Ocelot Docs

About Defense in Depth

Ocelot's core philosophy revolves around the concept of defense in depth. Instead of relying on a single layer of security, our solution provides multiple layers of protection at every stage of your microservices communication, from the application layer down to the network layer. This multi-layered approach ensures that even if one layer is compromised, the remaining layers still stand and your system as a whole remains resilient.

Defense in Depth is a comprehensive approach to information security conceived by the National Security Agency (NSA). The main idea behind this approach is to defend a system through a set of independent security mechanisms, each organized around and protecting a specific layer of the IT landscape. Quoting directly from the SANS Institute's security assessment of the Department of Defense (DoD):

Defense in depth is an age-old military strategy. The most thought visualization is a castle during the Middle Ages. The castle did not necessarily depend on its walls to protect itself. It was surrounded by a moat, guard towers, and a bridge with controlled access to the castle amongst other things. If an enemy would want to defeat this, it would have to take into account all these defensive measures put into place. Thus, DoD uses this strategy to defend its information networks.

Three main areas need to be covered to adopt the Defense in Depth approach effectively, namely:

  • Physical controls: not in the scope of this document. This layer comprises all security controls in place to physically defend a data center location from unauthorized access. The Cloud Service Provider (CSP) implements these kinds of controls and is responsible for this layer of protection;
  • Technical controls: these controls focus on protecting resources and systems through a specific combination of hardware and software;
  • Administrative controls: these controls are enforced by a set of policies and processes within the enterprise. They can also be executed and automated through specific technical controls.

For obvious reasons, our focus is on technical controls; this document does not cover the other two areas.

Technical Controls

Within the technical controls area, we can find the following layers:

  • Process and Policy: the first layer of defense is a well-defined and comprehensive set of security processes and policies that ensure the security of our customers' data and users.
  • Infrastructure: secure east-west traffic, and extend and fortify infrastructure security components such as Web Application Firewalls (WAF) and API Gateways, so that authorization checks are enforced beyond the edge as well.
  • Application: allow teams to define in detail which services are allowed to communicate with each other and the security requirements for each operation and API call, securing the whole application layer by rejecting all unauthorized traffic.
  • User: enforce and ease RBAC controls on users and current sessions, enabling the team to extend and granularly control the security level required for each specific operation. Ocelot can dynamically require extra authentication factors, ensuring that specific business requirements are fulfilled.
  • Data: teams need to be able to assign specific scopes to the different types of data owned by their applications, so that access to sensitive data is granted exclusively to specific workloads and under specific conditions.
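To make the layering concrete, the following is an added illustration (written for this page, not Ocelot's own code or configuration format) of a request passing through the infrastructure, application, user and data layers described above. Each layer is an independent default-deny check, and all layers are evaluated so that a denial reports every layer that rejected the request rather than only the first. The service names, network ranges, roles, factors and scopes are constructed placeholders.

```python
"""Defense in depth as layered, independent, default-deny authorization checks.

Added example for illustration; the policy tables below are constructed sample
data and are not Ocelot's real policy format.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    source_ip: str                   # where the call originates (infrastructure layer)
    caller: str                      # workload identity of the calling service
    target: str                      # service being called
    operation: str                   # API operation on the target
    user_roles: set = field(default_factory=set)     # roles of the end user
    user_factors: set = field(default_factory=set)   # factors satisfied, e.g. {"password", "otp"}
    data_scopes: set = field(default_factory=set)    # data scopes granted to the caller
    data_class: str = "public"       # classification of the data the operation touches


# Infrastructure layer: which networks may reach each service (east-west allowlist).
NETWORK_POLICY = {
    "orders-service": [ipaddress.ip_network("10.0.1.0/24")],
}

# Application layer: which caller may invoke which operations on which target.
SERVICE_POLICY = {
    ("checkout-service", "orders-service"): {"CreateOrder", "GetOrder"},
}

# User layer: roles and authentication factors required per operation.
OPERATION_POLICY = {
    "CreateOrder": {"roles": {"customer"}, "factors": {"password"}},
    "GetOrder": {"roles": {"customer", "support"}, "factors": {"password"}},
    "RefundOrder": {"roles": {"support"}, "factors": {"password", "otp"}},  # step-up factor
}

# Data layer: scope required to touch each data classification (None = no scope needed).
DATA_POLICY = {
    "public": None,
    "pii": "data:pii.read",
}


def check_infrastructure(req: Request) -> bool:
    """Deny unless the source address is inside a network allowed for the target."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in NETWORK_POLICY.get(req.target, []))


def check_application(req: Request) -> bool:
    """Deny unless this caller is explicitly allowed to call this operation on the target."""
    return req.operation in SERVICE_POLICY.get((req.caller, req.target), set())


def check_user(req: Request) -> bool:
    """Deny unknown operations; require an allowed role and every required factor."""
    rule = OPERATION_POLICY.get(req.operation)
    if rule is None:
        return False
    return bool(req.user_roles & rule["roles"]) and rule["factors"] <= req.user_factors


def check_data(req: Request) -> bool:
    """Deny unknown classifications; require the scope bound to the classification."""
    if req.data_class not in DATA_POLICY:
        return False
    needed = DATA_POLICY[req.data_class]
    return needed is None or needed in req.data_scopes


LAYERS = [
    ("infrastructure", check_infrastructure),
    ("application", check_application),
    ("user", check_user),
    ("data", check_data),
]


def authorize(req: Request) -> tuple[bool, list[str]]:
    """Evaluate every layer; allowed only if all pass. Returns (allowed, layers that denied)."""
    denied = [name for name, check in LAYERS if not check(req)]
    return (not denied, denied)


if __name__ == "__main__":
    attempt = Request("10.0.1.7", "checkout-service", "orders-service", "RefundOrder",
                      user_roles={"support"}, user_factors={"password"})
    print(authorize(attempt))  # refund is denied by both the application and user layers
```

Evaluating all layers rather than stopping at the first denial costs little and gives the security team a useful signal: a request that fails at several layers at once (for example, an unexpected caller that also lacks the step-up factor) is more suspicious than one that fails at a single layer, and the per-layer denial list is what you would forward to monitoring.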