Onion vs. Crown Jewels. Which one is the best?
As we think about cybersecurity risk management for enterprises, what is the best approach? “Onion” or “Crown Jewels”? And are these the only two?
Onion, or defense in depth, approach is the time honored approach. Many layers of defense that when combined fortify an enterprise from various threat actors or reduce the likelihood of a risk event. Defense in depth is primarily focused on external threats. E.g., creating challenging layers for an external attacker to break through before they can get to the high value asset inside.
Do you go wide or deep?
Crown Jewels is more focused on wrapping security controls around the most critical assets (processes, systems, data, etc.) and focusing our ever decreasing budgets on protecting what matters most to the enterprise. But that raises a question, what matters most?
A few years ago I was working for a global company that had a very focused mission for its customers. We conducted an exercise to find the most important systems where we should focus our resilience efforts. Core business apps, sure… email? Maybe not. However, email was quickly raised by business associates as the most important TO THEM and their customers. Not important to security folks who can communicate out of band, but CRITICAL to many in the business. Lesson learned.
Like most things (including my wardrobe), there is no one-size-fits-all. I think a combination of the two approaches is required. A baseline posture and guardrails to operate freely between, as well as focused efforts around the most critical assets is a balanced approach.
Zero Trust and Least Privilege are great paradigms, but can be complex to implement and maintain. On the flip side, treating everything with the same prophylactic controls can be very expensive and unnecessarily wasteful in an age when security budgets are being reduced and teams are being asked to take on more responsibilities.
The thing that keeps popping into my mind as I write this is, what are the most important things to your business? Systems, data, third parties, staff, facilities? Do you know enough about how your business operates to define the right approach to making sure they are able to function during a risk event?
Contrary opinion alert!! I think these are slightly different things.. Some focus on "wholistic security" vs a "crown jewels" approach and as you rightly pointed, that comes down to the budget and risk appetite.. however the "Onion" strategy which is a traditional "Castle and moat" approach compares well against a Zero Trust or "identity as perimeter" approach. One is Asset focussed and the other is a defense tactic. thoughts?