Lawrence Pingree

A member of the Gartner Blog Network

Lawrence Pingree
Research Director
2 years with Gartner
16 years IT industry

Lawrence Pingree's responsibilities include coverage of security technologies and the cloud security space. His main focus is on conducting research targeted at the security aspects of products in the data center… Read Full Bio

Coverage Areas:

How do you define “defense in depth”?

by Lawrence Pingree  |  August 29, 2013  |  1 Comment

I’ve had some recent conversations that lead me to believe there may be some misunderstanding of the term defense in depth. Some practitioners may propose that this is a simple architecture that translates into a specific finite set of products and architectures. In a note I wrote last year (which is currently being updated) I used the term to bolster the support that our clients (for example a security manager, engineer or architect) may need to be able to increase their security capabilities (see Best Practices for Mitigating Advanced Persistent Threats). When some practitioners hear this term (especially those that are senior) they cringe and sometimes have the reaction or believe that  its “old school” philosophy.  I disagree.  I’m saddened when I hear that some security practitioners seem to have abandoned this concept, in fact I feel it may need to be expanded.

  • Defense In Depth – Implement preventative controls as much as possible/affordable.

Should we expand the terms used to be (DDR):

  • Defend In Depth – Implement preventative controls as much as possible/affordable.
  • Detect In Depth – Implement detective controls as a final “last straw” approach.
  • Respond in Depth – Respond as quickly as possible to avoid the negative effects of security control failures.

Should practitioners expand their thinking and this new strategic approach to their security programs?

What are your own thoughts?

1 Comment »

Category: Security     Tags:

1 response so far ↓

  • 1 Doug Laney   August 30, 2013 at 4:50 am

    Response to my auto GBN RSS retweet of your blog:

    From @scmunk:
    “@Doug_Laney Changes are that you have more levels, also closer to and including the data, can’t assume outside to in.”

    FF to respond on Twitter.

    –Doug Laney, VP Research, Gartner, @doug_laney