Defense in Depth
A layered security approach using multiple protective measures so failure of one doesn't compromise the system
Also known as: Layered Security, Defense in Layers, Defence in Depth
Category: Principles
Tags: security, strategies, architecture, resilience
Explanation
Defense in Depth is a security strategy that employs multiple layers of protection, so if one defense fails, others remain to protect the system. Borrowed from military strategy, it recognizes that no single security measure is impenetrable and that attackers who breach one layer should face additional obstacles.
The approach typically includes: physical security (locks, badges, cameras), network security (firewalls, intrusion detection, network segmentation), host security (antivirus, patch management, hardening), application security (input validation, secure coding, authentication), and data security (encryption, access controls, backups). Each layer addresses different attack vectors and threat types.
For example, protecting a database might involve: a firewall blocking unauthorized network access, an intrusion detection system monitoring for suspicious activity, application-level authentication and authorization, encryption of data at rest and in transit, and regular backups stored offsite. An attacker would need to bypass all these layers to fully compromise the data.
Defense in Depth provides resilience against unknown vulnerabilities and zero-day attacks. When a new exploit is discovered, other layers continue providing protection while the vulnerability is patched. It also supports the principle of least privilege by compartmentalizing access at each layer. The strategy requires ongoing investment but significantly increases the cost and difficulty for attackers, often deterring all but the most determined adversaries.
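The database example above can be made concrete in code. The following Python program is an added illustration, not code from the original page: it models a database gateway as a chain of independent checks (a subnet rule standing in for the firewall, an HMAC token check for authentication, a role table for authorization, and an audit log as the detection layer) and then deliberately "breaks" the network layer to show that a single-layer design is fully compromised while the layered design still denies the hostile request. All hosts, users, roles, subnets and the shared secret are constructed assumptions.

```python
"""Layered access control for a database, demonstrating defense in depth.

Added illustration, not from the original page. Every host, subnet, user,
role and secret below is a constructed assumption, not a real system.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed secret for the authentication layer (assumption, not a real key).
_AUTH_SECRET = b"constructed-demo-secret"


def make_token(user: str) -> str:
    """Issue an HMAC token binding a user name to the shared secret."""
    return hmac.new(_AUTH_SECRET, user.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    source_ip: str
    user: str
    token: str
    action: str   # "read" or "write"
    table: str


# A layer is an independent check: None means pass, otherwise a denial reason.
Layer = Callable[[Request], Optional[str]]

ALLOWED_SUBNET = "10.0.1."                              # constructed internal subnet
ROLES = {"analyst": {"read"}, "dba": {"read", "write"}}  # constructed role table
USER_ROLES = {"alice": "analyst", "bob": "dba"}


def network_layer(req: Request) -> Optional[str]:
    # Firewall-style rule: only the internal subnet may reach the database.
    if not req.source_ip.startswith(ALLOWED_SUBNET):
        return "network: source %s not in allowed subnet" % req.source_ip
    return None


def auth_layer(req: Request) -> Optional[str]:
    # Application authentication: token must match the HMAC for the claimed user.
    if not hmac.compare_digest(make_token(req.user), req.token):
        return "auth: invalid token for user %s" % req.user
    return None


def authz_layer(req: Request) -> Optional[str]:
    # Authorization: the user's role must permit the requested action.
    role = USER_ROLES.get(req.user)
    if role is None or req.action not in ROLES[role]:
        return "authz: %s may not %s" % (req.user, req.action)
    return None


@dataclass
class Gateway:
    layers: List[Layer]
    audit: List[str] = field(default_factory=list)  # detection layer: every decision is logged

    def handle(self, req: Request) -> bool:
        """Run every layer in order; the first failing layer denies the request."""
        for layer in self.layers:
            reason = layer(req)
            if reason is not None:
                self.audit.append("DENY %s/%s %s: %s" % (req.user, req.action, req.table, reason))
                return False
        self.audit.append("ALLOW %s/%s %s" % (req.user, req.action, req.table))
        return True


def broken(layer: Layer) -> Layer:
    """Simulate a failed control (misconfiguration or bypass): the layer passes everything."""
    return lambda req: None


def demo() -> dict:
    """Compare a single-layer design with a layered one when the network control fails."""
    # Hostile request: outside the subnet, no valid token, asking to write.
    hostile = Request("203.0.113.7", "bob", "not-a-valid-token", "write", "customers")
    # Legitimate analyst reading from inside the subnet with a valid token.
    legit = Request("10.0.1.23", "alice", make_token("alice"), "read", "customers")

    single = Gateway([broken(network_layer)])
    layered = Gateway([broken(network_layer), auth_layer, authz_layer])
    return {
        "single_layer_hostile_allowed": single.handle(hostile),   # True: nothing left to stop it
        "layered_hostile_allowed": layered.handle(hostile),       # False: auth layer still holds
        "layered_legit_allowed": layered.handle(legit),           # True: legitimate use unaffected
        "layered_denial_reason": layered.audit[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The layers share no state and each one makes its own decision from the request alone, which is what lets the authentication check hold when the network check has been neutralized; the audit list is the cheap detection layer that would surface the repeated denials even though no data was exposed.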