Saturday, February 3, 2007

Defense-in-Diversity

Via the Ncircle Blog -

For years now, one of the principles in IT design has been Defense-in-Depth. The term is misleading and I propose we scrap it for a more accurate term: Defense-in-Diversity. As IT operations and information security principles become intermixed, the proper understanding of this term is critical. Higher levels of redundancy in the same pattern do not significantly increase a system's defenses when faced with a well-motivated adversary.

The term Defense-in-Depth is misleading to someone who is not an expert in the security domain, and the problem centers around the interpretation of the word 'depth'. To most, this is the extent of a particular unit, like the depth of water, a shelf, or a cookie jar. It is in this context that the term can be dangerous as an information security design principle.

Let's take an example from a great movie, Ocean's Eleven (the original or the remake). On one hand, the casinos in this movie could afford, and in fact had implemented, a great deal of Defense-in-Depth. On the other hand, the casino's adversary did not see Defense-in-Depth; he saw patterns that revealed a lack of diversity that he and his team could exploit. The lack of diversity in both systems and processes raised the predictability and, in turn, the certainty of the adversary's execution plan to rob the casinos. In order to raise the cost to the adversaries, the casinos should have been focused on raising the diversity of the processes and systems and not the depth.

----------------------------------------

Will the new term catch on? I don't know. Once the media starts to use a term, it is hard to turn it around. However, I think TK is definitely on to something here. Good stuff.
