what is meaning of consumer layered security and enterprise layered security?

Thread Starter

terabaaphoonmein

Joined Jul 19, 2020
111
Resources are very rare on this subject; anyhow, I managed to find a few, but they are very, very bad.

https://ioesolutions.esign.com.np/n...rol,-Audit-and-Security-of-Information-System

https://drive.google.com/file/d/1mwM_FPdNQfQPHmx1RMFP7_3yT8i0kf0u/view
around page 48 of this slide deck

https://drive.google.com/file/d/1sAGdct8rQaz4kIPT6LtSzBUgi0GY-5R6/view?usp=sharing around page 130 of this slide deck

What is this thing? It is very contradictory. There are not even textbooks to study this subject, so this has left me with a lot of confusion. Which resource should I trust more?
 

Ya’akov

Joined Jan 27, 2019
9,170
“Layered Security” is not a thing in itself; it is a description of a comprehensive strategy. It’s just “doing it right”, which leads to many different activities (which they are calling “layers”) because there are many attack vectors. I think layers is a terrible name; it implies a hierarchy that isn’t there. If they needed something to make it seem special they’d have been better off with “comprehensive” or, if they really needed to feel cool, maybe 360° Security.
 

eetech00

Joined Jun 8, 2013
3,958
If this is regarding networks...
I think the name "Layered Security" is exactly what it should be called because it implies defined logical/physical security boundary layers that need to be protected, and provides a "structured" approach to security. Potential attackers will need to recon and determine defense weaknesses before launching an attack, and will have much less chance of success if the defended boundaries are well defined, protected, and reviewed over time. Any "random" approach is a recipe for disaster.
 

Ya’akov

Joined Jan 27, 2019
9,170
> If this is regarding networks...
> I think the name "Layered Security" is exactly what it should be called because it implies defined logical/physical security boundary layers that need to be protected, and provides a "structured" approach to security. Potential attackers will need to recon and determine defense weaknesses before launching an attack, and will have much less chance of success if the defended boundaries are well defined, protected, and reviewed over time. Any "random" approach is a recipe for disaster.
It is true that a comprehensive security program takes account of all attack surfaces, which can be "layered" in some cases, but there is nowhere near the rigor of something like the OSI model, which uses layers to describe a set of things to be traversed.

You can map layers onto some measures in a "layered" model, but the term is misleading (as it is used).

To be clear, my complaint is not with the idea, it's with the application I have seen. People conflate and confuse certain practices with "layered security" apparently not realizing the term doesn't describe particular practices but a way of evaluating the completeness of a strategy.

My particular gripe with it has to do with personal experience with some security "professionals" who make systems less useful and no more, or ironically even less, secure.

So, I would say you are right, so long as it is not misused. Unfortunately, I have had to deal with people who did not really understand it, and used it as a bludgeon to demand unhelpful measures.

@terabaaphoonmein what @eetech00 is talking about is what layered security should be about. But any explanation you find that talks about it without enumerating the layers and mapping the practices to them is probably what I was talking about.
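As an added illustration of the point made in this reply (not code from any poster or from the slides linked above): treating "layered security" as a completeness check means enumerating the layers explicitly, mapping each practice to one or more of them, and then looking for layers with no control and for controls that name no layer at all. The layer names and the sample control inventory below are constructed assumptions for the example; a real program would substitute its own enumeration.

```python
"""Evaluate a security program as a coverage matrix over declared layers.

Added example, not from the thread. The LAYERS enumeration and the
SAMPLE_CONTROLS inventory are constructed assumptions for illustration.
"""

from dataclasses import dataclass

# Assumed layer enumeration. Every control must map to at least one of these;
# a declared layer with no control mapped to it is a coverage gap.
LAYERS = ("physical", "network", "host", "application", "data", "people")


@dataclass(frozen=True)
class Control:
    name: str
    layers: frozenset  # declared layers this control is claimed to protect


def evaluate(layers, controls):
    """Return (uncovered_layers, unmapped_controls).

    uncovered_layers: declared layers that no control is mapped to.
    unmapped_controls: controls that name no layer, or name a layer outside
    the enumeration; these are the "practice without a layer" cases the
    reply warns about, and they contribute nothing to coverage.
    """
    declared = set(layers)
    covered = set()
    unmapped = []
    for control in controls:
        if not control.layers or not control.layers <= declared:
            unmapped.append(control.name)
        covered |= control.layers & declared
    uncovered = [layer for layer in layers if layer not in covered]
    return uncovered, sorted(unmapped)


# Constructed sample inventory: a small-office profile with one gap and one
# control that claims to be "layered security" without naming a layer.
SAMPLE_CONTROLS = [
    Control("door badge readers", frozenset({"physical"})),
    Control("perimeter firewall", frozenset({"network"})),
    Control("endpoint anti-malware", frozenset({"host"})),
    Control("input validation in web app", frozenset({"application"})),
    Control("multi-factor authentication", frozenset({"application", "people"})),
    Control("vendor 'layered security' appliance", frozenset()),
]


def report(layers=LAYERS, controls=SAMPLE_CONTROLS):
    """Render the layer-to-control mapping plus gaps as plain text."""
    uncovered, unmapped = evaluate(layers, controls)
    lines = []
    for layer in layers:
        names = [c.name for c in controls if layer in c.layers]
        lines.append(f"{layer:12s} {', '.join(names) or '(none)'}")
    if uncovered:
        lines.append("gaps: " + ", ".join(uncovered))
    if unmapped:
        lines.append("unmapped: " + ", ".join(unmapped))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run as-is, the report shows the "data" layer with no control and flags the appliance that was bought as "layered security" but maps to nothing; the useful output is the gap list, not the count of products deployed.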
 