Using Multiple Controls or Countermeasures for Information Security

In this post I would like to talk about using multiple controls or countermeasures for information security purposes. To begin, consider a castle in the Middle Ages. You may have noticed that many castles were built in locations that leveraged natural obstacles in order to protect the castle during an attack. A castle, for example, might be built on the edge of a cliff such that there are fewer points of attack. Further, castles often had a surrounding moat -- that is, a man-made band of water surrounding the castle -- which would help to further protect it from attackers. Additional controls might have included a drawbridge, heavy crenellated walls, strong gates, towers, or guards who use passwords. When considered together, it quickly becomes obvious that the defensive strategy used for castles in the Middle Ages was to rely on a multilayered defense, and a similar strategy should be used to defend information assets today.

Whereas castles used controls such as walls, moats, guards, and so forth, information security personnel can use controls such as encryption, software controls, hardware controls, societal and organizational policies and procedures, physical controls, and so forth in order to protect information assets. Just as with the castle, using a single control or countermeasure would almost certainly be insufficient to establish an adequate defense for information assets. Instead, information security personnel should adopt a multilayered approach.