Zaq Mughal

Brighton (UK) based software engineer with over a decade of industry experience focussing on building robust and scaleable applications for mission driven organisations.

Head of Engineering at Genius Within CIC.


Defence in Depth - The multilayered approach to digital security

Published on:

The concept of Defence in Depth (DiD) is a fairly simple one; layer multiple levels of security throughout your digital architecture with the aim that if one mechanism fails, you have a number of others set up and ready to protect your system, therefore reducing the risk of a single point of failure.


Implementation of these security levels, on the other hand, can be a complex task; however, it can be made easier by the use of cloud-based architecture like AWS.


This article highlights key security layers I've encountered when working with cloud-based infrastructures.


Network Security


Network security processes often act as your front-line defence, blocking suspicious activity from even reaching your infrastructure.


A basic example of this is only accepting HTTPS connections into your system, thus ensuring that data is encrypted in transit, both into the system and out.


A secondary network defence mechanism is the use of firewalls.


In a nutshell, firewalls monitor traffic into and within your network and use a set of security criteria to decide whether to block or allow the activity.


For example, when working within an AWS system, you can configure the AWS Web Application Firewall (WAF) to restrict suspicious traffic, or you can look at implementing a firewall through Cloudflare to mitigate DDoS attacks. Both serve as reliable ways to reduce the chances of malware entering your network.


Application Security


Although no two applications are the same, there are some common security practices that can be applied to the majority.


One example, in the case of an application that allows users to register and login, is the use of secure authentication and authorisation:


  1. Authentication - ensuring that you have a robust password format enforced, coupled with encrypting passwords in the database, helps to keep personal data secure. For more details on password security, see OWASP's Authentication Cheat Sheet.
  2. Authorisation - using a role-based access control (RBAC) system along with applying the principle of least privilege helps to restrict user access to only the data and features that they require.

Another example is the use of .env files to securely store secrets like API keys, database credentials, and tokens.


By storing sensitive secrets in .env files and correctly adding .env to your .gitignore file, you ensure that this information is not committed to the repository, thereby preventing it from being accidentally exposed.


Since .env files are not committed to the repository, they become isolated to the different environments your application runs on (e.g., dev, staging, production). This ensures that secrets specific to production do not get shared with non-production environments.


Data Security


To increase security at a data level, you should aim for full encryption coverage of data in-transit and at rest.


As mentioned above, enforcing the use of TLS/HTTPS protocols helps to ensure that sensitive information, such as user credentials and personal data, remains encrypted during transmission. This encryption protects data from eavesdropping and tampering, ensuring its integrity during transfer.


Encryption at rest is equally important. This ensures that any data stored within your system remains protected even if an attacker gains access to the underlying storage.


For example, AWS S3 and RDS offer encryption at rest, allowing you to securely control who has access to the encrypted data via the Key Management Service (KMS).


Moreover, regular backups of your data should be encrypted too. It's vital to have robust backup procedures in place, with encryption ensuring that even if backup data is compromised, it remains unreadable to unauthorised parties.


Scheduling automated and encrypted backups is an effective approach to ensure data redundancy and disaster recovery while maintaining security standards.


Monitoring and Incident Response


Security mechanisms aren’t just about preventative steps; it’s also about how your system responds to potential breaches.


Implementing comprehensive logging and monitoring systems helps you spot suspicious activity in real-time, allowing for swift responses to potential threats.


In a cloud environment like AWS CloudWatch, you can monitor activities within your infrastructure.


These tools help you track API calls, log user activities, and set up alarms for unusual events such as unauthorised login attempts or unexpected network traffic spikes. By actively monitoring your infrastructure, you can rapidly identify and mitigate threats before they cause significant harm.


Conclusion


Defence in Depth is an essential strategy in modern digital security, providing multiple layers of protection to safeguard against a variety of threats.


Whether through robust network security measures like firewalls, strong application security practices such as secure authentication, or rigorous data encryption at rest and in transit, a multilayered approach significantly reduces the likelihood of a security failure.


In today’s cloud-based environments, services like AWS make it easier to implement these layers effectively by providing built-in tools and services to secure your infrastructure.


By leveraging these tools and integrating best practices across all aspects of your system, you create a more resilient digital environment capable of defending against even the most sophisticated attacks.