Multi-layered security refers to securing your organization’s data using a variety of security measures. The idea is that if hackers want to access the data, they have to break through multiple layers of security (e.g., physical, administrative, and technical), making it much more difficult to gain access. In a multi-layered security approach, the layers may overlap, but they should never interfere with the functioning of security operations.
A layered architecture sometimes referred to as defense-in-depth, helps protect each touchpoint using tools purposefully built for that touchpoint. For example, a laptop in your organization may have a VPN for securely accessing the company’s resources and antivirus software to continuously scan the laptop for potential malware and other threats. Redundancy is a key aspect of multi-layered security. Data on the laptop may be encrypted and it may be backed up for redundancy and to support multiple recovery points.
Physical — This element involves using physical devices or mechanisms to secure data access touchpoints. Safeguards such as fingerprint scanners on a laptop and mobile, employee cards used to enter or leave the office premises, and CCTV cameras in the server room, belong to this category. For example, employees working from home are using a host of devices to access their organization’s data. In such a scenario, physical elements ensure that access to the device is restricted to the authorized user.
Administrative — The policies and protocols used to secure data form the administrative element of multi-layered security. Good examples are employee cyber security training, using least-privilege access methodology when granting access to a network, building a cyber incident response plan, and so on.
Technical — Perhaps the most important of all elements, the technical part consists of hardware and software used to secure data. Multi-factor authentication, data backup and recovery systems, antivirus, web content filtering, firewalls, antivirus software, and so on form part of the technical element.
In ideal circumstances, a multi-layered security approach is the best way to protect your organization from cyber attacks. However, if not carefully monitored, the benefits of layered security can become its disadvantages.
The cloud has transformed how businesses look at multi-layered security. It brings all the advantages of a multi-layered security approach, minus the operational and financial overhead.
Cloud providers specialize in the storage and transmission of data. Their storage systems comply with several security and compliance standards, such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA. Their systems are regularly audited and they have the best security certifications, such as SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1.
When you adopt and use cloud-based applications or store data in the cloud, you auto-comply with such standards. This reduces the operational and financial overhead that comes with strong data security managed by your company.
However, it’s important to note that protecting the data stored in the cloud is your responsibility. The notion that cloud storage is impervious is incorrect. Most cloud applications and platforms clearly state that you are responsible for securing the data stored in the cloud. After all, if someone gets escalated privileges to a cloud account they can change or delete that data. For example, here’s an excerpt from Microsoft Azure’s shared responsibility in the cloud article²:
“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).”
Even if you are using the cloud, you need other layers of security to ensure that your data is safe.
Security is critical to everything we build at Druva. We bake security into each and every layer of our product. Being a 100% SaaS-based platform helps us leverage the advantages that come with the cloud.
Druva ensures data integrity and availability of data, with air-gapped, immutable backups in object-based storage with built-in, zero-trust security.
Any data backed up with Druva is fully secure and immutable. In fact, we are so confident about the security of data backed up with Druva, that we give customers a $10 million data resiliency guarantee.
Visit the security and trust page of the Druva site to learn more about the key security features. Explore Druva’s ransomware recovery page and Druva’s solutions to improve security posture and observability to learn more. And watch this webinar from our cyber resilience summit for data protection and recovery best practices in the age of ransomware.
¹CSO, “The dark side of layered security,” Published November 2015.
²Microsoft, “Shared responsibility in the cloud,” Published August 2022.