Crossbow Labs


The Castle Approach

Defense in depth broadly holds that security controls need to be deployed at every layer of the OSI model, so that a vulnerability that gets past the controls in one layer does not carry over into the other layers.

Well, understanding the above sentence depends largely on how well one understands the ISO OSI model. Further reading on this can be found at en.wikipedia.org/wiki/OSI_model

Implementation of Defense in Depth, like many other “brush your teeth” theories, has been neglected by industry experts worldwide, whereas a thorough understanding of it makes the implementation of information security controls very effective. The depth of understanding that Defense in Depth demands with respect to the OSI stack is astounding.

One of the most exciting arguments during customer engagements has always been why an IPS implementation would be required when there is already a firewall. Many of the same people still apply a screen protector to their octa-core phone, which already has military-grade scratch-resistant glass of the kind you might find on a 777 jetliner. And when were two processor cores ever enough?

An interesting comparison can be drawn from the Tenth Man theory, which is highlighted in a movie – World War Z.

For every unanimous decision taken by nine people on national security policy, the tenth man is required to disagree and prepare for the eventuality that might occur. The film goes on to show how Israel adopted this technique to fend off zombies by building a wall, and was able to hold out against an invasion while other countries were entirely overrun.

The best part comes next: the zombies climb the wall and breach the city.

Defense in Depth is founded on the fundamental assumption that any security control deployed can be breached. This calls for distinct security controls to be deployed at each layer of the ISO OSI model.

A vulnerability that an IPS is intended to address, a firewall will not. An application needs security built in through code review and security test cases; deploying a WAF alone may not be a compensating or a more powerful control. Thus it turns out we will have to deploy relevant controls at each layer of the ISO OSI model.
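As an added illustration of that point (example code written for this page, not Crossbow Labs' own), the snippet below stacks three independent controls in front of a user lookup: a perimeter signature filter standing in for a WAF, strict input validation in the application, and a parameterised query at the data-access layer. The `layers` argument lets you switch controls off to simulate one of them being breached, which shows what each remaining layer still catches; the vulnerable string-concatenated query is kept only as the "before" form. The in-memory SQLite table, the signature list and the username format are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Layer 1, perimeter (WAF-style): a small, constructed signature list.
# Useful, but like the wall in the film it only stops what it was written to recognise.
SIGNATURES = [
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),   # "OR 1=1" style tautology
    re.compile(r"--"),                          # SQL line comment
    re.compile(r";"),                           # statement separator
]

def waf_allows(value):
    return not any(sig.search(value) for sig in SIGNATURES)

# Layer 2, application: positive validation. A username has a known shape,
# so anything outside that shape is rejected regardless of what it "looks like".
USERNAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def app_validates(value):
    return USERNAME.fullmatch(value) is not None

# Layer 3, data access: parameterised query. The value is bound as data,
# so it is never parsed as SQL no matter what the upper layers let through.
def lookup_role(conn, name):
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

# The vulnerable "before" form that a WAF is often bought to compensate for:
# the input is spliced into the statement text.
def lookup_role_unsafe(conn, name):
    row = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None

def handle(conn, name, layers=("waf", "app", "dao")):
    """Run one request through the enabled layers; returns (verdict, result).

    Removing an entry from `layers` simulates that control being breached.
    """
    if "waf" in layers and not waf_allows(name):
        return ("blocked:waf", None)
    if "app" in layers and not app_validates(name):
        return ("blocked:app", None)
    query = lookup_role if "dao" in layers else lookup_role_unsafe
    try:
        return ("ok", query(conn, name))
    except sqlite3.Error:
        # The unsafe query lets malformed input reach the SQL parser.
        return ("error:sql", None)

if __name__ == "__main__":
    db = make_db()
    for request, enabled in [
        ("alice", ("waf", "app", "dao")),
        ("alice' OR 1=1", ("waf", "app", "dao")),   # stopped at the perimeter
        ("alice' OR 1=1", ("app", "dao")),          # perimeter gone: app layer still holds
        ("alice'", ("waf", "app", "dao")),          # signatures miss a stray quote; app layer catches it
        ("alice'", ("dao",)),                       # only the data layer left: still not parsed as SQL
        ("alice'", ()),                             # no controls: the input reaches the SQL parser
    ]:
        print(f"{request!r:20} layers={enabled!s:22} -> {handle(db, request, enabled)}")
```

The run shows the article's point in miniature: the signature filter blocks the pattern it was written for and nothing else, the application-layer validation blocks everything that is not a well-formed username, and the parameterised query neutralises the whole class at the layer where the vulnerability actually lives. Each control is worth having, but none of them is a substitute for the others.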

Working the mapping from both ends, from the OSI layers down to the controls and from the controls back up to the layers, would be one of the best ways for teams to bridge the relation between the OSI model and information security controls. The common ground to identify is the set of protocols and device implementations, as categorized by the OSI model.

Every layer can be addressed with respect to the protocols and implementations assigned to it, and an associated secure alternative can be defined.

The higher layers of the OSI stack already receive a great deal of attention, which leads many information security controls to focus on them. In certain cases there can be security controls specifically designed to address vulnerabilities in more than one layer of the OSI model.