ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

Defense in Depth

Multiple independent barriers: if one falls, the others hold. The opposite of "one very thick wall we pray won't fall".

Problem

Resting security on a single defence (perimeter firewall, antivirus, IPS) creates a single point of failure: its compromise exposes the whole system. No defence is infallible (0-day CVE, misconfiguration, social engineering). How to limit the impact of a discovered flaw?

Forces

  • Every isolated defence eventually falls (0-day CVE, social engineering, supply chain).
  • The attacker needs only one flaw; the defender must close every door.
  • Stacking too many redundant defences burdens operations and hides real incidents.
  • A breach at layer N must trigger detection at layer N+1 (early alert).
  • Regulatory constraints (PCI-DSS, HDS, ISO 27001) often require multiple layers.

Solution

Stack several independent control layers — each protecting against the failure of others. The principle comes from military doctrine (successive defensive lines) and applies to information security: network (firewall, IDS), application (WAF, input validation), identity (MFA, RBAC), data (encryption, classification), monitoring (SIEM, anomaly detection), response (IR plan, backups). Each layer should use different mechanics (not 3 firewalls from the same vendor sharing the same CVEs).

Typical layers

Internet
   │
   ▼
┌──────────────────────────────────────────┐
│ Layer 1: Edge — DDoS, WAF, CDN           │
├──────────────────────────────────────────┤
│ Layer 2: Network — Firewall, segmentation │
├──────────────────────────────────────────┤
│ Layer 3: Endpoint — EDR, OS hardening    │
├──────────────────────────────────────────┤
│ Layer 4: Identity — SSO, MFA, RBAC       │
├──────────────────────────────────────────┤
│ Layer 5: App — Input validation, WAF L7  │
├──────────────────────────────────────────┤
│ Layer 6: Data — Encryption, masking      │
├──────────────────────────────────────────┤
│ Layer 7: Monitoring — SIEM, audit logs   │
└──────────────────────────────────────────┘

EDI implementation

An EDI hub accepts inbound AS2 INVOICs. Successive layers: (1) WAF / DDoS at the edge (Cloudflare, Akamai); (2) AS2 endpoint with mTLS and IP allow-list; (3) S/MIME signature verification in the app — partner cert verified against a dedicated CA and CRL/OCSP; (4) strict EDIFACT parsing rejecting any invalid structure; (5) business validation (consistent totals, known partner); (6) encrypted archive (AES-256, KMS); (7) immutable audit log with anomaly alerting. A layer-3 breach (compromised cert) is caught at layer 5 (abnormal volumes or patterns).

Anti-patterns

  • Redundant but homogeneous layers — 3 Cisco firewalls sharing the same CVEs.
  • Single "ultimate" layer without plan B — risky bet.
  • Multiplied controls without monitoring — attacker probes quietly.
  • Perimeter-only layers without internal controls — Zero Trust philosophy ignored.
  • False sense of security after stacking — overhead hides misconfigured layers.

Sources

  • NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems. NIST SP 800-53r5 PDF
  • NSA — Defense in Depth: A practical strategy, Information Assurance Solutions Group.
  • OWASP Cheat Sheet — Defense in Depth. cheatsheetseries.owasp.org