Last week I was down at Pace University in New York City where I gave the opening keynote talk for a high school computer forensics competition. I had a very attentive audience for my talk, but I also really enjoyed seeing and hearing the presentations the students did for the competition. There was clearly a lot of work and a lot of learning going on. One of the things I talked about in my talk, which was generally about defensive actions to protect software in general and operating systems in particular, was Defense in Depth. I only spent a short time on it, but it was clear to me that I could have spent a lot more time on it. As regular readers know, I believe that students in computer science should start learning about security early.

Just by coincidence, this week, I received the regular security newsletter that Microsoft sends out and there was a reference to an article by Kai Axford, a Senior Security Strategist with the Microsoft Trustworthy Computing Group, on this very topic. In this article Kai talks about Seven Layers of defense in depth:

  • Layer 1: Policies, Procedures, and Awareness (All Bark and No Bite)
  • Layer 2: Physical Security (Gates, Guards, and Guns)
  • Layer 3: Perimeter Security (Living on the Edge)
  • Layer 4: Network Security (Protecting Your House)
  • Layer 5: Host Security (Save the Box, Save the Network)
  • Layer 6: Application Security (If You Build It…Securely, They Won't Come)
  • Layer 7: Data Security (If Your Terabyte Falls in the Middle of the Active Directory Forest…)

It’s not a long article but there is a lot of good information and a good start to a serious discussion about software as part of a complete system and what it means to keep things safe. And if you want more, you can find Kai’s highly rated on-demand videos here.