Defense in depth is a security strategy that deploys multiple layers of defensive controls throughout an information system. Rather than relying on a single security mechanism, this approach assumes that any individual layer can be breached and ensures that additional layers continue to provide protection. The concept originates from military strategy, where multiple defensive lines slow an advancing force and increase the likelihood of stopping the attack.
How It Works
A defense-in-depth architecture typically includes layers at the network, host, application, and data levels. At the network perimeter, firewalls and intrusion detection systems filter malicious traffic. Network segmentation isolates sensitive systems from general-purpose networks. Host-level defenses include operating system hardening, endpoint detection, and patch management. Application-level controls encompass input validation, authentication, authorization, and secure coding practices. Data-level protections include encryption, access controls, and backup systems.
Each layer addresses different threat scenarios and provides redundancy for the others. If an attacker bypasses the web application firewall with a novel encoding technique, the application's input validation might still catch the malicious input. If input validation fails, parameterized queries prevent SQL injection. If the database is somehow accessed directly, encryption at rest protects the data from being read. No single layer is expected to be impenetrable; the combination of layers makes successful exploitation exponentially more difficult.
The strategy also includes non-technical layers: security policies that define acceptable behavior, training that helps employees recognize threats, incident response plans that enable rapid containment, and monitoring that provides visibility into attacks in progress.
Why It Matters
Organizations that rely on a single security control, such as a firewall or a web application firewall alone, face catastrophic failure when that control is bypassed. Security assessments evaluate the depth and effectiveness of each defensive layer, identifying where gaps exist and where a single point of failure could allow an attacker to reach critical assets without encountering additional resistance.
Need your application tested? Get in touch.