Castles defence in depth

Last year ( 2021) I managed to visit a number of castles in Wales. It got me thinking how much the medieval castles were designed with defence in depth and how similar it is to applying defence in depth when using Google Cloud.

A medieval castle has layers of defences here’s a list of some of them ( and yes I am aware I have left some parts out but if this post entices you to learn more about medieval castles there are plenty of great posts that dive into the detail.) :

Inhospitable terrain - They were often built in terrain which would slow down attacks from invaders . Surrounded by hills were a common location.

Traps- Traps hidden in the terrain heading towards the castle would also be a feature that could be found in some castles

Towers & Turrets - used to look out for invaders approaching the castle. Towers were built from the ground up while turrets were built on top of the walls

Watch towers - The name is pretty explanatory. Used to look at the surrounding terrain and used as an early warning system of approaching invaders

Moat - Many castles were surrounded by moats - a body of water that surrounded the castle . In some cases there could be an inner most surrounding the keep.

Drawbridge - The bridge over the moat. This bridge could be drawn up to make it harder for invaders to breach the castle

Portcullis - Defensive gate for the main entrance to the castle

Ramparts - These are the defensive walls that surround the main castle ( battlements are ramparts built at the top of castle walls )

Arrow slits - Archers would use these to fire arrows at approaching invaders while keeping themselves protected behind the big stone walls of the castle

Keep - The main living area of the castle located within the main walls of the castle.

Murder holes - Strategically built holes that can be found in the ceiling of the gateway or built into the outside walls used to throw large objects and hot stuff such as tar and boiling oils onto invaders

This photo I took of Caerphilly castle has some of the defenses I listed .

alt_text

You may now be asking that is all very interesting and probably thinking that murder holes were aptly named but how do medival castle defences map to using Google cloud? Well let’s look at each of the defences I mentioned and see what that looks like when designing your defences when using google cloud. There are variations on my mappings that you can easily make though and as everything overlaps you can place some controls against other Castle controls.

Inhospitable terrain - Cloud Armor to provide Denial of Service and Web Application Firewall (WAF) protection for applications and services hosted on Google Cloud.

Towers & Turrets - Detect anomalous activity . Cloud Audit Logs ; Cloud IDS to help detect network-based threats such as malware ; Security Command Center to aggregate and monitor for adverse activities , Use ETD to monitor for dubious activity; Chronicle to retain, analyze, and search massive amounts of security and network telemetry that provides the ability to correlate, and analyze data to provide instant analysis and context on risky activity

Watch towers - Detect anomalous activity . Cloud Audit Logs ; Cloud IDS to help detect network-based threats such as malware ; Security Command Center to aggregate and monitor for adverse activities , Use ETD to monitor for dubious activity ; Chronicle to retain, analyze, and search massive amounts of security and network telemetry that provides the ability to correlate, and analyze data to provide instant analysis and context on risky activity

Moat - VPC Service Controls to provide a perimeter around your GCP resources. Use Organization policy constraints to configure restrictions on how your organization’s resources can be used . To Define and establish guardrails

Drawbridge - BeyondCorp Implement zero trust techniques , Cloud Armor to provide Denial of Service and Web Application Firewall (WAF) protection for applications and services hosted on Google Cloud

Portcullis - Cloud IAM to implement least privilege. BeyondCorp to Implement zero trust techniques

Ramparts - Hierarchical firewall to create and enforce a consistent firewall policy across your organization.

Arrow slits - I know I may be stretching it a bit here but humour me. Here we are using controls that provide a way to reverse or prevent anomalous behaviour. Use Binary Authorization to sign images by trusted authorities during the development process and then enforce signature validation when deploying. Use cloud functions or Cloudrun via eventarc to react to events identified in audit logs. Cloud Armor WAF rules

Keep - Cloud IAM to implement least privilege, Implement VPC firewall rules patching , container scanning

As for traps & Murder holes there isn’t anything directly that I could map to and tbh I am glad there isn’t as planning traps and murder holes is a very dubious practice.