3. Defense in Depth

Defense in Depth

Defense in depth is a security approach that uses multiple layers of protection instead of relying on just one control. It combines physical, technical, and administrative safeguards so that if one layer fails, other layers still protect the system.

It can include controls over buildings, server rooms, networks, applications, and data access. The goal is to prevent or slow down attacks, though it cannot guarantee complete protection.

Examples include multi-factor authentication, where a password is combined with a phone verification code, and the use of multiple firewalls to protect sensitive data. The most sensitive information is often placed behind the strongest and most layers of security.

Security Control Layers

Assets are protected by multiple layers of controls in a defense-in-depth model.

Administrative Controls

These are policies, procedures, rules, and management actions that guide security.

Logical / Technical Controls

These are system-based protections such as passwords, firewalls, access controls, and software security measures.

Physical Controls

These are physical barriers that protect assets, such as locks, doors, guards, and secure facilities.

Main Idea

The controls surround the assets in layers, so protection does not depend on just one safeguard.

Simple Meaning

Defense in depth means using several security layers so one weakness does not expose everything.