While watching television this evening I noticed a tweet come across twhirl (my Twitter client of choice) from Thomas Ptacek exclaiming that
Defense in depth is one of the great bills of goods the security industry has sold IT.
and that he believes
in any “defense in depth” situation, there’s one defense that’s doing all the work, and the rest are superfluous.
Being a staunch supporter of a properly implemented defense-in-depth approach I couldn’t help but jump in (as did Amrit Williams). Amrit made a very good point:
To say defense in depth isn’t required for an environment that has both fixed and mobile assets is bordering on ridiculous/irresponsible.
That is completely true. Defense in depth, if properly planned and executed, only increases the security of your environment. Also, to be perfectly clear, when I say defense in depth I’m not only referring to a “product” but rather to the combination of the right products, plans, policies, and people to secure the environment.
I then posed a question to Thomas:
Would you say that a sewer system is superfluous because the toilet is doing all of the work? What happens when the toilet overflows?
I agree, perhaps not the best analogy I could have come up with but I shot from the hip on this one (as I often do when using Twitter).
The bottom line is that claiming that defense in depth is superfluous because one defense is doing all the work tells me that the strategy wasn’t planned well.