Security

The Checklist: Build Your Defense-in-Depth Strategy

To help higher education IT teams establish a more organized full-stack defense-in-depth cybersecurity approach, here are three key focus areas for enhancing your DiD design.

Lauren Glenn Manfuso

Lauren Glenn Manfuso is a journalist and editor in the Washington D.C. metro area. Her work has appeared in Prevention magazine online, the Miami Herald and USA Today.

Shortly after COVID-19 forced postsecondary institutions to close campuses and move instruction online, an uptick in cyberattacks was seen across higher education. Universities large and small found themselves subject to ransomware, hacked videoconference classes and data leakage.

Meanwhile, with the vast majority of their users connecting from home, higher ed IT teams find themselves trying to secure a more complex network landscape than ever before. Enter defense in depth.

“Traditional, ‘monolithic,’ approaches to cybersecurity are becoming less reliable,” Richard Rudnicki, a Deloitte security specialist with 15 years of experience delivering cyber risk and regulatory compliance solutions to higher education, tells EdTech. “To address evolving risks, institutions should adopt multilayered approaches that involve people, process and technology.”

With its focus on layered security and comprehensive fortification, many refer to defense in depth as a “castle approach” to cybersecurity.

In medieval times, castles often housed hundreds of people — not just kings and lords, but also servants, soldiers, clergy, blacksmiths and countless others, along with their livestock, weapons and other valuables. The more valuable the contents and residents of that castle, the more alluring the site might be to attackers.

With so much area to protect, those charged with designing the castle’s defenses understood that no single measure would suffice to stop an invasion. So, castle defenses depended largely on an interwoven system of protections — the gate, the towers, the moat, the guards — to deter would-be invaders.

MORE ON EDTECH: Learn more about effective incident response.

The same is true of an effective defense-in-depth strategy. No single cybersecurity solution is enough to protect your university’s network or the troves of valuable data inside it. Protecting your data from constantly evolving and increasingly aggressive threats requires a full-stack, defense-in-depth security approach, with your access control, identity management, firewall, anti-virus and other solutions fully integrated and working together.

Type the term “defense in depth” into a search engine and you’ll get countless articles attempting to explain what it means and what its most crucial components are. The most agreed-upon definition focuses on three defense categories: physical, technical and administrative.

But what do those categories mean, and what elements are required to protect them? This checklist offers an overview of what you need to build a solid defense-in-depth strategy.