Defence in Depth (DiD)


Defense in depth is a cybersecurity strategy that layers multiple independent defenses so that the organization never relies on a single safeguard. If one layer of defense fails, the others remain in place to block or slow the attack. The architecture of DiD consists of three categories of controls:
Administrative Controls (Policies & Procedures)
Technical Controls (Hardware, Software, and Networks)
Physical Controls
Assuming that we are the systems security analyst for an organization that wants to deploy a new server, here is my checklist:
Ensuring the physical safeguards are in place in accordance with security policies and protocols.
Using an NGFW (Next Generation Firewall) as the first line of defense. This device can include IDS/IPS, application-level monitoring and control, and a WAF.
Checking the supply chain of the hardware used for the server.
Reviewing and confirming the integrity of the server's components.
Ensuring that IT technicians follow the security policies for hardening the out-of-the-box server and change all default settings.
Ensuring that all updates and patches have been installed.
Ensuring appropriate anti-malware is installed and properly configured.
Ensuring unnecessary ports are disabled.
Overseeing the testing of the server in a DMZ or screened subnet as per security policies and protocols.
Reviewing that the Active Directory, security policy, and logging/monitoring requirements have been met.
Ensuring remote access policies have been enforced.
DNS protection.
VPN and multi-factor authentication.
Ensuring the server has been added to the inventory record and its baseline configuration is well documented.
Ensuring the server's data is protected at rest and in transit and has been set up for redundancy based on the organization's policies and protocols.
Ensuring all updates and patches remain current.
Installing perimeter defenses such as IDS, IPS, and firewalls.
Endpoint-related measures, such as:
Installing the preset OS image using a workstation installer or snapshots to keep endpoints uniform across the organization.
Endpoint protection and installation of the latest version of the corporate-licensed anti-malware.
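Two checklist items above (disable unnecessary ports; document the server's baseline configuration) can be verified together once the baseline exists. The script below is an added example, not part of the original checklist: it compares a documented baseline of allowed listening services against a snapshot of `ss -tlnp` output and reports drift. The baseline table and the `ss` output are constructed samples, not captured from a real host.

```python
"""Baseline drift check for a newly deployed server (added example)."""
import re

# Documented baseline for this server (constructed sample):
# port -> (expected process name, expected bind address)
BASELINE = {
    22: ("sshd", "0.0.0.0"),
    443: ("nginx", "0.0.0.0"),
    5432: ("postgres", "127.0.0.1"),   # database must stay on loopback
}

# Constructed sample of `ss -tlnp` output, not captured from a real host.
# It deliberately shows three kinds of drift: a missing service (443),
# a service bound too widely (5432), and an unexpected listener (23).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1300,fd=4))
"""

# Matches one LISTEN row: bind address, port and the first process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return {port: (process, bind_address)} for every LISTEN line."""
    listeners = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc = m.groups()
            listeners[int(port)] = (proc, addr)
    return listeners


def check_baseline(listeners, baseline=BASELINE):
    """Return a sorted list of drift findings; an empty list means no drift."""
    findings = []
    for port, (proc, addr) in listeners.items():
        if port not in baseline:
            findings.append(f"unexpected listener {proc} on {addr}:{port}")
            continue
        want_proc, want_addr = baseline[port]
        if proc != want_proc:
            findings.append(f"port {port} served by {proc}, baseline says {want_proc}")
        if addr != want_addr:
            findings.append(f"{want_proc} bound to {addr}, baseline says {want_addr}")
    for port, (want_proc, _) in baseline.items():
        if port not in listeners:
            findings.append(f"expected service {want_proc} not listening on {port}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_baseline(parse_listeners(SAMPLE_SS_OUTPUT)):
        print("DRIFT:", finding)
```

Run it against real `ss -tlnp` output piped from the server, and treat any non-empty result as a deviation from the documented baseline that needs a ticket before the server leaves the screened subnet.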