Defense-in-depth in practice

A long portion of my career in information security was spent as a security consultant. I would come into an engagement, analyze either data or an architecture, and provide the client with recommendations on improvements they could make to their security posture. Maybe 9 times out of 10 I would end up repeating a mantra that anyone in our field knows:

"Security is about defense in depth." Translated into non-consultant speak, that sentence means that good security has layers upon layers of provisions against attack, with each layer assuming that the layer outside it can and will be breached. An example of defense in depth in the physical world is the structure of your local bank. Money and valuables are protected first by a set of locked doors, then by a security guard, then by the vault door. Each of these measures assumes that the measure before it has already failed, and each one tries to slow an attacker down until help arrives.

In the electronic world, this principle translates into a data-centric view of security. Rather than asking how to better protect an e-mail account, ask how to protect the e-mail itself. Working from the outside in, that means blacklists of IP addresses whose previous behavior shows they could threaten the account. Behind the blacklists come strong passwords and two-factor authentication. Individual critical messages should then be protected by cryptography, so that a compromised account does not automatically expose their contents. Finally, any e-mail that does not need to be at your fingertips should be taken offline, where no online compromise can reach it.
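As an added illustration of the layered e-mail defenses just described (example code written for this page, not the author's own), here is a small Python model in which every layer is checked on its own and access requires all of them to hold. It covers the IP blacklist, password plus TOTP second factor, and the offline archive; per-message encryption is left out so the block runs on the standard library alone. The blacklisted range, the salt and password, the RFC 6238 reference TOTP secret and the sample messages are all constructed demo values.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# --- Constructed demo data (not real infrastructure) --------------------------
# Blacklist: a range seen attacking this account before (TEST-NET-3, RFC 5737).
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Password at rest: PBKDF2-HMAC-SHA256 over a fixed demo salt and demo password.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", DEMO_SALT, 200_000)
# TOTP seed: the RFC 4226 / RFC 6238 reference secret, so the codes can be checked.
DEMO_TOTP_SECRET = b"12345678901234567890"
SECONDS_PER_DAY = 86_400


def layer_ip_allowed(ip: str) -> bool:
    """Outermost layer: refuse blacklisted addresses before any secret is examined."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BLOCKLIST)


def layer_password_ok(password: str) -> bool:
    """Second layer: constant-time comparison of the PBKDF2 hash of the given password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 200_000)
    return hmac.compare_digest(candidate, DEMO_PASSWORD_HASH)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def layer_totp_ok(code: str, now: int, step: int = 30) -> bool:
    """Third layer: accept the current step and one step either side to absorb clock skew."""
    return any(hmac.compare_digest(code.encode(), totp(DEMO_TOTP_SECRET, now + d * step).encode())
               for d in (-1, 0, 1))


def authenticate(ip: str, password: str, code: str, now: int) -> dict:
    """Evaluate every layer and fail closed: access only if all of them pass.

    Each verdict is recorded separately instead of short-circuiting, so the log
    shows which layer stopped an attacker who had already got past the earlier ones."""
    layers = {
        "ip_blocklist": layer_ip_allowed(ip),
        "password": layer_password_ok(password),
        "totp": layer_totp_ok(code, now),
    }
    return {"granted": all(layers.values()), "layers": layers}


@dataclass(frozen=True)
class Message:
    subject: str
    received: int  # epoch seconds
    body: str


def partition_mailbox(messages, now: int, online_days: int = 90):
    """Innermost layer: anything older than online_days leaves the online store entirely,
    so a fully compromised account exposes only recent mail, not the whole history."""
    cutoff = now - online_days * SECONDS_PER_DAY
    online = [m for m in messages if m.received >= cutoff]
    offline = [m for m in messages if m.received < cutoff]
    return online, offline


if __name__ == "__main__":
    # Walkthrough: stolen password from an unlisted IP, no second factor.
    # The outer two layers pass; the TOTP layer, assuming they were beaten, still denies.
    print(authenticate("198.51.100.7", "correct horse battery staple", "000000", now=59))
```

The walkthrough in the block is the case the paragraph is about: the blacklist is bypassed by a fresh address and the password has leaked, yet the request is refused because the next layer never assumed the earlier ones would hold.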

This is how information security is practiced. It sounds burdensome because it is burdensome. Fortunately, most of the information that floats around does not need this level of protection. Practitioners reserve it for the information whose leak would be devastating, and that is how they keep the risk of such a leak low.