Multi-layered security

Multi-layered security definition

Securing your organization’s data using multiple security measures is called a multi-layered security approach. The idea is that if hackers want to access the data, they have to break through multiple layers of security (e.g., physical, administrative, and technical), making it much more difficult to gain access. In a multi-layered security approach, the layers may overlap, but they should never interfere with the functioning of security operations.

Why use a layered architecture?

A layered architecture sometimes referred to as defense-in-depth, helps protect each touchpoint using tools purposefully built for that touchpoint. For example, a laptop in your organization may have a VPN for securely accessing the company’s resources and antivirus software to continuously scan the laptop for potential malware and other threats. Redundancy is a key aspect of multi-layered security. Data on the laptop may be encrypted and it may be backed up for redundancy and to support multiple recovery points.

What are the 3 elements of multi-layered security?

Physical — This element involves using physical devices or mechanisms to secure data access touchpoints. Safeguards such as fingerprint scanners on a laptop and mobile, employee cards used to enter or leave the office premises, and CCTV cameras in the server room, belong to this category. For example, employees working from home are using a host of devices to access their organization’s data. In such a scenario, physical elements ensure that access to the device is restricted to the authorized user. 

Administrative — The policies and protocols used to secure data form the administrative element of multi-layered security. Good examples are employee cyber security training, using least-privilege access methodology when granting access to a network, building a cyber incident response plan, and so on. 

Technical — Perhaps the most important of all elements, the technical part consists of hardware and software used to secure data. Multi-factor authentication, data backup and recovery systems, antivirus, web content filtering, firewalls, antivirus software, and so on form part of the technical element.

Are there disadvantages to multi-layered security?

In ideal circumstances, a multi-layered security approach is the best way to protect your organization from cyber attacks. However, if not carefully monitored, the benefits of layered security can become its disadvantages.

  • Complexity — The most common problem with a layered approach is complexity. In an attempt to make things more secure, organizations often deploy a plethora of security tools. Jason Brvenik, principal engineer in the Cisco Security Business Group, mentions that he’s seen organizations using 80 different technologies in between layers¹. This leads to overspending, operational challenges, and tools interfering with each other, creating security gaps. 
  • Trying to stay relevant — Potential customers often demand adherence to new security protocols and processes. Such requirements make an organization invest in security technologies to close the deal without considering long-term impact. Often, such short-term decisions are forgotten about. Later, it becomes difficult to accommodate such tools in the entire security stack that a company uses.
  • Integrations — Tighter integration between layers helps information pass seamlessly from one layer to the next. This ensures that layers have more than sufficient information to improve their defense. However, this is easier said than done. Not all tools use the same data taxonomy. Infosec teams have to deal with multiple kinds of information, making extracting meaningful insights from the data difficult. A lot of manual effort is wasted in integrating security tools with one another.

Cloud and multi-layered security

The cloud has transformed how businesses look at multi-layered security. It brings all the advantages of a multi-layered security approach, minus the operational and financial overhead. 

Cloud providers specialize in the storage and transmission of data. Their storage systems comply with several security and compliance standards, such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA. Their systems are regularly audited and they have the best security certifications, such as SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1.

When you adopt and use cloud-based applications or store data in the cloud, you auto-comply with such standards. This reduces the operational and financial overhead that comes with strong data security managed by your company. 

However, it’s important to note that protecting the data stored in the cloud is your responsibility. The notion that cloud storage is impervious is incorrect. Most cloud applications and platforms clearly state that you are responsible for securing the data stored in the cloud. After all, if someone gets escalated privileges to a cloud account they can change or delete that data. For example, here’s an excerpt from Microsoft Azure’s shared responsibility in the cloud article²: 

Quote:

For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).

Even if you are using the cloud, you need other layers of security to ensure that your data is safe. 

Multi-layered security with Druva

Security is critical to everything we build at Druva. We bake security into each and every layer of our product. Being a 100% SaaS-based platform helps us leverage the advantages that come with the cloud. 

Druva ensures data integrity and availability of data, with air-gapped, immutable backups in object-based storage with built-in, zero-trust security

Any data backed up with Druva is fully secure and immutable. In fact, we are so confident about the security of data backed up with Druva, that we give customers a $10 million data resiliency guarantee

Visit the security and trust page of the Druva site to learn more about the key security features. Explore Druva’s ransomware recovery page and Druva’s solutions to improve security posture and observability to learn more. And watch this webinar from our cyber resilience summit for data protection and recovery best practices in the age of ransomware.

¹CSO, “The dark side of layered security,” Published November 2015.

²Microsoft, “Shared responsibility in the cloud,” Published August 2022.