Defense in Depth: The Secret to a Successful Security Strategy

For better or worse the digital transformation has changed the way we live and work. While the digital age has improved our productivity and connectedness, it has also opened up new avenues for attackers to steal from us, and spy on us. To combat modern-day threats like targeted ransomware and social engineering, we must look back to a defense strategy born in medieval times; the castle approach.

Defense in Depth Explained:

Illustrated castle with a purple roof

If you wanted to breach a castle, you would have needed to circumvent many layers of security. Moats, ramparts, towers, and fire breathing dragons all would’ve stood in your way. If one security measure failed to prevent the breach, there was another measure in place to halt your advance.

Today, the castle approach to security is known as defense in depth. In place of moats, towers, and dragons protecting a castle, defense in depth relies on physical controls, technical controls, and administrative controls to defend your organization’s network and critical assets.

What is Defense in Depth?

“[Defense in Depth] is the application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.”

-NIST

Defense in Depth Controls

Physical controls are the security measures that prevent an attacker from physically accessing your networks, data, facilities, hardware, or software. Physical controls comprised mainly of access controls that ensure only authorized individuals can access certain areas, as well as surveillance tools to monitor your organization and detect any intrusions.


Technical controls are the security measures used to protect your network environment and digital data from theft, corruption, and unauthorized access. A mix of hardware and software tools such as firewalls, antivirus, email security, and VPNs are used to preserve your network and data.


Administrative controls are security measures directed at your personnel to ensure the safe handling, transmission, and storage of data as well as the promotion of good overall cyber-hygiene. These controls are less palpable than the first two controls because administrative controls are policies and procedures rather than a physical security device like a security camera or firewall.

How Does Defense in Depth Work?

Defense in depth works on all levels of information security, from the lone remote worker connecting to public Wi-Fi at their favorite coffee shop to the enterprise with their own servers and hundreds of employees on-site.  Even if one of their security layers fails or becomes compromised, defense in depth helps organizations protect network resources. It’s often described as an onion because an attacker will have to go through many layers to access your data. Since no single security measure is guaranteed to withstand every attack, it faces, combining multiple layers of security, such as security audits, data encryption, and intrusion detection will be more effective against attacks than any single security measure alone.

The key to protecting your information systems is ensuring that all components used in the defense-in-depth approach are up to date and your end users are following policies and procedures. Without adequate compliance to policies, it doesn’t matter what security measures are in place as the action of one individual can cause significant harm to your organization.

With the frequency and complexity of cyber attacks increasing every year, what is your organization doing to prevent attacks today and prepare for attacks tomorrow?

If you’re serious about maintaining and defending the availability, integrity, and confidentiality of your network and data, start with a defense in depth strategy.  For more information and assistance with your cybersecurity posture, feel free to contact us!