Today, I want to question the sage wisdom of Security Architecture Professionals. The notion of defense-in-depth may need to be revisited. More security doesn’t necessarily mean better security. In fact, the current strategy of most organizations—layering on many different technologies—is not only proving ineffective, it is overly complex and expensive. This notion needs better enterprise architecture stewardship.
Can we agree on the following:
- While some people equate layers with Defense in Depth, the two aren’t always the same thing?
- Defense in Depth is not just about thinking in layers but about parallel constructs, principles and business facilitation?
- Attacks nowadays can originate inside the layers and don’t always come from the outside?
- We are now placing our data outside of corporate-controlled layers (think cloud and SaaS services), so we might need a federation of layers?
- If organizations rely on multiple layers, none of which is informed by the others, the usefulness of those layers might be limited?
- We may need a reference accountability model for layers? For example, when should a web application itself detect automated abuse (anti-automation), and when should another layer be accountable for that?
How can we improve our thinking on layering? How should enterprise architecture organizations push back on information security organizations when the latter oversimplify security principles?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.