What is Defense in Depth? Best Practices for Layered Security
Defense in depth (DiD)—also known as layered defense—is a cybersecurity strategy that aims to safeguard data, networks, systems, and IT assets by using multiple layers of security controls.
Wiz Experts Team
8 minutes read
What is defense in depth?
Defense in depth (DiD)—also known as layered defense—is a cybersecurity strategy that aims to safeguard data, networks, systems, and IT assets by using multiple layers of security controls. DiD involves a series of overlapping defense mechanisms (think security tools, procedures, and best practices) designed to keep systems resistant to full penetration. The idea is that if one defense layer is breached, other layers will prevent the attacker from advancing through the systems or reaching valuable assets.
The XZ Utils backdoor (CVE-2024-3094), which allowed remote code execution on affected Linux systems, shows the pressing need for defense in depth. After all, businesses who already have a defense-in-depth strategy were able to detect and respond to the vulnerability in real time. (How? With measures like agentless scanning and software bill of materials generation, in addition to downgrading to an uncompromised version—as suggested by CISA.)
Now that you understand the basics, let’s dig deeper into how a defense-in-depth strategy works, key benefits, and best practices.
Based on the assumption that everything inside the network is safe, perimeter-based security only protects enterprises from threats coming from outside the network. But the work-from-home model, where employees use PCs and network devices (that might be hacked or bugged), has shown that this assumption is wrong. With no way to gauge the security posture of employee devices, organizations can no longer depend on traditional perimeter-based security to completely secure their environments.
Cyberattackers are also getting more innovative, deploying tactics, techniques, and procedures (TTPs) that target internal systems through phishing and social engineering. These TTPs allow threat actors to easily slip through security tools and controls aimed at keeping the perimeter impenetrable. To truly secure enterprise environments resilient to cyberattacks, organizations must adopt layered security in addition to perimeter-based security.
Multilayered protection for cloud and hybrid environments
Cloud adoption has blurred traditional perimeters and created new attack vectors. Organizations now have to deal with cloud risks like misconfigurations, compromised credentials, unsecured APIs, and identity access management (IAM) issues.
Then there are the realities of hybrid and multi-cloud environments. Businesses with hybrid environments face the complexities of securing on-premises systems—particularly inconsistent security controls. The solution to these challenges is DiD, with its multilayered protection across endpoints, data storage, networks, and apps.
Think of defense in depth as offering the kind of security that kept medieval castles standing despite centuries of attacks. They were protected by a multilayered security architecture—from moats, high walls, archers, and soldiers, to secret tunnels, if all else failed.
Just like the medieval castle defense strategy, DiD implements complementary security measures and controls across layers of the IT stack. This creates redundancy, making your IT stack impervious to various attacks from within and without.
How defense in depth helps: Benefits and principles of DiD
The key components of a DiD strategy include:
Implementing multiple defenses at every layer using strategies like encryption, access controls, endpoint protection, and vulnerability management;
Building redundancy into security with measures like MFA, zero trust, and data backup and recovery;
Isolating critical assets such as networks and sensitive datastores;
Enforcing least privilege to protect sensitive data from unauthorized access and data breaches; and
Continuously monitoring the entire IT stack to detect threats early and improve enterprise security posture.
By following these DiD principles, you can ensure proactive security and risk management and protect yourself from common attack vectors like lateral movement and privilege escalation. DiD equally reduces the potential impact of attacks and ensures effective incident detection and response.
Imagine an attacker is trying to access your enterprise’s sensitive assets by using a keylogger or stolen credentials. Using a defense-in-depth (DiD) technique like MFA, you require them to enter their biometrics and an OTP in addition to the stolen credentials. The result is there’s no way for them to get in.
Or let’s say that an attacker somehow manages to gain access to a critical asset like your Kubernetes environment, mechanisms like principle of least privilege (POLP) and zero-trust architecture (ZTA) can prevent them from carrying out state-changing actions like deleting resources or changing security configurations.
Continuous monitoring will also expose intruders in real time before they can do significant damage, limiting the blast radius of the attack, minimizing the cost of the breach, and ensuring business continuity.
Another important benefit of DiD is regulatory compliance. By definition, DiD meets compliance with standards like NIST, GDPR, PCI DSS, and HIPAA, which mandate the use of layered security controls like encryption, IAM, and continuous monitoring.
How defense in depth works: Key components
The effectiveness of DiD stems from its ability to identify various components of IT environments and provide protection to tackle the vulnerabilities associated with each. Here's a closer look at the key components and how they work.
Physical security
Protecting physical assets—servers, networking devices, and data centers—is the only way to keep sensitive infrastructure and data safe. With physical security measures in place, enterprises can control access to (and prevent tampering with) sensitive infrastructure and data. DiD measures at the physical layer include restricting access to facilities via security/e-cards and monitoring access and activities using surveillance systems.
Perimeter and network security
Perimeter defense protects external networks from malicious access and activities, and network layer security protects systems, devices, and resources from insider threats and threats that crop up from a successful external perimeter breach. Protective measures include web application firewalls (WAFs), intrusion detection systems (IDSes), secure web gateways, and network segmentation.
Host and endpoint security
Hosts and endpoints (such as servers, laptops, and mobile devices) are access points into the network. DiD measures may include enforcing strict access controls via account lockout and MFA, using IDSes, deploying endpoint detection and response (EDR) solutions, and leveraging antivirus and antimalware software.
Application security
Application security focuses on securing software applications from SQL injection, cross-site scripting (XSS), distributed denial-of-service (DDoS), and other attacks. DiD measures at the application layer include secure coding practices throughout the SDLC, input validation and output encoding, authentication and authorization, and more.
Data security
Implementing DiD at this layer involves protecting sensitive data in storage during processing and transmission. Measures adopted here include data classification by sensitivity, data encryption in transit and at rest, data masking, and data security posture management.
Security operations
This layer includes policies, best practices, and procedures adopted for consistent and effective security across multi-cloud and hybrid cloud environments. DiD measures include risk assessment and prioritization, security policy development and distribution, policy review and approval, and continuous monitoring.
In DiD, the security of each of these layers are consolidated, rather than isolated, allowing the failure of one security measure or tool to be counteracted by the next. Say an attacker bypasses your WAF and conducts packet sniffing attacks: Data encryption prevents them from deciphering packet contents, endpoint security prevents ransomware injection, and continuous monitoring allows for swift detection and response.
Defense in depth in cloud environments
The idea behind DiD remains the same for traditional, self-hosted, and cloud infrastructures. No matter the architecture, DiD is still about layers of interconnected controls. But the shared responsibility model of the cloud and the unique features of various cloud models introduce certain differences when it comes to DiD in the cloud.
For one, DiD at the physical layer becomes the responsibility of the cloud service provider (CSP). Data security remains the cloud customer’s responsibility but is facilitated by CSPs via built-in encryption mechanisms, IAM, and secrets management solutions. Network and app security become either a shared responsibility (as in SaaS models) or the customer’s responsibility, requiring CSPM and CNAPP solutions.
Another wrinkle is that the cloud’s dynamic nature becomes a major concern in DiD implementation, with misconfigurations, identity access management, and rapidly emerging threats taking center stage. Plus, the use of third-party code, APIs, libraries and frameworks is on the rise. This means that an ideal DiD solution must consider third-party vulnerabilities (hello, SBOM!). And DiD implementation in the cloud must also involve implementing API protection measures like authentication and authorization, rate limiting, throttling, and input validation.
Defense in depth vs. similar security approaches
DiD is often confused with other similar security techniques. Let’s take a look at their differences.
Defense in depth vs. layered security
DiD integrates multiple security measures and tools across various layers of the IT stack, and layered security uses varied security measures for each layer. While DiD consolidates layered defense for effective protection, layered security protects various layers without integrating the controls, often resulting in siloed security.
Defense in depth vs. zero trust
As Forrester notes, DiD and zero trust are complementary approaches to security. In fact, one of the ways to implement DiD is to enforce zero trust. DiD protects IT stacks from full penetration and zero trust continuously authenticates users before granting access to sensitive assets. Together, they improve the overall security posture of IT environments.
Defense in depth vs. defense in breadth (DiB)
DiD protects IT stacks, one layer after the other, using a series of coordinated security measures. On the other hand, DiB safeguards a single layer using multiple security tools and measures (e.g., using EDRs and zero-day threat analysis tools for a single endpoint device).
Defense in depth vs. layered countermeasures
Layered countermeasures address specific security issues by deploying multiple security solutions, but DiD safeguards the entire stack, preventing a broader range of security risks.
How to implement defense in depth: DiD challenges and best practices
A major challenge with implementing DiD is that if it isn’t carefully planned out, enterprises may end up securing some aspects with multiple defenses but ignoring others entirely, leaving security gaps that could have devastating consequences.
There are no shortcuts to implementing DiD. Organizations can’t simply lump a variety of tools and techniques together and call it a day. A successful DiD implementation should include best practices outlined by CISA:
Discover key assets and layers to secure. This will allow you to prioritize the most critical and high-risk assets and apply the right security controls for each.
Understand the relationship between threats, vulnerabilities, attackers, and the security measures you’re implementing. These insights will empower you to understand how attackers breach IT stacks despite the security measures in place so you can develop countermeasures to repel attacks.
Use security solutions that integrate multiple layers to minimize blind spots.
Enforce standards and policy compliance by implementing relevant security measures.
Apply essential security practices like encryption, least-privilege access, and zero trust.
Continuously monitor all layers. This will require using tools such as data security posture management, cloud security posture management, and threat detection and response solutions.
Stay ahead of threats by auditing and updating your security tools and policies from time to time.
How Wiz facilitates defense in depth
Wiz offers a comprehensive defense-in-depth strategy through its integrated solutions: Wiz Code, Wiz Cloud, and Wiz Defend. Each component addresses specific layers of security to ensure robust protection across the entire cloud environment.
1. Wiz Code: Secure Cloud Development
Code Security: Identifies vulnerabilities, exposed secrets, and misconfigurations within the codebase, preventing risks from reaching production.
Infrastructure as Code (IaC) Scanning: Analyzes IaC templates for misconfigurations and validates them against over 1,000 rules for platforms like Terraform, CloudFormation, and Kubernetes.
Developer Integration: Provides real-time security feedback directly within Integrated Development Environments (IDEs) and pull requests, enabling developers to address issues promptly.
2. Wiz Cloud: Manage Security Posture
Agentless Visibility: Offers comprehensive visibility into multi-cloud environments without the need for agents, facilitating efficient risk assessment.
Risk Prioritization: Utilizes the Wiz Security Graph to correlate vulnerabilities, misconfigurations, and identity risks, enabling effective prioritization and remediation.
Compliance Monitoring: Continuously assesses compliance against frameworks such as PCI, GDPR, and HIPAA, providing automated reporting to ensure adherence to regulatory standards.
3. Wiz Defend: Respond to Cloud Threats
Runtime Protection: Employs the Wiz Runtime Sensor to monitor running processes, network connections, and system activities in real-time, detecting and responding to malicious behaviors.
Customizable Detection Rules: Allows the creation of custom runtime rules and response policies, enabling tailored threat detection and automated responses to high-confidence threats.
Threat Intelligence Integration: Incorporates insights from the Wiz Threat Center, providing up-to-date information on emerging cloud-native attacker tactics, techniques, and procedures.
By integrating these solutions, Wiz delivers a layered defense-in-depth approach, securing the entire cloud-native application lifecycle from development through deployment and runtime.
A single platform for everything cloud security
Learn why CISOs at the fastest growing organizations choose Wiz to secure their cloud environments.
Data access governance (DAG) is a structured approach to creating and enforcing policies that control access to data. It’s an essential component of an enterprise’s overall data governance strategy.
Cloud data security is the practice of safeguarding sensitive data, intellectual property, and secrets from unauthorized access, tampering, and data breaches. It involves implementing security policies, applying controls, and adopting technologies to secure all data in cloud environments.
SaaS security posture management (SSPM) is a toolset designed to secure SaaS apps by identifying misconfigurations, managing permissions, and ensuring regulatory compliance across your organization’s digital estate.
Data risk management involves detecting, assessing, and remediating critical risks associated with data. We're talking about risks like exposure, misconfigurations, leakage, and a general lack of visibility.
Cloud governance best practices are guidelines and strategies designed to effectively manage and optimize cloud resources, ensure security, and align cloud operations with business objectives. In this post, we'll the discuss the essential best practices that every organization should consider.