Security-in-Depth (also known as the Onion model), is a diagram and conceptual model designed to protect an organisation and its interest through a multi-faceted approach. It is applicable for firms of any size or industry.
“Imagine, the jewel of the crown of any organisation is at the centre of the framework. On the outside, there are multiple layers of barriers protecting unauthorised personnel from reaching or stealing it. Each layer is fortified with unique functions and features to only allow the right personnel to enter.
The exact mechanism of each barrier would have been determined during the earlier Risk Management stages. The bottom line is, there must be a good balance between Security, Threat and Freedom (as highlighted in our Security Triangle article).
Deep diving into the Security-in-Depth model
Right at the outside of the Security-in-Depth model is the ‘Boundary’. The ‘Boundary’ is the gateway into a firm’s premise or the perimeter of its territory. It consists of building infrastructures, technology and people. The guards on patrol, physical fences, motion detectors, security lightings etc. are all considered barrier elements. The intention of these elements is to deter unauthorised personnel from even attempting to trespass the premise. In some cases, firms with car parks (ground level or basement) would also have barrier elements in terms of physical vehicle gantry or security guards to authorise or deny vehicular entries.
The ‘Boundary’ should not be too close in physical proximity to the ‘First point of contact’, which is the next layer in the Security-in-Depth model. Why? This is for the purpose of delaying potential threats. For example, if the fences are located far away from the single entrance to the building, it buys time for the security team to apprehend any trespasser before he/she reaches the entrance.
“Apart from serving its purpose to make it difficult for unauthorised personnel from trying to enter your premise, the presence of the ‘Boundary’ makes people think twice about trespassing. Why bother when they know they cannot succeed?
2. ‘First point of contact’
The first point contact often refers to the security officer situated at the guard post – the main entrance to the building/premise. The security officer’s responsibility is to monitor and control the access of individuals based on internally-aligned security protocols like SOPs or special instructions.
3. ‘Pre-centre layer’
The receptionist counter is often known as the pre-centre layer. There are often 2 of such layers for firms situated in a building – one in the main lobby of the building and the other right at the front of the office itself. The receptionist should ideally be trained or well-versed with security so they know how to spot for suspicious characters and only allow authorised personnel from entering the firm’s premise.
One common technique receptionists deploy to guard visitors and protect the firm’s interest would be to issue visitor or vendor tags. These tags must be worn by visitors at should be provided to visitors and it must be visible at all times so they cannot go wherever they want – they can only use certain elevators or open selected doors. Moreover, the receptionist would be alerted whenever someone tries to pass the centre point turnstile gantry without a pass. Those unauthorised will be technically directed to the receptionist or security concierge.
Once an individual gains access beyond what is called the centre point, they would have access to the workplace of employees. Not every visitor should be allowed beyond the centre point as there may be confidential or proprietary information lying around. The more access the visitor gets, the closer he/she is to the crown jewel of the firm.
The more layers of barrier designed between the ‘Boundary’ and the centre point, the safer the ‘crown jewel’ is from an unauthorised party. At the same time, however, too many layers of barriers can be cumbersome, hostile or even inefficient for visitors with no ill-intentions. This is why it is imperative for firms to go back to the Security Triangle and find the right balance between Security, Threat and Freedom.
Additional turnstile gantries are often found at the entrance of where valuable assets such as data centres are located.