Defence in Depth: A layered approach to security

9 December 2021

While the creation of the term “Defence in Depth” is not something we at NetSpeed can claim, the adoption of the term most certainly is. Defence in Depth has become the NetSpeed Mantra when it comes to IT Security and indeed forms the foundation for the NetSpeed Security offering.


From Perimeter to Edge and everything in between, at NetSpeed we’re focused on building layers of Security Controls around our clients’ critical resources. These layers are designed to work together and protect the organisation as a whole.

However, the abundance of IT Security vendors and the seemingly never-ending, ever-changing buzzwords and technical jargon often lead to two main questions: “What do I need?” and “What does that mean?”

For an answer to the “What do I need?” question, reach out to one of the NetSpeed team for a chat about our Managed IT Services (yes, a chat, no obligation, no hard sell).

For an answer to the “What does that mean?” question we’ll be taking some of today’s buzzwords and jargon and simplifying them.

Introduction to Authentication

Most of us will have heard the term MFA which stands for Multi Factor Authentication, or perhaps you’ve heard the term 2FA which stands for, yes you guessed it, Two Factor Authentication.

Simply put, a ‘Factor’ of Authentication is a piece of proof a user must provide to show they are who they claim to be. As the name suggests, MFA requires two or more such pieces of proof, and to count as separate factors they must come from different categories (two passwords are still only one factor). These categories are usually defined as ‘Something you know’, ‘Something you have’ and ‘Something you are’. More about these later.

We have all used the traditional username and password combination to access resources such as email, websites, shared folders etc. With this model, the username is you saying who you are (identification) and the password is you providing the piece of proof (the Factor of Authentication). This is what is referred to as ‘Something you know’.

So, what’s wrong with this model? Technically, nothing: it does exactly what it’s supposed to do. The problem is that, on its own, it’s no longer fit for purpose from an IT security standpoint. Passwords and Password Management are a topic in and of themselves, but suffice to say that most of us are not very good at choosing strong, complex passwords. Why? Because they’re hard to remember!

We often choose passwords that are easy to remember and have direct ‘relationships’ with our lives: family members’ names, something on your desk, birthdays, pets’ names. The problem here is that all of these are easy to guess, as the information is more than likely out in the public domain already. We also tend to find a password we like and reuse it across multiple logins, so a password leaked from one site can be tried against every other site we use (attackers do this automatically), and one compromised password leads to multiple exposures.

So why not force the use of complex passwords? Good question. The answer comes back to the age-old struggle of Security versus Convenience. If we make the security so secure that it ‘inconveniences’ us, the end user, we will find ‘workarounds’. A popular workaround is writing the password on a Post-it.

So, let’s assume passwords are no longer enough. What now?

Two Factor Authentication at a glance

So, with 2FA as well as the Password (Something you know), you now must provide an additional piece of proof: the ‘Something you have’. This is an added layer of security and one which most of us probably already use in our daily lives.

Withdrawing money from an ATM you must have your PIN (Something you know) and your bank card (Something you have).

Amazon, Google and Apple also provide 2FA functionality for account login, account changes and purchases among other things. Again, you log in with your username and password (Something you know) and you receive a verification code or approval request on your email or phone (Something you have). Codes delivered by email or SMS are the weakest form of this factor, since they only prove access to a mailbox or a phone number; a code generated by an authenticator app, or a hardware security key, ties the factor to a physical device you hold.

So, based on this additional step, surely 2FA is sufficient? Not quite. Each layer of security is just that, a layer. There is no silver bullet that protects us completely, and as authentication methods evolve, so too does the bad guy’s ability to get around them. 2FA is much better than a password alone, but it still has weaknesses. If the code is sent to your email, a compromised email account hands it straight to the attacker. A fake login page can ask for the code along with the password and pass both on to the real site while the code is still valid. Your phone or device may be lost or stolen, and a user bombarded with approval prompts may eventually tap ‘Approve’ just to make them stop. The list of other potential issues goes on!
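As an added example (not code from the original post), here is the check that sits behind the six-digit ‘verification code’ an authenticator app shows: a time-based one-time password as specified in RFC 6238, built on the HMAC-based HOTP of RFC 4226. The secret and timestamps are the published RFC test values, not anything belonging to NetSpeed or any real account. The server-side verifier also remembers the last code it accepted, so a code that has been intercepted cannot be replayed once it has been used, which addresses one of the weaknesses mentioned above.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Shared secret as enrolled in an authenticator app (base32). This is the
# RFC 4226/6238 test-vector secret "12345678901234567890", not a real key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # how long each code is valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. This is what the
    phone computes; the server computes the same value to compare against."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_accepted: Optional[int], window: int = 1,
                step: int = STEP_SECONDS) -> Tuple[bool, Optional[int]]:
    """Server-side check. Accepts the code for the current 30-second step and
    +/- `window` neighbouring steps, to tolerate clock drift on the phone.
    Returns (accepted, new_last_accepted).

    `last_accepted` is the highest counter already used by this user. Any code
    from that step or earlier is refused, so an intercepted code cannot be
    replayed after it has been used once (by the user or by the attacker)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        # Constant-time comparison: do not leak which digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if last_accepted is not None and counter <= last_accepted:
                return False, last_accepted       # replayed code: reject
            return True, counter
    return False, last_accepted


if __name__ == "__main__":
    t = 59                                  # RFC 6238 test timestamp
    code = totp(RFC_TEST_SECRET_B32, t)     # "287082" (RFC value 94287082, 6 digits)
    print("code at t=59:", code)
    ok, last = verify_totp(RFC_TEST_SECRET_B32, code, t, None)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(RFC_TEST_SECRET_B32, code, t + 5, last)
    print("same code replayed:", ok_again)  # False
```

The drift window is deliberately small: every extra step you accept widens the time an attacker has to use a phished code. Note that none of this stops the real-time relay attack described above, where the attacker submits the code while it is still fresh; only a factor bound to the site, such as a hardware security key, closes that gap.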

MFA: An extra layer of defence

Strictly speaking, MFA means two or more factors, so 2FA is already a form of MFA. In practice, though, the term is used for the stronger set-ups that go beyond a password plus a code: adding the third category, ‘Something you are’, and checking the context of the request. ‘Something you are’ is a biometric, a physical trait designed to uniquely identify the person (not the device) requesting access.

While most of us are familiar with this concept in our personal lives, using fingerprint or facial recognition to access our smartphones, how does this translate to business? Does my boss now need a copy of my fingerprint? Do I need to have my face in a database? While this might be a valid security measure, the answer in most cases is no. (Even when your phone’s fingerprint or face unlock is used to approve a work login, the biometric never leaves the phone; it only unlocks a key stored on the device.)

In business, the extra layer is usually contextual rather than biometric: the security system looks at which device is sending the request, what time it is sending it and where it is being sent from. Strictly, these are not ‘Something you are’ factors. A known company device is closer to ‘Something you have’, and time and place are conditions rather than proof of identity, which is why vendors call this conditional access or risk-based authentication. One or all of these conditions, and indeed additional ones we won’t go into now, form a ‘fingerprint’ of a normal login for that user.

For example, let’s say that the following three conditions form the fingerprint:

  • Joe is provided with a company laptop that has a particular unique identifier, and
  • Joe needs to log in to an application during working hours, and
  • Joe needs to log in from a particular location, let’s say Dublin

Once Joe has passed the ‘Something you know’ and ‘Something you have’ tests, the fingerprint is examined, and Joe is only admitted if it meets the rest of the requirements too. If Joe is logging in at a different time or from a different location, the security system can be configured to block the request or to restrict access, for example by asking for a fresh approval on the enrolled laptop. A sensible policy also fails closed: a condition that cannot be checked (an unrecognised device, a location that cannot be determined) counts as a failed check, not a pass.
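The policy just described, written out as a small conditional-access evaluator. This is an added example, not code from NetSpeed or from any particular product: the user name, the laptop identifier, the country code and the working hours are hypothetical values chosen to match the three conditions above, and the input is assumed to have already passed the password and second-factor checks. It distinguishes ‘block’ from ‘step_up’ (ask for a fresh approval) and treats every missing signal as a failure.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class SignIn:
    """Context of a request that has already passed the password and
    second-factor checks."""
    user: str
    device_id: Optional[str]   # identifier of the enrolled laptop, None if unknown
    country: Optional[str]     # resolved from the source IP, None if it could not be
    at: datetime               # user's local time


@dataclass(frozen=True)
class Policy:
    devices: Set[str]          # company devices enrolled for this user
    countries: Set[str]        # locations the user is expected to work from
    hours: Tuple[time, time]   # working hours, inclusive


# Hypothetical policy for Joe: one enrolled laptop (made-up asset identifier),
# Ireland (Dublin), 08:00 to 18:00.
POLICIES: Dict[str, Policy] = {
    "joe": Policy(devices={"NSP-LAPTOP-0042"}, countries={"IE"},
                  hours=(time(8, 0), time(18, 0))),
}


def request(user: str, device_id: Optional[str], country: Optional[str],
            when: str) -> SignIn:
    """Build a SignIn from a 'YYYY-MM-DD HH:MM' local timestamp."""
    return SignIn(user, device_id, country, datetime.strptime(when, "%Y-%m-%d %H:%M"))


def evaluate(signin: SignIn, policies: Dict[str, Policy] = POLICIES) -> Tuple[str, str]:
    """Return (decision, reason). Decisions: 'allow', 'step_up' (require a fresh
    approval on the enrolled device) or 'block'. Anything not explicitly
    permitted is refused, and a signal that is missing counts as a failed check."""
    policy = policies.get(signin.user)
    if policy is None:
        return "block", "no policy for user"
    if signin.device_id is None:
        return "block", "device could not be identified"
    if signin.device_id not in policy.devices:
        return "block", "unenrolled device"
    if signin.country is None:
        return "block", "location could not be determined"
    if signin.country not in policy.countries:
        return "block", "unexpected location " + signin.country
    start, end = policy.hours
    if not (start <= signin.at.time() <= end):
        return "step_up", "outside working hours"
    return "allow", "all conditions met"


if __name__ == "__main__":
    cases = [
        request("joe", "NSP-LAPTOP-0042", "IE", "2021-12-09 10:30"),  # normal day
        request("joe", "NSP-LAPTOP-0042", "IE", "2021-12-09 23:15"),  # late night
        request("joe", "NSP-LAPTOP-0042", "US", "2021-12-09 10:30"),  # wrong country
        request("joe", None, "IE", "2021-12-09 10:30"),               # unknown device
        request("joe", "NSP-LAPTOP-0042", None, "2021-12-09 10:30"),  # no geolocation
    ]
    for c in cases:
        print(c.device_id, c.country, c.at.strftime("%H:%M"), "->", evaluate(c))
```

The value of this check depends entirely on where `device_id` comes from. If it is a string the client reports about itself, an attacker on a stolen password simply reports the same string; in real deployments the identity of the laptop is proven by a certificate or a managed-device enrolment that the client cannot forge. The ordering matters too: the cheap, hard-to-spoof conditions (device, location) are evaluated first, and only a login that satisfies them is offered the softer ‘step up’ path.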

While this contextual layer adds real security, it is usually built so that it is invisible to the user: a login from the usual laptop, at the usual time, from the usual place just works. As a result, it doesn’t have us looking for the workarounds mentioned earlier.

Protect your business & secure the future

So, do you need MFA in your organisation? The short answer is yes. Financial and reputational damage suffered as part of a security breach can be devastating and often extremely difficult to recover from. Organisations owe it to their staff and customers to ensure they have made every effort to secure their data.

MFA is one of the most effective single controls against the credential-based attacks (password reuse, phishing and password guessing) behind a large share of breaches, and it should be treated as a key component of a Defence in Depth IT strategy for all organisations regardless of size.

Reach out to learn how NetSpeed’s Managed IT Services can deploy and manage an MFA solution that can help secure your business.
