Different Layers of Cyber Security
Cyber security represents all of the efforts below, and the lengths an organization will go to, to protect itself from cyber attacks. This onion is a good representation of the relationship each level has with the one above it. We are going to start from the outside, the sort of fragile, crinkly bit, and head towards the middle, where your tool or application lives.
A couple of things to think about as you go through this, especially if this is new to you. First, as you configure your defenses you have to avoid inherited access to deeper levels: limit the blast radius.
Second, most of these defense techniques revolve around the human element: devices we access with, passwords we use, networks we log in to, etc. Only at the end do we really get to the software you are building. Why? Unfortunately, our decision-making abilities are the biggest vulnerability when it comes to being infiltrated by an attacker.
Last, this certainly isn't everything. It is just a start. But it should help you visualize a clearer picture, since these terms are more often than not thrown around interchangeably.
What is Infrastructure Security?
Infrastructure security is where we begin to see responsibilities shared between IT and SecOps teams. Typically, infrastructure security focuses on the hardware, software, network resources and services required for keeping your operation going. It is the crinkly outside of the onion that the rest of the layers live within.
Infrastructure security can also refer to the critical components that keep life as we know it going day to day: roadways, airports, government agencies, etc. We have admittedly left that out for the purposes of this article, since it is a bit broader than where we are going, but it is probably important to recognize.
What is Information Security?
Information security is how organizations protect their important, often critical, information from unauthorized access, use, disruption, modification or destruction. Information can range from company to user information, whether personal or aggregated. Information differs from data, which is coming up shortly on its own, in that information is data that has been processed or organized into a format from which conclusions can be drawn or sense can be made. Put in practical terms, after downloading piles of XML files of user behavior (the data), you sort, filter and even plot the behavior to derive some key takeaway (the information).
What is Data Security?
Take everything we just said about information above and trim the last bit of the process. Data security encompasses protecting the raw, aggregated and even disorganized data your organization stores. A breach of data is just as detrimental as a breach of information, as attackers are often able to piece together a vivid picture.
What is Cloud Security?
Cloud security encompasses policies, procedures, controls, tools and technologies used to protect data, applications, and the associated infrastructure of your cloud environment.
When people think about cloud security, one of the common threads is security of the cloud versus security in the cloud. The most common example of this is Amazon's shared responsibility model, where Amazon ensures that the infrastructure that runs all of the different services offered is secure, as well as the facilities. In the same model, your organization is responsible for the data, applications, access management, OS, encryption, etc. in the cloud.
What is Network Security?
Network security is the process your team takes for implementing preventative measures, both physical and software, to protect the underlying networking infrastructure from unauthorized access, misuse or destruction. Successful network security is measured by having created a secure environment for computers, users, applications, etc. to perform the required critical functions.
Network security encompasses firewalls, VPNs, anti-malware and other tools that essentially control who has access to the network.
What is Endpoint Security?
Endpoint security takes your network access controls to a deeper level. The focus is on securing the various endpoints (duh!) on a network. Endpoints are traditionally what connects your teams to the network: mobile devices, laptops, tablets and desktop PCs. The goal for endpoint security is to address the risks associated with giving access to the devices outside of your network that are knocking on the door to get in.
To manage endpoints, organizations use firewalls, antivirus, encryption, device management tools and more.
What is Application Security?
Application security is leveraging different tools, technologies, procedures and policies to protect the application you are making. This is one of the first times we are talking about the software that is core to your business making money, whereas many of the other forms of security relate to the network, the people or the devices that would give an attacker almost inherited access to the application itself.
How to Avoid Getting Sliced Up and Deep Fried
I will happily own up to my affinity for Outback Steakhouse's Bloomin' Onion. It has been 10 years since I last ate one but the presentation (and taste) still sticks with me.
Attackers are agnostic when it comes to looking for vulnerabilities in your digital environment. Each of these levels poses a risk, but the greatest issues arise when malicious actors can gain inherited access to your whole onion (see, the metaphor came back) just by breaking through the top level. Be intelligent.
Read more in our DevSecOps ebook, but a couple of key things to remember: no one should have keys to the entire kingdom, security responsibilities and ownership belong to everyone in the organization (not just security), and always think about the blast radius for when (not if) things go wrong.