Over at the Matasano Chargen blog, Thomas Ptacek challenges the conventional wisdom of Defense in Depth by taking to task the comparison of InfoSec and war strategies. Analyzing the analogies we use is an excellent exercise to better refine when and where they truly apply. Defense in depth is a very useful analogy, but as with any trite saying, it can become diluted and useless when overused.
The best point made in Thomas’ post has to be from Eric Monti:
“It irks me when vendors talk about ‘defense in depth’,” he says, but “I generally take it as good sign when customers do.”
BINGO. The depth mindset is great for implementers, as it shows an honest assessment of the situation. When used correctly, depth shouldn’t be for depth’s sake though.
Why go deep? Generally we recognize a weakness and add another layer to help compensate for the weakness in the first layer. Followed logically, this means we should be shooting for as shallow a depth as possible while adding something meaningful at each layer. It also means that the need for deep layering may represent crappy raw materials, hence the agreement with Eric’s assertion about vendors.
So, go deep, but not one layer more than absolutely necessary. And if you find yourself getting really deep in it, maybe you need to wonder just what “it” is.