Defence-in-depth is an extremely popular security and risk management expression, yet it rarely achieves the universal, unassailable and reliable safety or security outcome the concept evokes, and it often fails to deliver on the promise of a shroud of multi-layered protection for people, data or assets. That is, many ‘defence-in-depth’ assertions are symbolic, or defence-in-depth in name only, because the various layers and measures are neither synchronised nor individually required: ‘once you’re in… you’re in!’.
“Although the concentric circles in a defense-in-depth diagram evoke an image of strict segregation, in many financial services networks, the inner circle authentication mechanisms are all available on the same network (referred to as a “flat” network). So once a user is connected to the network (the outer-most layer), no firewall or other network control prevents the user from attempting direct authentication to other platforms and/or scanning for vulnerabilities on other platforms within the network. Where application users are expected to require access to multiple defense-in-depth layers, the infrastructure is also typically engineered to allow authenticated users in one infrastructure component to send commands to other components via automated “pass-through” mechanisms, commonly known as software services or microservices.”