Defense in Depth
Multiple independent barriers: if one falls, the others hold. The opposite of "one very thick wall we pray won't fall".
Problem
Resting security on a single defence (perimeter firewall, antivirus, IPS) creates a single point of failure: its compromise exposes the whole system. No defence is infallible (0-day CVE, misconfiguration, social engineering). How to limit the impact of a discovered flaw?
Forces
- Every isolated defence eventually falls (0-day CVE, social engineering, supply chain).
- The attacker needs only one flaw; the defender must close every door.
- Stacking too many redundant defences burdens operations and hides real incidents.
- A breach at layer N must trigger detection at layer N+1 (early alert).
- Regulatory constraints (PCI-DSS, HDS, ISO 27001) often require multiple layers.
Solution
Stack several independent control layers — each protecting against the failure of others. The principle comes from military doctrine (successive defensive lines) and applies to information security: network (firewall, IDS), application (WAF, input validation), identity (MFA, RBAC), data (encryption, classification), monitoring (SIEM, anomaly detection), response (IR plan, backups). Each layer should use different mechanics (not 3 firewalls from the same vendor sharing the same CVEs).
Typical layers
Internet
│
▼
┌──────────────────────────────────────────┐
│ Layer 1: Edge — DDoS, WAF, CDN │
├──────────────────────────────────────────┤
│ Layer 2: Network — Firewall, segmentation │
├──────────────────────────────────────────┤
│ Layer 3: Endpoint — EDR, OS hardening │
├──────────────────────────────────────────┤
│ Layer 4: Identity — SSO, MFA, RBAC │
├──────────────────────────────────────────┤
│ Layer 5: App — Input validation, WAF L7 │
├──────────────────────────────────────────┤
│ Layer 6: Data — Encryption, masking │
├──────────────────────────────────────────┤
│ Layer 7: Monitoring — SIEM, audit logs │
└──────────────────────────────────────────┘ EDI implementation
An EDI hub accepts inbound AS2 INVOICs. Successive layers: (1) WAF / DDoS at the edge (Cloudflare, Akamai); (2) AS2 endpoint with mTLS and IP allow-list; (3) S/MIME signature verification in the app — partner cert verified against a dedicated CA and CRL/OCSP; (4) strict EDIFACT parsing rejecting any invalid structure; (5) business validation (consistent totals, known partner); (6) encrypted archive (AES-256, KMS); (7) immutable audit log with anomaly alerting. A layer-3 breach (compromised cert) is caught at layer 5 (abnormal volumes or patterns).
Anti-patterns
- Redundant but homogeneous layers — 3 Cisco firewalls sharing the same CVEs.
- Single "ultimate" layer without plan B — risky bet.
- Multiplied controls without monitoring — attacker probes quietly.
- Perimeter-only layers without internal controls — Zero Trust philosophy ignored.
- False sense of security after stacking — overhead hides misconfigured layers.
Related patterns
- Zero Trust Architecture — modern instance of Defense in Depth.
- Least Privilege — reduces the blast radius of a compromised layer.
- Bulkhead — equivalent for resilience.
- Secrets Management — identity layer protected separately.
Sources
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems. NIST SP 800-53r5 PDF
- NSA — Defense in Depth: A practical strategy, Information Assurance Solutions Group.
- OWASP Cheat Sheet — Defense in Depth. cheatsheetseries.owasp.org