The concept of security has been around for centuries. One of the oldest forms of physical denial of access is building a wall: a physical barrier that acts as both a preventative and a deterrent control, restricting access by those not permitted to gain entry. Examples include the Great Wall of China, the Berlin Wall, the Israeli West Bank Barrier Wall, and Sacsayhuamán in Peru. The majority of these walls protected against unauthorized entry for that period of time. But a single boundary defense such as a wall is not adequate in modern times because of the advanced tactics and technologies used by those seeking unwarranted entry.
In a computing environment, using only a wall for defense would be the equivalent of using only a username/password for complete protection. Thus a modern physical defense utilizes defense in depth, which is itself not a modern concept.
Even the phrase "Guards, Gates & Guns" shows how different physical controls can be used to prevent entry. Again, these are both preventative and deterrent controls that can be used in conjunction with a physical wall to limit access. Here are a few other security controls which could be added to a wall to add defense in depth to a stationary barrier:
Motion sensors
Electrified fences
Additional patrols
Air Surveillance via plane or satellite
When there is a large threat vector (such as a 500-mile border), a physical barrier in addition to other natural deterrents provides the best total security solution.
In reality, the use of a wall as a single physical security control is about as ridiculous as expecting to have the enemy pay for its installation.
The other option would be to allow entry but then control access once inside. Not everything inside a network is attractive to the enemy, so being selective about how to protect critical data and configurations may be a better defense than a single external boundary defense.
The moral of this post is that using archaic security controls to deter and protect against external entry is wasteful and ineffective. A smart approach would be embracing defense in depth by utilizing physical, technical and administrative controls specific to the threat landscape and attack vectors, resulting in a controlled managed risk environment.
If you're thinking this could be applied to non-IT-related current events, you're right.