What Is Defense in Depth?
Defense in Depth is an IT security strategy asserting that individual defensive security measures cannot be relied upon to provide sufficient protection and that defensive security controls must be layered to mitigate risk effectively. The principle of Defense in Depth goes beyond IT security and applies to all types of security controls that protect against malicious attacks and natural disasters.
The Defense in Depth approach seeks to holistically reduce cybersecurity risk within complex IT environments consisting of hardware and software with interconnected dependencies. Defense in Depth seeks to provide a resilient IT security architecture for confidentiality, integrity, and availability, even if one or more components have been compromised.
Defense in Depth for Cybersecurity
A Defense-in-Depth Approach to Network Security
Network topography is typically conceptualized as internal and external network zones separated by a network perimeter that may include a demilitarized zone (DMZ). A DMZ is tasked with protecting internal network resources from unauthorized access via the public internet while permitting legitimate authorized access. Perimeter defenses are supported by security appliances such as next-generation firewalls and Intrusion Detection and Prevention Systems (IDPSs). However, Defense in Depth assumes that internal resources are inherently vulnerable despite the security offered by network perimeter defenses.
Some IT security controls that are often combined to form a Defense in Depth approach to network security include:
- Apply strong authentication and strict least privilege authorization to all internal and cloud systems and data
- Segregate internal networks with VLANs to isolate sensitive systems and data on a separate network domain
- Apply enterprise-level authentication mechanisms that use public key infrastructure (PKI) requiring certificates installed on each device
- Use network security best practices such as firewalls, MAC address accept-listing, static IP addresses, IDS and IPS, content filtering, and URL blocking technology for fine-grained internal network security
- Use encryption to protect the confidentiality of data as it transits over internal and external networks
- Maintain continuous vulnerability management activities to detect security weaknesses across the entire IT environment and mitigate any identified vulnerabilities as soon as possible
- Limit the applications and services on each endpoint to only those required and install and configure endpoint security products to detect and respond to any attacks that successfully reach an endpoint
Defense In-Depth Approach to Application Design
Defense in Depth applied to web and cloud application design uses a "Trust no one, validate everything" approach to strengthen authentication and authorization.
Some security measures that can be used to support a Defense in Depth approach to application design include:
- Have strong access security controls that require high password key space and ensure that passwords are changed periodically to reduce the potential impact of lost or stolen passwords
- Require multi-factor authentication MFA to protect accounts from a lost or stolen password
- Assess user contexts such as device user-agent, geolocation, and behavioral patterns
- Employ a Zero Trust principle to force users to re-authenticate when they perform sensitive actions such as purchase or account setting changes