Friday, May 11, 2007

Access Control in a Layered Environment

No single access control mechanism is ever deployed on its own. In fact, combining various types of access controls is the only means by which a reasonably secure environment can be developed. Often multiple layers or levels of access controls are deployed to provide layered security or defense in depth. This idea is described by the notion of concentric circles of protection, which puts forth the concept of surrounding your assets and resources with logical circles of security protection. Thus, intruders or attackers would need to overcome multiple layers of defenses to reach the protected assets. Layered security or defense in depth is considered a more logical approach to security than a traditional fortress mentality. In a fortress-mentality security approach, a single giant master wall is built around the assets, like the massive rock walls of a castle fortress. The major flaw in such an approach is that massive structures often have minor weaknesses and flaws; are difficult, if not impossible, to reconfigure, adjust, or move; and are easily seen and avoided by would-be attackers (i.e., they find easier ways into the protected area).

In a layered security or concentric circles of protection deployment, your assets are surrounded by a layer of protection provided by administrative access controls, which in turn is surrounded by a layer of protection consisting of logical or technical access controls, which is finally surrounded by a layer of protection that includes physical access controls. This concept of defense in depth highlights two important points. First, the security policy of an organization ultimately provides the first, or innermost, layer of defense for your assets. Without a security policy, there is no real security that can be trusted. Security policies are one element of administrative access controls. Second, people are your last line of defense. People, or personnel, are the other focus of administrative access control. Only with proper training and education will your personnel be able to implement, comply with, and support the security elements defined in your security policy.
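The three concentric layers described above can be modelled as a chain of independent checks that a request must pass in order, outermost first. The following Python sketch is an added example, not code from the original post: the layer functions, the `Request` fields, and the location, role and training data are all constructed for illustration. It shows the two properties the post argues for: a request is denied as soon as any one layer denies it, and a layer that fails (raises) fails closed rather than silently letting the request through.

```python
"""Layered (defense-in-depth) access-control evaluator.

Added example, not part of the original post. Models the physical,
logical/technical and administrative layers as independent checks that a
request must pass in order; any denial stops the request. All names,
fields and sample policy data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    location: str        # physical origin of the request (constructed)
    authenticated: bool  # did the technical layer authenticate the user?
    role: str
    resource: str
    trained: bool        # completed the training the security policy requires


# A layer returns (allowed, reason). Reasons form the audit trail.
Layer = Callable[[Request], Tuple[bool, str]]

# Constructed policy data for each layer.
ALLOWED_LOCATIONS = {"hq-datacenter", "hq-office"}                   # physical
ROLE_PERMISSIONS = {"dba": {"customer-db"}, "analyst": {"reports"}}  # technical
TRAINING_REQUIRED_FOR = {"customer-db"}                               # administrative


def physical_layer(req: Request) -> Tuple[bool, str]:
    """Outermost circle: is the request coming from a controlled location?"""
    if req.location in ALLOWED_LOCATIONS:
        return True, "physical: origin permitted"
    return False, f"physical: origin {req.location!r} not permitted"


def technical_layer(req: Request) -> Tuple[bool, str]:
    """Middle circle: authentication plus role-based authorisation."""
    if not req.authenticated:
        return False, "technical: not authenticated"
    if req.resource in ROLE_PERMISSIONS.get(req.role, set()):
        return True, "technical: role authorised"
    return False, f"technical: role {req.role!r} lacks {req.resource!r}"


def administrative_layer(req: Request) -> Tuple[bool, str]:
    """Innermost circle: does the request satisfy the written policy?"""
    if req.resource in TRAINING_REQUIRED_FOR and not req.trained:
        return False, "administrative: policy training not completed"
    return True, "administrative: policy satisfied"


LAYERS: List[Layer] = [physical_layer, technical_layer, administrative_layer]


def evaluate(req: Request, layers: List[Layer] = LAYERS) -> Tuple[bool, List[str]]:
    """Run the layers outermost-first; stop at the first denial.

    Returns (allowed, trail). A layer that raises is treated as a denial
    (fail closed) so a broken control never becomes an open door.
    """
    trail: List[str] = []
    for layer in layers:
        try:
            ok, reason = layer(req)
        except Exception as exc:
            ok, reason = False, f"{layer.__name__}: error, failing closed ({exc!r})"
        trail.append(reason)
        if not ok:
            return False, trail
    return True, trail


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("alice", "hq-datacenter", True, "dba", "customer-db", True),
        Request("alice", "home", True, "dba", "customer-db", True),
        Request("bob", "hq-office", True, "dba", "customer-db", False),
        Request("carol", "hq-office", True, "analyst", "customer-db", True),
    ]
    for s in samples:
        allowed, trail = evaluate(s)
        print(s.user, "ALLOW" if allowed else "DENY", "|", " -> ".join(trail))
```

Passing a shorter `layers` list to `evaluate` models the fortress mentality the post criticises: with only one layer in place, a request that the missing layer would have caught is judged solely by what remains, which is exactly why each circle must hold on its own.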