Defense in-depth
When I became Chief Technical Officer of Freedman Healthcare a year ago, I took over information security for the company’s data analytics work. We’ve enhanced our sophisticated data center, and in the process I learned a lot about security strategy. My security work in the past was based on websites and their associated servers, which is mostly a matter of having a well-configured firewall and using software tools to block a denial-of-service attack. When running servers in the cloud, you let the web host worry about the threat of someone picking up your server and walking out the door.
When storing healthcare data for analytics in our office, I had to adjust to consider many types of cyber and physical threats, and came to appreciate the value of “defense in-depth,” or as I think of it, “boxes within boxes.” I’ll describe the security details of our data center in a future post. For today, since I’ll be applying the “defense in-depth” strategy to much of the technology work at Freedman that I describe on this blog, I thought I’d start with a general overview.
“Defense in-depth” is also called a layered approach. Instead of just putting a massive lock on the door and calling the data center secure, you apply multiple layers of both physical and cyber security. It’s easiest to visualize under its other common name, the castle approach. Back in the day, if an attacker got across the moat, they still had to overcome the portcullis, and then get past the boiling oil poured down from the battlements. The very sight of a massive, fortified castle signaled to potential attackers that they should consider the unprotected farm down the road instead.
In modern terms, a maintenance worker visiting our office might be tempted to pocket a USB drive lying on a desk, but getting past our keypad-locked door by physical means, and then facing a series of password logins, would take far too long for a casual theft. In another post, I’ll discuss the safeguards we put in place in case a more determined attack is attempted.
It’s a mistake to think of a series of security measures as a chain that is only as strong as its weakest link. Overcoming one layer, such as guessing the keycode for the door, doesn’t mean that you can open the safe where an encrypted USB drive is stored, and then crack the additional layer of software encryption applied to the data on that drive. The cumulative effect of a multi-layer defense is far more powerful than the collection of its individual parts.
Multiple, overlapping security measures solve the problem of unanticipated weakness, especially in the case of human error. A massive steel door may seem sufficient, but what if it is left open accidentally at the end of the day? With multiple layers of passwords and encryption within the data center, a single security failure doesn’t leave you defenseless.
There is also a psychological aspect to a multi-layered defense when describing a secure data center to a potential client. Most RFPs in the healthcare world include a security checklist. This list, which seems to be largely identical among state healthcare agencies, is a way of quantifying the intangible question, “How secure are you?” It transforms a binary “We are secure” into a more realistic “We meet 90% of your security requirements.” The checklist lines up perfectly with a layered security plan.
The biggest weakness of multiple security mechanisms is the proliferation of passwords. Our data center presents at least 6 password challenges, depending on the data you want to reach. Each password must be unique, of course, or the layers are effectively collapsed into one. This is beyond the ability of normal human memory, creating the need for a software tool to manage these passwords, which in turn must be protected with another password, and run on a device with its own password. Every time one box is opened, there’s another one inside, ready to protect the next layer.