Defense in depth (computing)

Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited.^[1]

Background

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods.^[2] It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.^[3][4]

The onion model of defense in depth

Defense in depth is sometimes thought of as forming the layers of an onion, with data at the core of the onion, people the next outer layer of the onion, and network security, host-based security, and application security forming the outermost layers of the onion.^[5]

Tiers

Defense in depth can be divided into three overarching areas: Physical, Technical, and Administrative.^[6]

Physical

Physical controls are anything that physically limits or prevents access to IT systems. Examples of physical defensive security are: fences, guards, dogs, and CCTV systems.^[3]

Technical

Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls include disk encryption, file integrity software, authentication,^[7] network security controls, antiviruses, and behavioural analysis software.^[8]

In the event that one layer of defence fails, defense in depth aims to ensure network security via a second-line of defence.^[3] For example, if an attacker penetrates a computer system at a given OSI layer (e.g. Layer 3), a redundancy should exist at another layer (Layer 7) to ensure layered defense.^[3]

• Authentication, authorization, and accounting
• Confidentiality, integrity, and availability
• Authentication and password security

• Encryption
• Hashing

Application security

• Application security
• Web application firewalls^[7]

Host security

• Vulnerability scanners
• Sandboxing
• Endpoint detection and response^[7]

Network security

• Logging
• Intrusion detection systems^[7]
• Firewalls^[7]
• Demilitarized zones
• Network segmentation^[9]
• Virtual private network

Administrative and operational

Administrative controls are the organization's policies and procedures and govern the organisation's human resources, technology, and operations.^[3]

People

• Multi-factor authentication^[9]
• Password policies^[9][3]
• Internet Security Awareness Training^[7][3]

Technology

• Patch management^[9]
• Risk assessment^[3]
• Information assurance^[3]

Operations

• Principle of least privilege^[9]

Regulatory alignment

Defense in depth principles align with multiple regulatory frameworks that require layered security controls rather than reliance on single protective measures.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule implicitly mandates a defense in depth approach by requiring covered entities to implement administrative safeguards (45 CFR 164.308), physical safeguards (45 CFR 164.310), and technical safeguards (45 CFR 164.312) as complementary layers protecting protected health information."Summary of the HIPAA Security Rule". U.S. Department of Health and Human Services. Retrieved April 1, 2026. The December 2024 HIPAA Security Rule notice of proposed rulemaking (90 FR 898) would further codify layered defenses by simultaneously mandating network segmentation, encryption, multi-factor authentication, anti-malware deployment, and continuous monitoring as distinct but overlapping security controls."HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information". Federal Register. January 6, 2025. Retrieved April 1, 2026.

NIST Special Publication 800-53 organizes security controls into 20 control families spanning management, operational, and technical domains, providing a comprehensive defense in depth framework for federal information systems."NIST SP 800-53 Rev. 5: Security and Privacy Controls". National Institute of Standards and Technology. September 2020. Retrieved April 1, 2026. The NIST Cybersecurity Framework 2.0 similarly structures protective measures across the Identify, Protect, Detect, Respond, and Recover functions, reinforcing the layered security approach."NIST Cybersecurity Framework 2.0". National Institute of Standards and Technology. February 2024. Retrieved April 1, 2026.

See also

• Defense strategy (computing)
• Swiss cheese model

References

1. "Secure Product Design - OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved 2025-10-02.
2. "Security in the Cloud". Schneier on Security. 2006-02-15. Retrieved 2025-10-02.
3. National Security Agency, Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments.
4. OWASP CheatSheet: Defense in depth
5. "Security Onion Control Scripts". Applied Network Security Monitoring. Elsevier. 2014. pp. 451–456. doi:10.1016/b978-0-12-417208-1.09986-4. ISBN 978-0-12-417208-1. Retrieved 2021-05-29.
6. Stewart, James Michael; Chapple, Mike; Gibson, Darril (2015). CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons. ISBN 978-1-119-04271-6.
7. "What is defense in depth? | Layered security". www.cloudflare.com. Retrieved 2025-10-02.
8. "What is Defense in Depth? Defined and Explained". Fortinet. Retrieved 2025-10-02.
9. "Cybersecurity Spotlight - Defense in Depth (DiD)". CIS. Retrieved 2025-10-02.