It is 100 years since the start of the Great War. The war to end all wars triggered innovation in terms of the armoured tank, the Vickers machine gun, the gas mask, and sound ranging. It also refined the military strategy of defence in depth.
Early on in 1914, trench warfare on the Western front soon reached stalemate with each side digging into fairly static positions. On defence, a soldier was relatively protected from gunfire and artillery whilst in his trench, but very vulnerable when going “over the top” on attack. This asymmetry between attack and defence quickly resulted in the stalemate positions.
Around 1915 the concept of defence in depth evolved at the German Army High Command at Mézières in France. The idea was to maintain a lightly-manned front line with reinforcements kept behind the front line beyond the range of enemy artillery. If the front-line was overwhelmed by the enemy, the reinforcements could quickly attack and regain lost ground.
Reinforcements from behind the front line could attack an enemy weakened by lengthened supply lines, and they could also often outflank an advancing enemy. This defence in depth strategy was successfully deployed at the battle of Arras and the battle of Passchendaele. Once the strategy was adopted by the Allies it resulted in further stalemate positions, where a small acreage of land could only be gained at enormous cost of lives. An interesting summary of the evolution of WWI defensive strategies is here. If you are interested in learning more about the First World War, I found this account informative.
Today, InfoSec professionals know defence in depth as a cornerstone strategy of information security. The concept involves multiple layers of protection. If one layer is compromised, the next layer becomes the frontline. An example is a system protected by access control, a firewall, anti-virus, perhaps sandboxing, and/or data hashing. Failure of any one layer does not necessarily expose data. As InfoSec solutions are seldom 100% infallible, defence in depth is a core strategy to effective protection against digital attack.
In InfoSec, defence in depth owes it’s adoption also to the asymmetry between attack and defence. While defence was far easier than attack during World War I, in information security it is the other way around – IT defence is much more difficult as an attacker only needs to find one weakness in the defences to succeed.
Some have advocated that defence in depth is a flawed approach and that organisations are more vulnerable if attackers know they employ the strategy. SANS advise a Sustained Cyber-Siege Defence approach is more suitable.
Defence in depth is a concept also used in other areas such as in fire protection and nuclear plant safety.
Next time you deal with an InfoSec issue, spare a thought for those who gave the ultimate sacrifice 100 years ago, enabling us now to create defence in depth in a less bellicose environment.