Warren_Kopp
Star Contributor

Imagine standing in the courtyard of a medieval castle. Imagine angry hordes of all sorts of ancient-world bad guys. Huns, Picts, Vikings, even dragons are outside the wall trying to get in. You feel pretty secure. You've got stone walls many feet thick, which extend above and below ground; you have a huge moat, twenty feet wide and forty feet deep. You have an army of knights, archers, and foot soldiers. Sure, it's scary outside the walls, past the moat, but inside, behind those layers, everything is pretty calm.


This is a very simple explanation of what defense in depth really means. If your enemies build bridges, the moat is just a pretty bit of water. You'll still have walls and soldiers. If your enemies breach the walls, you'll still have your soldiers. Together these defenses create a substantial barrier to protect your valuables. Even if one layer fails, the other layers still function.


In the world of information security, your enemies can take many forms: competing businesses, hackers looking for a quick paycheck, bored internet denizens trying to be hackers, even employees trying to be more efficient. All of these can be a threat to your data or your processes. Understanding defense properly requires at least a familiarity with what threats exist and how they might threaten your data.


So that's a great story about the castle, and it's fun to know that there are a lot of people after my data, but what can one do to build this layered defense? Protecting sensitive data is as much about verifying controls as enacting them. In our best practices document we discuss how to encrypt data, enforce user security, verify user group settings, and encrypt communications. These protections are not simple on/off mechanisms. They'll need to be configured to match the security policies and posture of your unique environment. Like the individual security settings, defense in depth is not a simple binary state. You must understand where you can control access and permissions, where you can turn on encryption, and where you can block access.


You can use these ideas to build a fortress of your own. Build unique, freestanding defenses. Your moat and walls are the infrastructure and the greater organizational environment you operate within. These are things like firewalls, IDS/IPS, and TLS: things that need some maintenance, but are mostly set up once and left working. Your army is the software controls and your users. These you can customize, train, and mold into an effective force that protects against all threats.

Can your shipping and receiving users see HR data? Work with the teams and departments you support to test your security. Give an HR manager a sample account and ask them to try to get to inappropriate data. Do the same thing with as many managers as are willing and able to help. Once you feel that you have the technological defenses and software settings working to protect your data, you can move further.

Engage your user base. Start with small teams, and discuss with them the implications of errors or misconfigurations, both on your side and theirs. Reach out to advanced users or groups with great privileges. Explain to them that you want to help. Be willing to listen to their problems with the system; don't just limit these conversations to security. Increasing security may cause changes to throughput or working habits. Be flexible and attentive. If your user base knows you're trying to help them, they will become the most effective layer of defense in depth.
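The "verify, don't just enact" advice above (check user group settings, hand a sample account to a manager and see whether it can reach data it shouldn't) can be turned into a repeatable audit. The script below is an added example and not part of the original post or of any product's own tooling: it compares a department-level policy against the group memberships and share grants a system actually has, reports grants that exceed the policy and access the policy promises but the system does not give, and runs the same "can shipping see HR data?" probes a sample account would. Every user, group and data set in it is constructed for illustration; a real audit would load these from the platform's admin export or API.

```python
"""Audit effective data access against a department-level policy.

Added example, not part of the original post. All users, groups and
share grants below are constructed for illustration; in practice they
would be exported from the platform's admin tooling or API.
"""

# Policy: which departments may read each data set (constructed).
POLICY = {
    "hr_salaries": {"hr"},
    "shipping_manifests": {"shipping", "finance"},
    "gl_ledger": {"finance"},
}

# Effective state as exported from the system (constructed).
USER_DEPT = {
    "alice": "hr", "bob": "hr",
    "carol": "shipping", "dave": "shipping",
    "erin": "finance", "frank": "finance",
}
GROUP_MEMBERS = {
    "grp_hr": {"alice", "bob"},
    "grp_shipping": {"carol", "dave"},
    "grp_finance": {"erin"},
    "grp_all_staff": {"alice", "bob", "carol", "dave", "erin"},
}
# Data set -> groups holding a read share. Sharing hr_salaries with
# grp_all_staff is the kind of quiet misconfiguration an audit should catch.
SHARES = {
    "hr_salaries": {"grp_hr", "grp_all_staff"},
    "shipping_manifests": {"grp_shipping", "grp_finance"},
    "gl_ledger": {"grp_finance"},
}


def groups_granting(user, dataset):
    """Groups through which `user` currently gets read access to `dataset`."""
    return sorted(g for g in SHARES.get(dataset, ())
                  if user in GROUP_MEMBERS.get(g, ()))


def can_read(user, dataset):
    """Effective access: true if any shared group contains the user."""
    return bool(groups_granting(user, dataset))


def find_overprivilege():
    """(user, dataset, group) triples where a grant exceeds the policy."""
    found = []
    for dataset, allowed_depts in POLICY.items():
        for user, dept in USER_DEPT.items():
            if dept in allowed_depts:
                continue
            for group in groups_granting(user, dataset):
                found.append((user, dataset, group))
    return sorted(found)


def find_missing_access():
    """(user, dataset) pairs where policy permits access but no grant exists."""
    return sorted(
        (user, dataset)
        for dataset, allowed_depts in POLICY.items()
        for user, dept in USER_DEPT.items()
        if dept in allowed_depts and not can_read(user, dataset)
    )


def failed_probes(cases):
    """Run 'sample account' checks: each case is (user, dataset, expected).

    Returns the cases whose effective access differs from expectation.
    """
    return [(u, d, exp) for u, d, exp in cases if can_read(u, d) != exp]


if __name__ == "__main__":
    for v in find_overprivilege():
        print("OVER-PRIVILEGED: %s can read %s via %s" % v)
    for m in find_missing_access():
        print("MISSING: %s cannot read %s" % m)
    # Constructed probe list mirroring the post's "can shipping see HR data?" test.
    probes = [("carol", "hr_salaries", False), ("alice", "hr_salaries", True)]
    for f in failed_probes(probes):
        print("PROBE FAILED:", f)
```

Run as-is, it reports that carol, dave and erin can all read hr_salaries through grp_all_staff, that frank has no path to the finance data his department is entitled to, and that the carol probe fails. Reporting the group that carries each bad grant matters more than the list of users: one over-shared group is the single fix, whereas revoking users one by one leaves the root cause in place for the next hire.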