Defense in Depth: Everything to Know About the Cybersecurity Model

The COVID-19 pandemic altered the business world and upended the way businesses operate. While the first two years in the post-COVID era marked unplanned reinvention for survival, organizations have now set about making intentional transformations to thrive in the new normal. The increasing adoption of digital technologies and tools, the transition of the workforce from on-site to remote and hybrid, and the expansion of data footprint from on-premises network perimeters to hybrid cloud infrastructures are all indications of the way forward for businesses in this new age.

While this evolving landscape provides many advantages for businesses in terms of efficiency, productivity and customer experience, it also has its fair share of challenges. As the business world gets increasingly digital and interconnected, it is simultaneously subject to ever-growing cyberthreats. Even before the global pandemic, organizations faced a dynamic threat environment while trying to innovate and extract value from digital technologies. However, the urgency to adapt to the evolving digital world in the post-COVID period and the resulting accelerated digital transformation have made the threat landscape all the more intimidating for organizations, and alarmingly, they are often not prepared to tackle these new threats. According to ThoughtLab’s Cybersecurity Solutions for a Riskier World report, 41% of executives think their security initiatives have not kept up with their digital transformation.

Against this backdrop, the significance of the defense-in-depth (DiD) model becomes all the more relevant for organizations. Based on the core belief that a single layer of defense mechanism is inadequate to defend an organization against various threats, it leverages multiple layers of sometimes redundant defensive measures.

What is defense in depth?

Defense in depth is a cybersecurity strategy that utilizes multiple layers of security to holistically protect the confidentiality, integrity and availability of an organization’s data, networks, resources and other assets. The National Institute of Standards and Technology (NIST) defines defense in depth as an “Information security strategy integrating people, technology and operations capabilities to establish variable barriers across multiple layers and missions of the organization.” In this approach, if one layer fails, the next one steps in to thwart the attack. Thus, a cyberthreat that exploits a specific vulnerability will not become successful, in turn enhancing an organization’s overall security against many attack vectors.

An effective DiD strategy may include these (and other) security best practices, tools and policies:

  • Firewalls
  • Intrusion detection/prevention systems (IDS/IPS)
  • EDR (Endpoint detection and response)
  • Network segmentation
  • Principle of least privilege
  • Strong passwords and/or multifactor authentication (MFA)
  • Patch management

Where did defense in depth originate?

Defense in depth is originally a military strategy devised to delay the advance of an intruding force rather than retaliating with one strong line of defense, buying time for the defending troops to monitor the attacker’s movements and develop a response. Over time, it has become a classical defensive strategy used in different industries, like nuclear, chemical and information technology.

While the cybersecurity approach has a similar name, it doesn’t correspond to the military strategy, where one line of defense is sacrificed to stall the enemy troops. Instead, defense-in-depth strategy in IT means leveraging multiple layers of security controls and solutions together to keep multiple threats at bay.

What is another term for defense in depth?

Defense in depth is also called the “castle approach” since it mimics the layered defenses in the medieval castle, like moats, drawbridges, ramparts, towers, bastions and palisades. Defense in depth utilizes conventional corporate network defenses as well as advanced and sophisticated measures to build the most robust and comprehensive security possible.

A castle representing the defense in depth cybersecurity model.

How does defense in depth compare to other security models?

Today, IT security and risk management teams have different security frameworks or philosophies to choose from. There are instances when they must choose one over the other. In other cases, they can utilize multiple frameworks to focus on different aspects of an organization’s security posture. However, these frameworks overlap in terms of many principles and technologies. Let’s see how defense in depth stacks up against or compares to two other prominent cybersecurity standards.

Defense in depth vs. layered security

While the terms “defense in depth” and “layered security” are often used (incorrectly) interchangeably, they are two different cybersecurity standards. However, they are not two competing concepts and have a lot of overlap with each other.

According to Techopedia, “the central idea behind layered security or defense is that in order to protect systems from a broad range of attacks, using multiple strategies will be more effective. Layered security can involve security protocols at the system or network levels, at the application level, or at the transmission level, where security experts may focus on data in-use over data at-rest.”

The layered security approach focuses on protecting endpoints and networks entirely by putting in multiple security controls that can cover the failings of any individual ones. It implements different kinds of controls at different levels, hardening the security of each level. For example, if an intruder manages to get past the firewall, they will still be required to authenticate before proceeding further. Layered security thus assumes that a comprehensive strategy, which is more than the sum of its individual components, can secure the entire network. However, it has a singular focus on threat origins and doesn’t consider a broad range of possibilities, which can breach parameters like incidental threats that are part of dangers not explicitly targeted at protected systems.

Contrary to this, defense in depth assumes that any collection of security solutions can never achieve complete security. While defense in depth leverages most of the security practices used in layered security, it also goes one step further to implement a broader range of controls and tactics, adding as many hurdles as possible to slow down attackers trying to break into the network. Defense in depth can be called a multifaceted strategic plan where layered security is just a subset. It assumes a broader range of threat possibilities and delivers a more robust defense.

Defense in depth vs. zero trust

Zero trust and defense in depth are two comprehensive cybersecurity strategies that complement each other. TechTarget defines the zero trust security model as “a cybersecurity approach that denies access to an enterprise’s digital resources by default and grants authenticated users and devices tailored, siloed access to only the applications, data, services and systems they need to do their jobs.” Zero trust model is based on the concept of “never trust, always verify,” which requires users and devices to continually undergo authentication and authorization to access applications, data, services and systems.

The focus of the zero trust model is to prevent attackers from the outset by necessitating continuous verification of users and devices. Meanwhile, defense-in-depth strategy relies on multiple layers of defense mechanisms to prevent attackers from getting into the security perimeter. In fact, zero trust environments leverage defense-in-depth security principles to enhance the security posture. Combining defense in depth and zero trust frameworks makes your organizational security strategy even more potent.

What is the purpose of defense in depth?

In today’s ever-evolving cyberthreat landscape, a single security layer or a single product cannot completely safeguard a network from every threat it might face. Adding multiple security solutions and practices can help organizations on that front to effectively mitigate a whole range of threats. Defense in depth’s layered defensive mechanisms thus greatly aid enterprises in reducing vulnerabilities, containing threats and mitigating risks.

What is an example of defense in depth?

Consider the security measures in your workplace. Even if you get authorized to enter the office building, you might need another authentication to enter your floor. Similarly, even if security guards are there for surveillance, your office would have CCTVs at every nook and corner to monitor what has missed their eyes. Also, you need specific passwords and authentications to log in to your system, office suite and networks. The defense-in-depth model uses such a series of seemingly redundant defensive measures to protect an organization’s data and network.

What is the benefit of a defense-in-depth approach?

The major advantage of the defense-in-depth model is its efficiency in thwarting a diverse range of threats. As enterprises scale their users, systems and networks, their threat landscape also burgeons. If a threat actor infiltrates the network, the multiple security layers that defense in depth put in place, like firewalls, antimalware and antivirus software, intrusion prevention or detection systems, and physical controls, give IT teams ample time to devise countermeasures.

Another advantage of defense in depth is redundancy. While redundancy may seem wasteful in security at first glance, it closes the gaps created by individual solutions and effectively mitigates the damage to the entire network.

What are some drawbacks of defense in depth?

Since defense in depth involves multiple layers that must be implemented, managed and maintained, it can be difficult to coordinate them. Another disadvantage of defense-in-depth strategy is its cost. It can get more costly over time with licensing fees of multiple security products.

What are the 3 key layers of defense in depth?

Defense-in-depth model can vary according to an organization’s requirements and resource availabilities. Nevertheless, every defense-in-depth layered security architecture has three core parts — administrative controls, physical controls and technical controls — that are designed to protect your network’s administrative, physical and technical aspects.

Administrative controls

Administrative controls are security measures that consist of policies and procedures directed at an organization’s employees. System administrators and security teams set these policies and practices to restrict permissions to users and guide them on how to enhance security. It includes control access to corporate assets, internal systems and other sensitive data and applications. Examples of administrative controls are information security policies, third-party risk management frameworks, information risk management strategies and cybersecurity risk assessments.

Physical controls

Physical controls are security measures that defend data centers, IT systems and other physical assets from threats like unauthorized access or data thefts. Measures like security guards, CCTVs, ID card scanners and biometric security that prevent physical access come under physical controls.

Technical controls

Technical controls encompass security measures that protect network security and IT assets using different types of hardware and software. Examples are intrusion protection or detection systems, web application firewalls, two-factor or multifactor authentications, biometrics, virtual private networks and encrypted backups.

How does defense in depth prevent attacks?

Defense in depth leverages an array of security products, policies and practices to limit the risk to network and resources. It implements different measures at different levels to bolster network security against various threat vectors.

Let’s look at some of the ways in which the defense-in-depth model thwarts cyberthreats.

Monitoring and prevention

Defense in depth implements different policies and tools to proactively detect cyberthreats and data breaches and protect corporate networks. The monitoring and prevention of cyberthreats involve various measures, including auditing and logging, vulnerability scanning and sandboxing. Security awareness training is also a significant step as it aids users and employees in understanding their role in preventing data breaches.

Meanwhile, organizations can leverage leading-edge technologies like artificial intelligence, machine learning and big data analytics to do a behavioral analysis of users and devices. This will help security teams identify anomalies and prevent attackers from executing their plans. Patch management is also a critical step in that regard since it fixes the vulnerabilities in applications and software.

Authentication

The defense-in-depth model implements different authentication tactics to provide users and devices access to applications, systems and data. In addition to strong password security and biometrics, it implements two-factor or multifactor authentications and single sign-on. While multifactor authentication requires users to provide two or more verification factors to gain access to an asset or data, single sign-on empowers users to securely authenticate with different applications and platforms with just a single set of credentials.

Access controls

The defense-in-depth model also implements different access controls for users and devices. Timed access control enables IT teams to control traffic to their network based on time periods. Similarly, least privileged access is an access control that provides devices and users only the access rights required to do the job.

Network security

Network segmentation, firewalls, VPNs, and intrusion detection systems (IDS) and intrusion prevention systems (IPS) are a few measures defense in depth takes to limit the exposure of applications and data within the network to outside users. Through setting up different wireless networks for internal and external users, network segmentation enables organizations to better protect sensitive data from unauthorized users. Similarly, firewalls are hardware or software appliances that control access to a network through policies and rules. VPNs create a secure tunnel for external users into a network and IDS and IPS alert and prevent malicious activities on networks.

Endpoint security

Securing entry points or endpoints of user devices is also critical in the defense-in-depth model. Antivirus and anti-spam software, endpoint detection and response, and endpoint privilege management are different ways organizations can bolster their endpoint security.

Data protection

Data encryption and data hashing to secure data from unauthorized users are also ways defense in depth enhances security. Notably, backup also has a critical role to play in an organization’s defense-in-depth strategy. Having a reliable backup and restore solution helps businesses recover business-critical data in the wake of an unfortunate event. A delay in recovering mission-critical data could drastically impact a business. A backup solution, especially one where data is stored securely on the cloud, empowers accurate and swift recovery, enabling enterprises to recover their data in minutes.

Support the defense-in-depth security model with Spanning 360

Spanning 360 is an enterprise-class, end-to-end protection for Microsoft 365 and Google Workspace that combines multiple layers of defense to strengthen data security. Spanning 360 helps prevent, anticipate and mitigate account compromise and data loss through a layered strategy.

Spanning 360 includes:

  • A powerful phishing defense platform that leverages AI and machine learning to detect and block even the most sophisticated email threats.
  • Spanning Dark Web Monitoring that scans the dark web for compromised or stolen credentials.
  • Spanning Backup that provides comprehensive, automated backup of critical data.

To learn more about how Spanning 360 can enhance your defense-in-depth strategy, request a demo today.

Request a Demo