Gabriela Marcos

What is ‘Defense in Depth’?

The digital world has reshaped the way we live, work and spend our free time. However, it is constantly open to attack, so we need to ensure that the right security is in place to prevent networks and systems from being compromised. Sadly, no single method can protect a network against every type of attack. This is where defense in depth comes in.


Defense in Depth, commonly known by its initials as DiD, is a cybersecurity concept in which multiple layers of security controls, or defenses, are placed throughout an IT system. The idea behind this strategy is that if one layer fails, the remaining layers will hopefully prevent a full breach from happening.


One of the best day-to-day examples of this is bank security. Why is a bank more secure than a convenience store? Well, a bank has more redundant security measures for protection, and the more measures there are, the more secure it is.


The first security layer for the bank would be security cameras. On their own they deter some people, but for those who do not care about them there is usually an armed security guard to physically apprehend the intruder. Add another guard to the equation and the security increases even more. If both guards are prevented from doing their job, the next security layer would be a wall of bulletproof glass and electronically locked doors. Still, there is always the chance of the robbers guessing the code for the doors or kicking them in; in that case, the robbers would only be able to reach the tellers’ registers, as everything of great value is protected by a vault. Hopefully, the vault has several locks and can only be opened by two individuals who are rarely in the bank at the same time. The teller registers, in turn, can have another layer of protection: dye-emitting bills stored at the bottom, so the money can be identified as stolen.


Now, having all of these layers is not a fail-safe guarantee that the bank will never be robbed. Bank robberies still happen, even at the most secure banks. Nonetheless, all of these layers of security together prove much more effective than any single measure ever could.


All of these layers of protection translate into the digital world as firewalls, malware scanners, data encryption, intrusion detection systems, integrity auditing solutions, and more. By using two or more of these measures, you effectively minimize the chances of a breach by closing the gaps created by relying on a single security solution.


Defense in Depth Architecture


The Defense in Depth structure is designed around controls that protect the physical, technical, and administrative parts of the network. It follows this architecture:

  • Physical Controls: These are the security measures that prevent physical access to the IT systems, such as security guards, fences, CCTV systems or locked doors.

  • Technical Controls: Technical controls are the security measures that protect the systems or resources of the network using specialized hardware or software, such as firewall appliances, fingerprint readers, or antivirus programs. Technical and physical controls differ in that technical controls prevent access to the contents of a system, while physical controls prevent physical access to the systems themselves.

  • Administrative Controls: Administrative controls are security measures consisting of policies or procedures directed at the organization’s employees, such as instructing users to label sensitive information as confidential, data handling procedures, and security requirements.


Additionally, the following security layers can be used to help protect individual facets of the network.


  • Access Measures: Includes authentication controls, biometrics, VPN, and timed access.

  • Antivirus Software: Critical to protecting against viruses and malware.

  • Data Protection: This includes data encryption, hashing, encrypted backups, and secure data transmission.

  • Behavioral Analysis: When this layer fires, it means the firewall has already failed to stop the activity. It picks up the slack by either sending alerts or executing automated controls to prevent the breach from going any further.

  • Perimeter Defenses: Including firewalls, intrusion detection systems, and intrusion prevention systems.
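To make the layering concrete, here is an added example (not part of the original article) that runs a constructed login log through three independent layers: a perimeter allow-list, the authentication outcome, and a behavioral check for a brute-force pattern. It assumes a hypothetical allow-list of networks, a merged edge log in the format shown, and a failure threshold of five attempts within sixty seconds; the point is that the behavioral layer still catches a source that the first two layers admitted.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of a merged edge log: "<timestamp> <source-ip> <user> <outcome>".
SAMPLE_LOG = """\
2024-01-10T09:00:05 203.0.113.9 alice failure
2024-01-10T09:00:06 203.0.113.9 alice failure
2024-01-10T09:00:07 203.0.113.9 alice failure
2024-01-10T09:00:08 203.0.113.9 alice failure
2024-01-10T09:00:09 203.0.113.9 alice failure
2024-01-10T09:00:10 203.0.113.9 alice success
2024-01-10T09:05:00 192.0.2.44 bob success
2024-01-10T09:30:00 198.51.100.7 bob failure
2024-01-10T09:31:00 198.51.100.7 bob success
"""

# Layer 1 (perimeter): hypothetical allow-list of networks permitted to reach the login service.
PERIMETER_ALLOW = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Layer 3 (behavioral): this many failures inside WINDOW, followed by a success, is a brute-force signature.
FAILURE_THRESHOLD, WINDOW = 5, timedelta(seconds=60)

def evaluate(log_text: str) -> dict[str, dict]:
    """Run every source IP through the layers in order and return one verdict per source."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, user, outcome = line.split()
        events[src].append((datetime.fromisoformat(ts), user, outcome))
    verdicts = {}
    for src, evs in events.items():
        verdicts[src] = v = {"perimeter": "blocked", "auth": "n/a", "behavioral": "n/a", "actions": []}
        # Layer 1: traffic outside the allow-list is dropped and never reaches authentication.
        if not any(ip_address(src) in net for net in PERIMETER_ALLOW):
            v["actions"].append("drop at firewall")
            continue
        v["perimeter"], v["behavioral"] = "allowed", "clear"
        # Layer 2: the authentication verdict is simply whether the credentials were ever accepted.
        v["auth"] = "success" if any(o == "success" for _, _, o in evs) else "failure"
        # Layer 3: behavioral analysis looks at the pattern, so it can fire even after layers 1 and 2 passed.
        recent_failures = []
        for ts, _user, outcome in evs:
            recent_failures = [t for t in recent_failures if ts - t <= WINDOW]
            if outcome == "failure":
                recent_failures.append(ts)
            elif len(recent_failures) >= FAILURE_THRESHOLD:
                v["behavioral"] = "alert"
                v["actions"] += ["alert SOC", "block source", "force password reset"]
                break
    return verdicts
```

Calling `evaluate(SAMPLE_LOG)` shows 203.0.113.9 allowed by the perimeter and accepted by authentication, yet flagged and blocked by the behavioral layer, while 192.0.2.44 is dropped at the first layer and 198.51.100.7 passes all three.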


All in all, Defense in Depth is the best option for keeping your business information as secure as possible, because it guarantees there is more than one layer of security protecting it, on the physical side as well as the digital one.