Layered Information Security Strategies

Uploaded by smitha

A Layered Approach to Information Security

A layered approach to information security, also known as defence in depth, is a security
strategy that employs multiple layers of protection to safeguard information systems. The
concept is based on the principle that no single security measure is entirely foolproof. By
implementing various overlapping security controls and practices, organizations can create a
more robust defence against a range of potential threats and vulnerabilities.

Key Aspects of a Layered Approach


o Physical security: Deploy closed-circuit television (CCTV) cameras to monitor
and record activities in and around sensitive areas. Ensure cameras cover
entrances, server rooms, and other critical locations.
o Perimeter Security: Includes firewalls, intrusion detection/prevention
systems (IDS/IPS), and network segmentation to protect the boundaries of
the network from external threats.
o Network Security: Uses tools such as virtual private networks (VPNs),
network access control (NAC), and secure network design to protect internal
network traffic and resources.
o Endpoint Security: Involves protecting individual devices such as computers,
smartphones, and tablets with antivirus software, endpoint detection and
response (EDR) solutions, and device management policies.
o Application Security: Ensures that software applications are secure through
practices like secure coding, application firewalls, and regular vulnerability
assessments.
o Data Security: Protects data through encryption, access controls, data
masking, and backup solutions to ensure data integrity and confidentiality.
o Identity and Access Management (IAM): Controls who has access to systems
and data through mechanisms like strong authentication, role-based access
control (RBAC), and multi-factor authentication (MFA).
o Role-based access control (RBAC): A key component of the layered approach
to information security that manages user access to resources based on
users' roles within the organization. It ensures that individuals have
access only to the information and systems necessary for their job
functions, reducing the risk of unauthorized access and minimizing
potential damage from insider threats.
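
The sketch below is an added example, not part of the original document. It shows how independent layers (network segment, MFA and RBAC) each get a veto over one access request, so a failure in one control is caught by another. The role names, permission strings and segment labels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission map (hypothetical roles and permissions).
ROLE_PERMISSIONS = {
    "hr_clerk": {"payroll:read"},
    "hr_manager": {"payroll:read", "payroll:write"},
    "helpdesk": {"ticket:read", "ticket:write"},
}
# Assumption for this example: sensitive permissions also require MFA.
MFA_REQUIRED = {"payroll:write"}


@dataclass(frozen=True)
class Request:
    user: str
    roles: tuple
    permission: str
    mfa_passed: bool
    source_segment: str  # "internal", "dmz" or "external"


def network_allows(req):
    """Network layer: only the internal segment may reach the resource."""
    return req.source_segment == "internal"


def mfa_allows(req):
    """IAM layer: sensitive permissions need a completed MFA challenge."""
    return req.permission not in MFA_REQUIRED or req.mfa_passed


def rbac_allows(req):
    """RBAC layer: deny by default; unknown roles grant nothing."""
    return any(req.permission in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles)


LAYERS = (("network", network_allows), ("mfa", mfa_allows),
          ("rbac", rbac_allows))


def decide(req):
    """Evaluate every layer and return (allowed, failed_layers).

    All layers are checked even after a failure so that the audit
    record shows every control that rejected the request.
    """
    failed = [name for name, check in LAYERS if not check(req)]
    return (not failed, failed)
```

Calling `decide()` on a request returns the verdict together with the list of layers that refused it, which is the record a monitoring system would log.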
Information Security Architecture

Information Security Architecture refers to the structured framework of
policies, controls, and practices designed to safeguard an organization's
information assets from threats and vulnerabilities. It encompasses the design
and implementation of security measures across an organization's IT
infrastructure to ensure the confidentiality, integrity, and availability of
information.

Key Components of Information Security Architecture

1. Security Policies and Standards are integral components of an Information Security
Architecture, providing a structured framework for managing and protecting information
assets. They define the rules, guidelines, and requirements necessary to safeguard systems,
data, and networks from threats and vulnerabilities.
2. Security Controls
• Administrative Controls: Include security policies, procedures, and guidelines. They
govern how security measures are implemented and managed.
• Technical Controls: Include tools and technologies such as firewalls, intrusion
detection systems (IDS), encryption, and access controls that protect information
systems and data.
• Physical Controls: Include physical barriers and safeguards such as access controls,
surveillance systems, and environmental controls to protect physical assets and
facilities.
3. Security architecture frameworks provide structured approaches to designing,
implementing, and managing an organization's security infrastructure. These frameworks
offer guidelines, best practices, and methodologies for establishing a comprehensive security
posture that aligns with business objectives and regulatory requirements. E.g.: SABSA –
Sherwood Applied Business Security Architecture

4. Network Security Architecture within a layered approach to information security involves
designing and implementing multiple layers of security measures to protect network
infrastructure from threats and vulnerabilities. The goal is to create a defence-in-depth
strategy that ensures comprehensive protection by addressing different aspects of network
security.

o Firewalls: Act as a barrier between internal networks and external threats,
controlling incoming and outgoing traffic based on security rules.
o Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS): Monitor
network traffic for suspicious activities and can automatically respond to potential
threats.
o Demilitarized Zone (DMZ): A separate network segment that isolates external-facing
services (e.g., web servers) from the internal network to reduce exposure to external
attacks.

5. Data Security Architecture refers to the structured design and implementation of policies,
controls, and technologies to protect data throughout its lifecycle—from creation and
storage to transmission and disposal. It aims to ensure the confidentiality, integrity, and
availability of data, aligning with organizational objectives and regulatory requirements.

6. Identity and Access Management (IAM) is a critical component of a layered approach to
information security, focusing on managing and controlling user identities and their access to
information systems. IAM ensures that only authorized individuals have access to resources
and that their access is consistent with their roles and responsibilities. E.g.: Multi-Factor
Authentication (MFA)

7. Incident Response and Recovery are critical components of a layered approach to
information security. They focus on detecting, managing, and recovering from security
incidents to minimize damage and restore normal operations. Integrating these processes
into a multi-layered security strategy ensures a comprehensive and effective response to
various types of security threats and breaches.

8. Physical security: Physical Security is a crucial layer in a comprehensive approach to
information security. It focuses on protecting physical assets and infrastructure from
unauthorized access, damage, or interference. Effective physical security helps safeguard
information systems and data by securing the environments where these assets are housed.

9. Secure monitoring and reporting: Secure Monitoring and Reporting are essential elements
of information security architecture, focusing on the continuous observation of security
events and the systematic reporting of security-related information. These practices help
organizations detect, analyse, and respond to security threats, ensuring that security policies
and controls are effective. E.g.: SIEM – Security Information and Event Management

10. Risk management: Risk Management in information security architecture is a systematic
process for identifying, assessing, and mitigating risks to protect information assets and
ensure the organization's overall security posture. It involves evaluating potential threats and
vulnerabilities, determining their impact, and implementing controls to manage and reduce
risks to acceptable levels.
SABSA – Sherwood Applied Business Security Architecture
What is SABSA?
SABSA is a proven methodology for developing business-driven, risk and opportunity
focused Security Architectures at both enterprise and solutions level that traceably
support business objectives.
It is also widely used for Information Assurance Architectures, Risk Management
Frameworks, and to align and seamlessly integrate security and risk management into IT
Architecture methods and frameworks.
The SABSA framework and methodology is used successfully around the globe to meet a
wide variety of Enterprise needs including Risk Management, Information Assurance,
Governance, and Continuity Management. SABSA has evolved since 1995 to be the
‘approach of choice’ for organisations in 50 countries and in sectors as diverse as Banking,
Homeless Management, Nuclear Power, Information Services, Communications
Technology, Manufacturing and Government.
SABSA ensures that the needs of your Enterprise are met completely and that security
services are designed, delivered and supported as an integral part of your business and IT
management infrastructure. Although copyright protected, SABSA is an open-use
methodology, not a commercial product.
SABSA is comprised of a series of integrated frameworks, models, methods and processes,
used independently or as a holistic integrated enterprise solution, including:
• Business Requirements Engineering Framework (known as Attributes Profiling)
• Risk and Opportunity Management Framework
• Policy Architecture Framework
• Security Services-Oriented Architecture Framework
• Governance Framework
• Security Domain Framework
• Through-life Security Service Management & Performance Management Framework

Refer to the website mentioned below:


[Link]
Layered Architecture: SABSA is structured into six layers, each addressing different aspects
of the architecture:
• Contextual: Business requirements, context, and goals.
• Conceptual: High-level security models and concepts.
• Logical: Security policies, procedures, and guidelines.
• Physical: The actual security mechanisms and controls.
• Component: Specific security solutions and tools.
• Operational: Daily security operations and management.

Advantages of SABSA
• SABSA ensures that security architectures are aligned with business objectives,
helping to balance security needs with business goals.
• The framework's layered approach (Contextual, Conceptual, Logical, Physical,
Component, Operational) provides a clear and organized way to develop security
architectures.
• SABSA can be adapted to various industries, organizational sizes, and specific
business needs.
• SABSA emphasizes a lifecycle approach, ensuring that security measures are
continually updated and improved in response to changing threats and business
needs.
• It covers all aspects of security architecture, including technical, organizational, and
procedural elements.

Disadvantages of SABSA

• The framework's depth and breadth can be challenging for those new to it,
requiring significant training and experience.
• Implementing SABSA can be resource-intensive, requiring skilled personnel
and significant time investment.
• Aligning high-level business objectives with specific security requirements
can be challenging, especially in rapidly changing business environments.
• Adapting SABSA to growing or changing organizations can be complex and
resource-intensive.
• Some practitioners may view SABSA as too theoretical or abstract,
particularly the higher-level layers, which can be difficult to translate into
practical, actionable measures.
Security Systems Development Life Cycle

The SecSDLC can be adapted to support the implementation of an information security
project.

Phase 1: Investigation
The investigation phase of the SecSDLC begins with a directive from upper management,
dictating the process, outcomes, and goals of the project, as well as its budget and other
constraints. Frequently, this phase begins with an enterprise information security policy
(EISP), which outlines the implementation of a security program within the organization.

Phase 2: Analysis
In the analysis phase, the documents from the investigation phase are studied. The
development team conducts a preliminary analysis of existing security policies or
programs, along with that of documented current threats and associated controls. This
phase also includes an analysis of relevant legal issues that could affect the design of the
security solution. Risk management also begins in this stage. Risk management is the
process of identifying, assessing, and evaluating the levels of risk facing the organization,
specifically the threats to the organization’s security and to the information stored and
processed by the organization.

Phase 3: Logical Design


The logical design phase creates and develops the blueprints for information security, and
examines and implements key policies that influence later decisions. Also at this stage, the
team plans the incident response actions to be taken in the event of partial or catastrophic
loss.
The planning answers the following questions:
Continuity planning: How will business continue in the event of a loss?
Incident response: What steps are taken when an attack occurs?
Disaster recovery: What must be done to recover information and vital systems
immediately after a disastrous event?

Phase 4: Physical Design


The physical design phase evaluates the information security technology
needed to support the blueprint outlined in the logical design, generates
alternative solutions, and determines a final design. At the end of this phase,
a feasibility study determines the readiness of the organization for the
proposed project, and then the champion and sponsors are presented with
the design.

Phase 5: Implementation
The implementation phase in SecSDLC is also similar to that of the traditional
Systems Development Life Cycle (SDLC). The security solutions are acquired
(made or bought), tested, implemented, and tested again.

Phase 6: Maintenance & Change

In information security, the battle for stable, reliable systems is a defensive
one. Often, repairing damage and restoring information is a constant effort
against an unseen adversary. As new threats emerge and old threats evolve,
the information security profile of an organization must constantly adapt to
prevent threats from successfully penetrating sensitive data.
