Which of the following statements are true about defense-in-depth strategy?
A. It saves money by allowing organizations to remove costly perimeter security infrastructure.
B. It is a strategy designed to win the battle by attrition. It consists of multiple security measures at various levels as opposed to a single barrier.
C. It includes security measures for the network, the operating system, the application, and data.
D. Due to network overhead issues, it should not be used in a distributed computing environment such as SOA or cloud computing.
E. It is a good strategy to protect an organization from insider threats.
Explanation:
Defense in depth is a security strategy in which multiple, independent, and mutually
reinforcing security controls are leveraged to secure an IT environment.
The basic premise is that a combination of mechanisms, procedures and policies at different
layers within a system is harder to bypass than a single or small number of security
mechanisms. An attacker may penetrate the outer layers but will be stopped before
reaching the target, which is usually the data or content stored in the ‘innermost’
layers of the environment. Defense in depth is also adopted from military defense
strategy, where the enemy is defeated by attrition as it battles its way against several
layers of defense.
Defense in depth should be applied so that a combination of firewalls, intrusion detection and prevention, user management, authentication, authorization, and
encryption mechanisms are employed across tiers and network zones.
The strategy also includes protection of data persisted in the form of backups and
transportable/mobile devices. Defense in depth should take into account OS and VM
hardening as well as configuration control as means of preventing attackers from
thwarting the system by entering via the OS or by tampering with application files.
Reference: Oracle Reference Architecture, Security, Release 3.1