Defense in depth refers to a cyber security strategy in which multiple products and practices are used to safeguard a network.
"Defense in depth" (DiD) is a cyber security strategy that uses multiple security products and practices to safeguard an organization’s network, web properties, and resources. It is sometimes used interchangeably with the term "layered security" because it depends on security solutions at multiple control layers — physical, technical, and administrative — to prevent attackers from reaching a protected network or on-premise resource.
Originally, defense in depth described a military strategy in which one line of defense was sacrificed in order to stall opposing forces. Despite the similar name, that approach does not parallel this security strategy, in which multiple products work together to keep attackers and other threats at bay.
The guiding principle of a defense in depth strategy is the idea that a single security product cannot fully safeguard a network from every attack it might face. However, implementing multiple security products and practices can help detect and prevent attacks as they arise, enabling organizations to effectively mitigate a wide range of threats. This approach becomes increasingly important as organizations scale their networks, systems, and users.
Another advantage of layered security is redundancy. If an external attacker takes down one line of defense or an insider threat compromises part of an organization's network, other security measures can help limit and mitigate the damage to the entire network. By contrast, using only one security product creates a single point of failure; if it becomes compromised, the entire network or system can be breached or damaged as a result.
While defense in depth strategies vary according to an organization’s needs and available resources, they commonly include one or more products in the following categories:
Physical security controls defend IT systems, corporate buildings, data centers, and other physical assets against threats like tampering, theft, or unauthorized access. These may include different types of access control and surveillance methods, such as security cameras, alarm systems, ID card scanners, and biometric security (e.g. fingerprint readers, facial recognition systems, etc.).
Technical security controls encompass the hardware and software needed to prevent data breaches, DDoS attacks, and other threats that target networks and applications. Common security products at this layer include firewalls, secure web gateways (SWG), intrusion detection or prevention systems (IDS/IPS), browser isolation technologies, endpoint detection and response (EDR) software, data loss prevention software (DLP), web application firewalls (WAF), and anti-malware software, among others.
Administrative security controls refer to the policies set by system administrators and security teams that control access to internal systems, corporate resources, and other sensitive data and applications. It may also include security awareness training to ensure that users practice good security hygiene, keep data confidential, and avoid exposing systems, devices, and applications to unnecessary risks.
In addition to security products and policies, organizations need to implement strong security practices to limit the risk to their networks and resources. These may include one or more of the following:
Least-privilege access is the principle of granting users permission to access only the systems and resources they need for their role. This helps minimize risk to the rest of the network if a user’s credentials are compromised and an unauthorized user attempts to carry out an attack or access sensitive data.
Multi-factor authentication (MFA), as its name suggests, requires multiple forms of authentication in order to verify the identity of a user or device before allowing access to a network or application. MFA typically includes practicing strong password hygiene (i.e. passwords that are complex, difficult to guess, and changed often), establishing strict controls for devices, and verifying identity via external devices and tools (e.g. entering a verification code from a mobile device).
Encryption protects sensitive data from being exposed to unauthorized or malicious parties. Information is concealed by converting plaintext (information that is readable by humans) to ciphertext (randomly generated combinations of letters, numbers, and symbols).
Network segmentation helps limit the exposure of internal systems and data to vendors, contractors, and other outside users. For instance, setting up separate wireless networks for internal users vs. external ones enables organizations to better protect sensitive information from unauthorized parties. Network segmentation can also help security teams contain insider threats, limit the spread of malware, and adhere to data regulations.
Behavioral analysis can help detect abnormal traffic patterns and attacks as they occur. It does this by comparing user behavior against a baseline of normal behavior that has been observed in the past. Any abnormalities can trigger security systems to redirect malicious traffic and prevent attacks from being carried out.
Zero Trust security is a security philosophy that bundles many of the above concepts, with the assumption that threats are already present inside a network, and no user, device, or connection should be trusted by default.
These are just a few of the practices that should be employed in a layered security approach. As attack types continue to evolve to exploit vulnerabilities in existing security products, new products and strategies must be developed to subvert them.
An effective defense in depth strategy requires not only layered security controls, but integrated security practices as well. Although these terms sound similar, they carry slightly different meanings:
Think of layered security as a suit of armor that has been sourced from multiple sellers. Some pieces of armor might be newer or higher quality than others; although the wearer is protected from many types of physical harm, there may be gaps between different pieces of armor or weak spots where the wearer is more vulnerable to attack.
By contrast, integrated security is like a custom suit of armor. It may consist of different pieces (security controls), but they are each inherently designed to work together to protect the wearer — without leaving gaps or weak spots.
When configuring cyber security solutions, however, purchasing multiple security products from a single vendor does not always guarantee that an organization is receiving the benefits of an integrated approach. For more on this topic, see "The future of web application security."
Cloudflare's integrated security suite is designed to learn from and operate seamlessly with other security and performance products. For example, Cloudflare Bot Management effectively blocks malicious bot activity on its own, but gains additional capabilities when combined with the Cloudflare WAF, which enables customers to dynamically block requests that look automated and triggers other identifiers.
Shared threat intelligence is also a crucial component of Cloudflare's approach to defense in depth. With millions of Internet properties on its vast global network — spanning over 250 locations — Cloudflare can glean insights from traffic patterns and improve defenses against new and developing threats.