What is Defense in Depth? Defined and Explained | Fortinet (2024)

Defense in depth is a strategy that leverages multiple security measures to protect an organization's assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach.

Today’s cyber threats are growing rapidly in scale and sophistication. Defense in depth is a comprehensive approach that employs a combination of advanced security tools to protect an organization's endpoints, data, applications, and networks. The goal is to stop cyber threats before they happen, but a solid defense-in-depth strategy also thwarts an attack that is already underway, preventing additional damage from taking place.

Antivirus software, firewalls, secure gateways, and virtual private networks (VPNs) serve as traditional corporate network defenses and are certainly still instrumental in a defense-in-depth strategy. However, more sophisticated measures, such as the use of machine learning (ML) to detect anomalies in the behavior of employees and endpoints, are now being used to build the strongest and most complete defense possible.

Defense in depth is needed now more than ever as more employees work from home and as organizations increasingly rely on cloud-based services. With employees working from home, organizations must address the security risks associated with employees using their own devices for work and their home Wi-Fi connection to enter the corporate network.

Even with IT resources in place, vulnerabilities are inherent in devices used for both work and personal use—vulnerabilities exploited by cyber criminals. Further, with more companies using cloud-hosted, Software-as-a-Service (SaaS) applications, many of which are mission-critical, the privacy and security of an increasing amount of data entered through websites remain difficult to manage.

The concept of defense in depth is no different from physical security, such as that used for a building or to start work in an office environment. Building security has many layers, some of which may be considered redundant:

1. An employee uses a key card to enter the building.
2. A security guard keeps watch in the lobby.
3. Security cameras record all movements in the lobby, on each floor, and in the elevator.
4. Once arriving at her floor, an employee must use her key card to open the door to the office floor.
5. Once at her desk, the employee turns on her computer and enters her password and temporary four-digit code (two-factor authentication) to log in to the company network.

These are, of course, just a handful of security steps that the employee must take to begin work for the day. Some of these may seem unnecessary and some measures may seem stronger than others, but taken together, they are analogous to a defense-in-depth strategy in place within organizations.

The following are some common issues organizations have to deal with when implementing acybersecurity strategy:

1. Anti-malware software has not been updated or is not installed on all devices.
2. Employees have not been trained and are falling victim to phishing schemes.
3. Software patches are not being updated or are ignored.
4. Security policies are not enforced or even known by employees.
5. Missing or poorly implemented encryption.
6. Remote employees are connecting to unsecured networks, such as the public internet.
7. Physical security flaws, such as unsecured server rooms.
8. Business partners, such as cloud service providers, are not fully secure.

Imagine allof these issues taking place at once. The only way for an enterprise to defend itself from vulnerabilities is with a solid, comprehensive defense-in-depth strategy. If one measure fails, another measure is on standby ready to take action.

The multi-tiered approach to security in a defense-in-depth system incorporates elements from the following areas:

1. Physical controls: Examples include key cards to enter a building or scanners to read fingerprints.
2. Network security controls: This is software that authenticates an employee to enter the network and use a device or application.
3. Administrative controls: This authorizes employees, once authenticated, to access only certain applications or parts of the network.
4. Antivirus: This is the tool that stops malicious software from entering the network and spreading.
5. Behavioral analysis: Algorithms and ML can detect anomalies in the behavior of employees and in the applications and devices themselves.

By layering and even duplicating security processes, the likelihood of a breach is minimized. Most organizations recognize that a single layer of security or a single point product (e.g., a firewall) does not go far enough to protect the enterprise from the increasing sophistication of today's cyber criminals.

For example, if a hacker successfully infiltrates an organization's network, defense in depth gives administrators time to launch countermeasures. Antivirus software and firewalls should be in place to block further entry, protecting the organization's applications and data from compromise.

Redundancy in security may, at first glance, seem wasteful. However, a defense-in-depth strategy prevents threats because when one security product fails, another security product is in place to take over.

Though used interchangeably (and incorrectly), the term "layered security" is not the same as defense in depth.

Layered security is having multiple products in place to address one single aspect of security. The products may be very similar and aim to do the same job, but in a layered security strategy, they are both necessary. Using seemingly redundant products strengthens the enterprise's defense against threats.

For example, a gateway and a firewall both determine which data should be allowed to enter the network. There are certainly differences between the two—a gateway is hardware while a firewall is both hardware and software—but they both aim to restrict access to certain websites and applications. Once the gateway and firewall have done their jobs—an employee has been allowed to visit a particular website, for example—another security product or service will have to take over if the employee wants to enter a password to log in to that website.

The next security product can be multi-factor authentication (MFA), which prevents access to a website unless multiple credentials are provided. In other words, layered security only addresses one dimension of security or one vector of attack while defense in depth is broader, multi-faceted, and more strategic in scope. It can also be said that layered security is a subset of defense in depth.

A layered security strategy is evaluated in three different areas: administrative, physical, and technical. Administrative controls include the policies and procedures needed to restrict unauthorized access, such as role-based access control (RBAC) or employee training to protect against phishing scams. Physical controls incorporate physically securing access to the IT system, such as locking server rooms, while technical controls include the mix of products and services the organization selects to address security.

Core layers to carry out a defense in depth strategy should include:

1. Strong, complex passwords
2. Antivirus software
3. Secure gateway
4. Firewall
5. Patch management
6. Backup and recovery
7. The principle of least privilege, or giving a user the minimum access level or permissions needed to do his or her job

As companies grow and the number of devices, applications, and services used across the organization increases, these serve as important security layers in a defense-in-depth strategy:

1. Two-factor authentication (2FA) or multi-factor authentication (MFA)
2. Intrusion detection and prevention systems
3. Endpoint detection and response (EDR)
4. Network segmentation
5. Encryption
6. Data loss prevention
7. VPNs