Defense in Depth

Layering security measures is called Defense in Depth. Though zero trust is the phrase of the day, defense-in-depth can be a complementary approach to security.

Preventive measures can prevent breaches of confidentiality, for example, measures such as file encryption, TLS encryption for websites, or protecting a certificate key.

Detective measures include intrusion detection/prevention systems (IDS/IPS) or other measures that alert you when there is an unauthorized intrusion on the network.

Recovery measures include backups and other measures to maintain resource availability. Whether daily, incremental, or full, you need a backup plan.


Layer 1 = Policies, Procedures, Awareness
Layer 2 = Physical Security
Layer 3 = Perimeter Security
-Border Routers, Firewalls, DMZs, IDS/IPS,
Layer 4 = Network Security
-Access control(NAC), network-based firewalls, anti-malware gateway, network segmentation, wireless security
Layer 5 = Host Security
-Anti-malware, host-based firewalls, host-based IPS, patch management, backups
Layer 6 = Application Security
-Application layer firewalls
-Application Configuration Baselines
-Input validation(server-side/client-side)
Layer 7 = Data Security



–Implemented through policies, procedures and guidelines
–Implemented through technology
–Firewalls, anti-malware, IDS/IPS
-Physical(Objective 5.7)
-Preventative(Objective 5.7)
–Any controls that stop something from happening
–Locks, biometric devices, mantraps
-Deterrent(Objective 5.7)
–Any type of control that warns an attacker to stay away and not attack
Lighting, Security Guards, strobe lights, security cameras
-Detective(Objective 5.7)
–The purpose is to uncover violations
–Anti-malware, IDS/IPS, motion sensors
–Alarms triggered when a door is opened
-Corrective(Objective 5.7)
–Restores a system or systems to the state prior to the event
–They seek to minimize the impact on the company
–Backup software, backups, snapshots, OS upgrades
-Compensating(Objective 5.7)
–These controls come to the assistance of controls that fail
–Signs are deterrents, but alarms compensate for signs
–Emergency exit with sign(both are deterrents, however if and alarms are triggered then the alarm is a compensating control)
–UPS, DR Sites

User training is part of defense.

One thought on “Defense in Depth”

Leave a Reply

Your email address will not be published. Required fields are marked *