Layered Security: Self Defense or Self Delusion? By Dr. Roger Johnston

Read the article by Dr. Roger Johnston and the LANL team.


Security in Depth is a good thing: 4 layers of security trumps 1 layer of security every time, right? Well, not so fast! Layered security can be a useful tool, but it also holds lots of hidden dangers.

Almost every vulnerability assessor is familiar with the following scenario, which the author has personally witnesses at least 2 dozen times (including at nuclear facilities): A security manager is shown a simple, successful attack on a security device or system, or a portion of the overall security program. Then he/she is shown an inexpensive countermeasure, or at least a partial fix that is relatively painless. The instant response: “Well, yes, that is all very interesting, but we have multiple layers of security, so a failure in one layer does not mean that our overall security has failed. Thus, we don’t need to be concerned with this vulnerability, nor do we need to implement the recommended countermeasure(s).”

Is this the correct decision? Ultimately, maybe it is and maybe it isn’t. But to knee-jerk the decision not to explore the possibility of improving a given layer or portion of a security program based solely on the idea that there are additional layers is certainly not the right response.