The onion theory of data security layers

Computer security is like a cake. No, a parfait. No, it is definitely like an onion – a plain, rather boring-looking vegetable. But that’s just an illusion.

Just as an onion is nothing special from the outside, a good security system doesn’t look like much. But once you bite into it, you sink your teeth into layers upon layers of stinging flavor while tears run down your cheeks.

Properly securing your business or home computer network should not be an ogre, then. That is, if you employ effective data security layers and cover all your bases by creating a protective onion.

The idea behind layered security

When you’re trying to protect something delicate – like data, for example – relying on just one single security method is irresponsible, to say the least. Putting up simple defenses means that once hackers get past them, your data will be completely exposed.

The solution is to create a security onion – a shield of defensive layers that support each other. If one fails, the next one is there to jump in and back it up, and so on and so forth. The more layers there are, the safer the system.

Layered security is also called defense in depth or the castle approach. Medieval castles were pretty much a physical prototype for data security, with moats, gates, walls, and archer towers providing different kinds of protection against invaders and attacks of all kinds. Modern data security uses the same principles.

The layered approach was originally put into practice by the National Security Agency, while the term “defense in depth strategy” was coined by the US military. This strategy involves prolonging defeat while the defender prepares a counter-attack. So, while this has a different approach, the ultimate goal is the same.

Main security layers

There are three main data security layers to consider:

Physical defense

A nice house should have a fence, and maybe even a guard dog to bark at intruders. The same thing goes for data protection.

Let’s say you’re in charge of securing your company’s server. Of course, you’ll keep it under lock and key, closed off in a room with as few access points as possible. You’ll probably install a CCTV camera, or two. Some companies introduce ID cards as an additional precaution. Even security officers roaming around the building are considered physical aspects of your layered defense.

For larger companies with international offices, keeping track of inventory is also a form of physical security. Monitoring every piece of hardware can save your business from getting compromised. Forbidding employees from connecting their personal USB devices to company computers might sound harsh, but that also ties into the second part of our security onion.

Human factor

We can’t really talk about multi-layered network security without mentioning Dave. Dave can be anyone in your company. There’s nothing wrong with Dave, really. He’s a hard worker. He always arrives on time and he’s great company during lunch breaks. But sometimes Dave clicks on the shiny banners on websites, or opens an email informing him that he won a million dollars. Dave is, you guessed it – a human error.

Accounting for the human factor is often the most difficult task when it comes to data protection. An incredibly high number of data breaches are caused by human error. Therefore, properly educating staff about risks when dealing with sensitive data, and hiring a risk-assessment team and other experts in the field, greatly increase the overall security of your company. These administrative controls, along with detailed policies and tests, keep everything in tip-top shape.

Technical security controls

TechSec is pretty much everything that goes “under the hood” of your computer system: all the additional methods of protecting your data from malicious use. There are several methods and sub-layers from a technical standpoint, but for the sake of brevity we’ll bundle them all under this category. They are all equally important and should be used in conjunction with each other.

First and foremost, we need a secure network. We don’t want intruders barging in through the data stream, so we install firewalls and Virtual Private Networks. Virtual Machines are also becoming popular, especially among system admins when testing new protocols. Data packets themselves are another network security risk, so monitoring software is highly recommended for complete network protection.

Software is the next layer of technical security. We’ll say it again and again – install antivirus software on your system! Even the “basic” protection provided by Windows Defender is better than nothing. Malware comes in many different shapes and forms. Some are able to destroy computer systems from the inside, while others can even lock you out of your computer until you pay a hefty sum to the hackers. Ransomware has been especially rampant in the past several years, costing small businesses millions of dollars.

The final layers of security concern the data itself. Starting with passwords on the files themselves, followed by permissions set up for users and apps, an authorization system solves a lot of problems here. Multi-tiered user policies for different employee levels and a strong password system requiring two-step verification both prove to be effective security measures. And, of course, don’t forget to make regular backups. A backup is inexpensive and brings everything up to speed.

Application of data security layers in consumer and commercial systems

Naturally, not all of these methods apply to every single computer system…especially not in this day and age where, for millions of people, their main computer is their smartphone. These principles, however, can be applied on a smaller scale even if you’re just looking into buffing up your home LAN.

For home use, the focus is mostly on the software side of things. Your layered security strategy should consist of a router with an integrated firewall, passwords, anti-malware tools and similar services. Smart browsing and educating yourself and your housemates about potential dangers on the internet is always a plus. And, of course, lock the door of your home, but hopefully that goes without saying.

On the flipside, companies big and small need to work much harder to stay safe from hackers and data breaches. Following detailed security programs is a great way to start. There is no one-size-fits-all solution here, as different companies operate with different types of data. However, computers can be turned into workstations with remote desktops. Additional logins, encryption and anti-malware are often custom-built for the needs of the company, and networks should employ several network security levels.

The bottom line

Just as an attack needs a plan, so does the proper defense. The more complex the computer system is, the more time you’ll need to prepare, so a roadmap is usually the best solution before you start employing any security measures. Working smart here will always be better than working hard, or worse, crossing your fingers that a ransomware attack skips your computer in particular.

And, if you set up your data security layers just right, there won’t be a need for a “Get out of my swamp!” sign. Attackers won’t even get the chance to approach it.