3.2 Defense-in-Depth Strategy

The IATF states, "The underlying principles of this strategy are applicable to any information system or network, regardless of organization. Essentially, organizations address Information Assurance needs with people executing operations supported by technology." Although the framework identifies three principal aspects in this strategy (i.e., people, operations, and technology), the Defense-in-Depth strategy concentrates mainly on the technology aspect. By layering defenses in these three areas, the strategy asserts that a successful attack against one of these three aspects does not compromise the entire information infrastructure. We will briefly cover what each of these aspects entails as part of this strategy.

3.2.1 People

People aspects include such things as (1) the development, implementation, and enforcement of policies and procedures; (2) conduct of training and awareness programs to increase awareness of IA safeguards in an organization; (3) implementation and oversight of physical security measures and personnel security policies and measures; (4) implementation and enforcement of a strong, disciplined system security administration effort; and (5) implementation of facilities countermeasures. Interorganizational relationships and technical partnerships are also very important. Without the successful give and take of these relationships, the best security programs and plans are destined to fail. All of these aspects have people as the common "weak link," and they address specific measures or safeguards to overcome that particular weakness.

3.2.2 Operations

Operational aspects of particular concern in the Defense-in-Depth strategy include (1) creation, implementation, and enforcement of strong security policies; (2) institutionalizing certification and accreditation programs; (3) conducting frequent and recurring readiness assessments; (4) implementing strong security management to include key management, attack sensing, and warning response actions; and (5) development of recovery and reconstitution procedures in the event that a security breach occurs.

3.2.3 Technology

The component of prime concern in the Defense-in-Depth strategy is technology. This includes IA architecture framework areas, criteria (i.e., security, interoperability, and PKI), acquisition integration of evaluated products, and system risk assessments.

Adopting a strategy of layered protections does not imply that IA mechanisms are needed at every possible point in a network architecture. By implementing appropriate levels of protection in key areas, an effective set of safeguards can be tailored according to each organization's unique needs. This tailoring process permits application of lower-assurance solutions when appropriate, which may be lower in cost. It allows for the judicious application of higher-assurance solutions at critical areas (e.g., network boundaries). The Defense-in-Depth strategy organizes these requirements into the same four categories as are found in the IATF discussed in the previous section. It is no coincidence that these four areas of the Defense-in-Depth strategy parallel the IATF. Defense-in-Depth is designed to work hand in hand with the IATF. We discuss each of these four categories in more detail in the following sections.

3.2.4 Defend the Network and Infrastructure

This area entails implementing processes specifically designed to protect an organization's LAN and WAN environments from attacks such as Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks. It requires the use of encryption and traffic flow security measures in order to resist passive monitoring. The organization must ensure that all data exchanged over a WAN is protected from unauthorized disclosure. This means WANs supporting mission-critical and mission-support data must provide appropriate protection mechanisms against denial-of-service attacks. Additionally, organizations must protect themselves against the delay, misdelivery, or nondelivery of protected information. Organizations must develop means to protect themselves from unauthorized traffic flow analysis of all user traffic and of the corresponding network infrastructure control information. In accomplishing all of these goals, security administrators must also ensure that these protection mechanisms do not interfere with the daily operations of the organization. Likewise, these activities must not interfere with other authorized backbone and enclave network traffic that traverses the network infrastructure.

3.2.5 Defend the Enclave Boundary

In order to defend enclave boundaries, an organization must deploy firewalls and intrusion detection systems to resist active network attacks. Security staff must ensure that physical and logical enclaves are adequately protected.

3.2.6 Defend the Computing Environment

To accomplish this task, an organization must provide access controls on hosts and servers to resist insider, close-in, and distribution attacks. It is important to ensure that clients, servers, and applications are adequately defended against denial of service, unauthorized disclosure, and modification of data. The confidentiality and integrity of data processed by the client, server, or application, both inside and outside of the enclave, must be maintained. This requires organizations to defend against the unauthorized use of a client, server, or application. They must ensure that clients and servers follow secure configuration guidelines and have all appropriate patches applied. Organizations must maintain configuration management of all clients and servers to track patches and system configuration changes. They must ensure that a wide variety of applications can be integrated into a desktop environment with no reduction in the applicable levels of security. Finally, the organization must take steps to provide adequate defenses against subversive acts by trusted persons and systems, both internal and external.

3.2.7 Supporting Infrastructures

The supporting infrastructures are a set of interrelated activities and infrastructures providing security services to enable IATF solutions. Currently, the Defense-in-Depth strategy defines two supporting infrastructures: KMI/PKI and detect and respond infrastructure.

Key Management Infrastructure

KMIs establish a standardized process for the secure creation, distribution, and management of public key certificates and symmetric keys that allow secured services in network, enclave, and computing environments. These secured services enable reliable verification of the identities of senders and receivers, and secure transport across boundaries of information that must be protected from unauthorized disclosure. KMI interoperability must support enforcement of the established security policies of each user's community. Key management is fundamental to many IA protection technologies. Because providing airtight protection is neither technically nor economically feasible, we must reinforce those protection technologies with capabilities to detect, respond to, and recover from cyberattacks that penetrate those protections. Cryptography-enabled services rely on KMI or PKI to provide a trustworthy foundation.

Detect and Respond Infrastructure

A detect and respond infrastructure enables quick detection of intrusions and facilitates a rapid reaction to them. Detect and respond capabilities are complex structures that run the gamut of intrusion and attack detection, characterization, and response. They provide intrusion trending capabilities so that one incident can be viewed in relation to others. This capability allows security analysts to identify potential threat patterns or new activities as they develop.

Detect and respond capability is most often instituted in organizations that maintain a centralized Network Operations Center (NOC). The NOC possesses all of the infrastructure required to implement intrusion detection, monitoring software, and a response team consisting of skilled specialists, often referred to as a Computer Emergency Response Team (CERT) or Cyber Attack Tiger Team (CATT). Because the progression of detect and respond technologies is slowly building from audit logs and virus scanners to a more robust capability, this area still remains heavily dependent on highly skilled operators and analysts.
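Intrusion trending as the section describes it, shown on constructed alert records: the same source seen across several enclaves or on several days stands out only when alerts are viewed in relation to one another. This is an added Python illustration, not code from the book or the IATF; the enclave names, addresses, signatures and thresholds are assumptions.

```python
# Added example (not from the book): a minimal "intrusion trending" pass over
# constructed IDS alerts, viewing each alert in relation to the others.
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts: (timestamp, enclave/sensor, source address, signature).
# Enclave names, addresses and signature names are made up for this example.
ALERTS = [
    ("2004-03-01 02:10:00", "hq-dmz",      "198.51.100.7", "SSH brute force"),
    ("2004-03-01 02:14:00", "hq-dmz",      "198.51.100.7", "SSH brute force"),
    ("2004-03-02 03:05:00", "branch-west", "198.51.100.7", "SSH brute force"),
    ("2004-03-03 01:50:00", "branch-east", "198.51.100.7", "Web scanner"),
    ("2004-03-01 09:00:00", "hq-dmz",      "203.0.113.9",  "Web scanner"),
    ("2004-03-02 09:30:00", "hq-dmz",      "203.0.113.9",  "Web scanner"),
    ("2004-03-02 11:00:00", "branch-east", "192.0.2.44",   "Port sweep"),
]

def parse(alert):
    """Turn one alert tuple into (datetime, enclave, source, signature)."""
    ts, enclave, src, sig = alert
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), enclave, src, sig

def trend(alerts, min_enclaves=2, min_days=2):
    """Group alerts by source and flag sources whose activity spans several
    enclaves ("multi-enclave") or several days ("recurring"). Thresholds are
    assumed values; a single alert in isolation cannot reveal either pattern."""
    by_src = defaultdict(lambda: {"enclaves": set(), "days": set(),
                                  "sigs": set(), "count": 0})
    for a in alerts:
        ts, enclave, src, sig = parse(a)
        rec = by_src[src]
        rec["enclaves"].add(enclave)
        rec["days"].add(ts.date())
        rec["sigs"].add(sig)
        rec["count"] += 1
    findings = {}
    for src, rec in by_src.items():
        reasons = []
        if len(rec["enclaves"]) >= min_enclaves:
            reasons.append("multi-enclave")
        if len(rec["days"]) >= min_days:
            reasons.append("recurring")
        if reasons:
            findings[src] = {"reasons": reasons, "count": rec["count"],
                             "sigs": sorted(rec["sigs"])}
    return findings

if __name__ == "__main__":
    for src, finding in trend(ALERTS).items():
        print(src, finding)
```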

Today's information infrastructures are not yet secure enough to provide the full range of services needed to defend against future threats that are anticipated. The Defense-in-Depth strategy provides for a layered approach to the use of IA features in order to realize an effective defense. In the remainder of this book, we will continue to refer to various sections of the IATF to discuss specific IA issues. The reader is encouraged to consult the latest version of the IATF, Version 3.1, released in September 2002, for additional information on the framework.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153