August 8, 2018 by Siobhan Climer
“Ogres are like onions,” Shrek proclaims in the 2001 computer-animated children’s comedy film of the same name.
How so, you might ask?
“Layers! Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers”.
But bad-tempered ogres aren’t the only ones that have a lot in common with onions. Parfait, 7-layer dip, and data security all share an affinity for layers.
Today, instead of onions or ogres, we’re peeling back data security layers to better understand how to create, maintain, monitor, and expand a strategic data security strategy.
The Three Main Data Security Layers
The onion metaphor is not new. Most cybersecurity courses teach a layered security model. This strategy of examining data security layers and defense is sometimes called defense-in-depth. The three main control areas are: physical, technical, and administrative.
Physical controls are often an afterthought. These are the defense mechanisms used to provide physical protection: fences, guards, CCTV systems, and door locks. Physical security has become more challenging; the rise of BYOD (bring-your-own-device) policies and remote work has increased both the number of devices that store critical data and the places those devices go. Given the rise of digital transformation, many organizations focus on technological countermeasures; unfortunately, physical security is often disregarded, despite its importance.
Sometimes referred to as TechSec, technical security controls are the tools and techniques used to secure data through authentication. Of the three main data security layers, it is this one that provides security to the contents of a system. So, if someone steals an employee laptop, these are the controls you have in place so that the thief does not gain access to your entire system. Encryption, access controls, regular patching, biometric scanners, and Windows Active Directory are examples of technical controls.
In every field there are best practices, and administrative controls implement these best practices in the form of policies or protocols that typically work to protect against the most severe threat: human error. Most data security breaches are the result of people, due to either intentional maliciousness or just plain ignorance. Hiring practices, risk management assessments, data handling procedures, and security requirements are examples of administrative controls.
Is a biometric eye scanner at a door entrance a physical or technical control? If you are required to wear an ID on your lanyard, and that card is stolen and used to access the network, is that a failure of administrative or physical controls? As you can see, it isn’t always simple to break down security into layers.
That is why some researchers peel the layers a little differently. Instead of looking at control elements, let’s take a moment to examine threat elements. This approach views data security layers from the perspective of threats. There are six:
As you can see, many of these fall under the components of control layers; however, by looking at security in this manner, you can begin to focus in on particular threats that may affect your business more than others. This is especially beneficial to chief information officers (CIOs), who are charged with managing the technology strategy within the business.
Everybody Likes Parfait
And there are still other methods. Instead of threats or control areas, some security experts focus on the critical information to be protected and build a strategy from there. This way of examining data security layers is slightly different because it not only breaks up security strategy development into three main categories (objective(s), layers, and strategies), but it then breaks down the layer element into different TechSec control areas. This hybrid layered security model is effective for those tasked with strategic operational development.
Layer 1: Data Security
Layer 2: Application Security
Layer 3: Endpoint Security
Layer 4: Network Security
Layer 5: Perimeter Security
Strategy 1: Proactive Policy Management
Strategy 2: Reactive Monitoring and Response
The Ogre Problem: A Missing Piece
There’s more than one way to dice an onion. Data security layers are important to understand, but they do not capture the whole picture. Part of creating a secure system is developing a data security strategy. Breaking your security infrastructure into manageable pieces is just the first step in identifying what needs to be protected. Then, you need to determine the tools you will use to protect those data security layers, whether it’s a firewall, fingerprint scanners, or a locked door. Finally, you need to develop a strategy that denotes responsibility. Performing an infrastructure optimization roadmap is one way to strategically complete this task.
We started out by stating we wanted to better understand how to create, maintain, monitor, and expand a strategic data security strategy. Data security layers are the foundation on which one performs these tasks. Knowing the layers alone isn’t enough. As you can see, the number and definition of each layer varies from model to model.
Backups, Disaster Recovery, And Data Security Plans
Start with a data security policy that comprehensively ensures each of the layers of your security network is secure. Then, create a data backup policy and disaster recovery strategy so that if the worst happens, you are prepared. 60% of businesses without a disaster recovery plan go bankrupt within 6 months of a disaster event. Don’t be one of them.
You have data you need to protect. There are lots of ways for data to get out, and there are lots of ways for threats to get in. You are responsible for finding the right expertise to protect each of those components. For many businesses, an expert partner that can create, implement, and maintain a data security strategic policy is the next step. It’s important to find the right tools – and sometimes those tools are people or experts – to support the operational security of your business.
The missing piece could easily be a managed service provider, like Mindsight. We’re not ogres, just smart people with an honest desire to help you develop a comprehensive IT strategy that protects your business and the data that keeps it running.
Mindsight, a Chicago IT consultancy and services provider, offers thoughtfully-crafted and thoroughly-vetted perspectives to our clients’ toughest technology challenges. Our recommendations come from our experienced and talented team of highly certified engineers, and are based on a solid understanding of our clients’ unique business and technology challenges.
About The Author
Siobhan Climer, Mindsight’s Staff Technology Writer, writes about technology trends in education, healthcare, and business. She previously taught STEM education programs in the classroom and at The New England Aquarium in Boston, MA. Siobhan writes extensively about disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. Find her on twitter @techtalksio.