Is your business and Egg or an onion?

Is your business an egg or an onion? This is the question that you need to ask in order to determine what actions your organisation should take to improve the protection of its information assets. The egg vs. onion analogy relates to how you have protected the information assets within your business from accidental or malicious leakage.

The Egg
If your business is an egg, you have put into place a hard layer of protection on the perimeter of your organisation to protect your information assets from the hostile outside world. This is a simple, easy to manage approach. You've probably got a solid, well managed firewall through which all of your traffic flows. You may even have content filtering or a DLP solution to stop your information leaking out. However, there is an issue. If someone were to crack your hard exterior, they may gain full access to your information assets. This could be an external attacker or even a disgruntled employee who is already inside your network.

The Onion
If your business is an onion, you will have put into place multiple layers of security around your information assets. This may restrict both physical and logical access to your corporate information and will probably be layered in a way that ensures that they most important assets are placed deeper into the onion (i.e. is stored behind more layers of security). A well-managed onion approach gives your business a great degree of flexibility in who can access what information and may even include controls determining when specific data can be accessed.

What should I do?
The onion approach definitely seems like the ideal approach. The downside is that these additional layers of security also bring with them additional overhead in terms of cost, processes, operational activity and governance. It is important that the number of layers of security that are put into place are appropriate for the information being protected. To be able to put into place the appropriate layers of defence, some of the questions that you need to ask are:

·         What information do I actually have?
·         Have I classified this information in relation to its sensitivity?
·         Do I know who needs access to what and when?
·         How do I manage access to the information in a consistent manner?
·         Do I handle my customer's information and what is their expectation?
·         Is there any legislation/regulation that I need to consider (e.g. PCI-DSS)?
·         Do I need to think about controlling physical access to areas within my offices?

On the upside, it is quite unlikely that your business isn’t truly an egg. You have likely already put into place layers of security through logical access control (e.g. usernames/passwords) or physical access restrictions (e.g. swipe cards). However, does your current security implementation really protect your information? It may seem like a good idea to implement a whole host of security controls to provide more layers of security, but you also want to run a profitable business. Every additional security control comes with an associated financial and resource cost. Asking some of the above questions will provide a starting point from which you can begin securing your organisation in a way that considers what you want to protect and how you can begin identifying the risks that you need to consider. Once you understand what your risks are, you can work more effectively in protecting your information.

If you are taking forward a business case to implement layers of security within your organisation, then a more formalised name for the Onion Approach is Defence in Depth.

Want to know more?  Call us on 0845 519 6138 or email

Published 4 December 2014
Hitesh Kargathra

Related Content