Welcome to the third blog in our special series, Mitigating Gartner’s Network Security Worst Practices. In this post we’ll discuss Gartner’s “Defense with inadequate depth” worst practice.
For several years now, security teams have treated a defense-in-depth network security strategy as akin to building castle walls, with each wall providing an additional layer of protection. In theory, multiple protective layers should make a network more secure, provided they are done right. But somewhere along the line, confusion has developed over what a “layer” really means, with many companies believing that using multiple vendors for the same type of task provides an additional layer of security. Redundant layers that provide the same kind of protection from different vendors do not increase your security; they may actually impair it.
You may think that by using firewalls from two or more vendors you’ll have overlapping protection, and that each firewall will protect against different vulnerabilities, i.e. the weaknesses of one will be compensated for by the strengths of the other. However, industry research shows that the vast majority of firewall-related incidents are not caused by vulnerabilities in the firewall products themselves; they are caused by administrator misconfiguration.
The real risk in using multiple vendors comes from your staff, or more specifically their skills and time. If your staff have to work with several vendors’ products, things will likely become less secure. With two (or more) vendors, the networking and security staff need twice the training. Yet in practice they usually receive the same amount of training regardless of the number of vendors, so they end up less competent with each product than they would be if they focused on just one. Less familiarity leads to more mistakes when configuring and managing devices, which means greater vulnerability and risk. In addition, vendor diversity increases costs by eroding volume discounts. The company suffers a double whammy: less security and higher costs. It is therefore more efficient, cost effective and secure to standardize on one vendor for each specific function.
For real defense in depth, each layer must do something functionally different. If behind the firewall you have a DLP solution or a web filter, you now have two different dimensions of control and additional security that is structured in tiers. You can also achieve true defense in depth through network segmentation using a single vendor’s products: outer and inner firewalls, specialty firewalls in front of high-security data, and a variety of internal “choke points” that control access to that data. Each tier then only needs to permit the flows the tier behind it requires, so a mistake at one choke point can still be caught at the next.
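As an added example (not from the original post and not AlgoSec’s tooling), here is a small Python model of the tiered design just described: an outer firewall, an inner firewall and a specialty firewall in front of a high-security segment, each with its own first-match-wins, implicit-deny policy. The topology, the addresses, the rules and the probe flows are all constructed assumptions. The point it demonstrates is the one the post makes about misconfiguration: a “permit any” rule on the inner firewall exposes an internal port that no other tier protects, while the specialty firewall still stops a DMZ host from reaching the database, because that tier does something the inner tier does not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Probe = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Rule:
    """One firewall rule: CIDR source, CIDR destination, port (None = any), action."""
    src: str
    dst: str
    port: Optional[int]
    action: str  # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


@dataclass
class Firewall:
    name: str
    rules: List[Rule]  # evaluated top-down, first match wins

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                return rule.action
        return "deny"  # implicit deny at the end of every policy


def path_allowed(chain: List[Firewall], src_ip: str, dst_ip: str, port: int) -> bool:
    """A flow gets through only if every firewall on its path allows it."""
    return all(fw.decide(src_ip, dst_ip, port) == "allow" for fw in chain)


# Constructed topology (an assumption for this example): DMZ, internal and
# high-security segments, with three firewalls in series from the internet in.
ANY, DMZ, INTERNAL, HIGH = "0.0.0.0/0", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"

outer = Firewall("outer", [Rule(ANY, DMZ, 443, "allow")])                # internet edge
specialty = Firewall("high-sec", [Rule(INTERNAL, HIGH, 5432, "allow")])  # enclave choke point

# Weak inner policy: the "permit any to any" rule someone added to make an app work.
inner_weak = Firewall("inner", [Rule(ANY, "10.0.0.0/8", None, "allow")])
# Corrected inner policy: only the two flows the tiered design actually needs.
inner_fixed = Firewall("inner", [
    Rule(DMZ, INTERNAL, 8080, "allow"),
    Rule(INTERNAL, HIGH, 5432, "allow"),
])


def _in(ip: str, net: str) -> bool:
    return ip_address(ip) in ip_network(net)


def chain_for(src_ip: str, dst_ip: str, inner: Firewall) -> List[Firewall]:
    """Firewalls a flow crosses in the constructed topology (one direction, no NAT)."""
    hops = []
    if not _in(src_ip, "10.0.0.0/8"):                 # crossing the internet edge
        hops.append(outer)
    if _in(dst_ip, INTERNAL) or _in(dst_ip, HIGH):    # entering the inner segments
        hops.append(inner)
    if _in(dst_ip, HIGH):                             # entering the high-security enclave
        hops.append(specialty)
    return hops


# Constructed probe flows: the "can this reach that?" questions an auditor would ask.
PROBES: List[Probe] = [
    ("203.0.113.5", "10.3.0.10", 5432),  # internet straight to the database
    ("10.1.0.7", "10.2.0.20", 22),       # DMZ web host to an internal SSH port
    ("10.1.0.7", "10.3.0.10", 5432),     # DMZ web host straight to the database
    ("10.2.0.20", "10.3.0.10", 5432),    # app tier to the database (the intended flow)
]


def reachable(inner: Firewall, probes: List[Probe] = PROBES) -> List[Probe]:
    """Probes that pass every firewall on their path under the given inner policy."""
    return [p for p in probes if path_allowed(chain_for(p[0], p[1], inner), *p)]


if __name__ == "__main__":
    for label, inner in (("weak inner", inner_weak), ("fixed inner", inner_fixed)):
        print(label, "->", reachable(inner))
```

Running it with the weak inner policy reports two reachable flows, the intended app-tier-to-database one and the DMZ-to-internal SSH one that nobody meant to allow; with the corrected policy only the intended flow remains. The DMZ-to-database probe is blocked in both cases, but only because the specialty firewall sits behind the inner one: checked against the weak inner policy alone, that flow is permitted. That is the difference between tiers that do something different and a second box from another vendor doing the same job.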
Whichever way you go, security policy management solutions provide the visibility and automation needed to achieve your defense in depth goals: defining and enforcing network segmentation, verifying the correct network paths (whether or not you choose to go with multiple vendors), automating the firewall change management process, and maintaining compliance. From AlgoSec’s perspective we’re vendor agnostic, and can support your environment however many vendors you use and however you structure it. But for your own sake, keep the number of vendors down so you stay more secure.
About the Mitigating Gartner’s Network Security Worst Practices Blog Series
In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.
Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.