and leverage technology to deliver successful business outcomes. Read Full Bio



