Defence in Depth is a cybersecurity strategy that places a series of security controls and countermeasures at multiple layers to protect an organisation's assets. Instead of relying on a single security measure (such as a firewall), this approach assumes that any one control can fail or be bypassed and therefore builds redundancy. The goal is to create multiple, overlapping barriers that an attacker must overcome, slowing them down and increasing the chances of detection before they reach the asset. The layers only add protection if they fail independently: two controls that share the same credentials, the same administrator account or the same vendor bug are effectively one layer.
Layers & Examples
- Physical Layer: Securing the premises with fences, guards, access badges and CCTV cameras.
- Network Layer: Using firewalls, network segmentation and intrusion detection systems so that a compromise of one segment does not expose the whole network.
- Host Layer: Hardening individual servers and workstations with endpoint protection, timely patching and strong authentication.
- Application Layer: Implementing secure coding practices, input validation and per-user access controls within applications themselves.
- Data Layer: Encrypting sensitive data, and controlling access to the keys, so that the data is still protected if a breach occurs at another layer.
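As an added illustration, not part of the original page or of any ISO 27001 material, the following Python models three of these layers (network, host, application) as independent checks on a request to read a record, then shows two things the text only states: that a request still fails when one control fails open (here a "misconfigured firewall" is simulated by skipping the network layer), and which attack scenarios are stopped by only one layer. The allow-list, token secret, access-control list and the scenarios are constructed for the example; the physical and data layers are not modelled.

```python
"""Layered access check: every layer is an independent, fail-closed control."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import hashlib
import hmac
import re

# Constructed configuration for the example (not taken from the page).
TRUSTED_NETS = [ip_network("10.0.0.0/24")]            # network layer: source allow-list
TOKEN_SECRET = b"example-secret-not-for-production"   # host layer: session-token key
RECORD_ACL = {"payroll": {"alice"}}                   # application layer: who may read what
SAFE_RECORD_ID = re.compile(r"[a-z0-9_-]{1,32}")      # application layer: input validation


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: str
    token: str
    record_id: str


def mint_token(user: str) -> str:
    """Session token as an HMAC over the user name (stand-in for real session handling)."""
    return hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()


# Each control returns None to allow, or a short reason string to deny.
def network_layer(req: Request):
    if not any(ip_address(req.src_ip) in net for net in TRUSTED_NETS):
        return "source address not in allow-list"
    return None


def host_layer(req: Request):
    if not hmac.compare_digest(mint_token(req.user), req.token):
        return "invalid session token"
    return None


def application_layer(req: Request):
    if not SAFE_RECORD_ID.fullmatch(req.record_id):
        return "malformed record identifier"
    if req.user not in RECORD_ACL.get(req.record_id, set()):
        return "user not authorised for record"
    return None


LAYERS = [("network", network_layer), ("host", host_layer), ("application", application_layer)]


def evaluate(req: Request, failed=()):
    """Run the layers in order. A layer named in `failed` is simulated as having
    failed open (e.g. a misconfigured firewall) and is skipped. Returns
    (allowed, events). Every layer is evaluated even after a deny so the events
    show how many independent controls would have stopped the request."""
    events = []
    for name, control in LAYERS:
        if name in failed:
            events.append((name, "failed-open"))
            continue
        events.append((name, control(req) or "allow"))
    allowed = all(outcome in ("allow", "failed-open") for _, outcome in events)
    return allowed, events


def blocking_layers(req: Request):
    """Names of the layers that each deny the request on their own."""
    _, events = evaluate(req)
    return [name for name, outcome in events if outcome not in ("allow", "failed-open")]


def single_points_of_failure(scenarios):
    """Scenarios that exactly one layer stops: where depth is missing."""
    return [label for label, req in scenarios.items() if len(blocking_layers(req)) == 1]


# Constructed attack scenarios (addresses from the documentation ranges).
SCENARIOS = {
    "external attacker with stolen username": Request("203.0.113.5", "alice", "deadbeef", "payroll"),
    "insider without need-to-know": Request("10.0.0.7", "bob", mint_token("bob"), "payroll"),
    "insider injecting into the record id": Request("10.0.0.7", "alice", mint_token("alice"), "payroll' OR 1=1"),
    "legitimate request": Request("10.0.0.7", "alice", mint_token("alice"), "payroll"),
}

if __name__ == "__main__":
    for label, req in SCENARIOS.items():
        print(f"{label}: blocked by {blocking_layers(req) or 'nothing'}")
    allowed, _ = evaluate(SCENARIOS["external attacker with stolen username"], failed=("network",))
    print("external attacker with firewall failed open ->", "allowed" if allowed else "still denied")
    print("single points of failure:", single_points_of_failure(SCENARIOS))
```

The check worth keeping from this is `single_points_of_failure`: the two insider scenarios are stopped only by the application layer, so that is where an additional control (for example, encrypting the record so the key is released only to authorised users, or alerting on the denial) would add real depth. Note that `evaluate` keeps running after the first deny only so the example can count independent blocks; a production gateway would stop at the first deny but should still log which layer fired.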
ISO 27001 Context
While not a specific clause in the ISO 27001 standard, Defence in Depth is a foundational concept that underpins many of its controls: Annex A groups its controls into organisational, people, physical and technological themes, which map naturally onto the layers above. A layered approach is how an organisation shows that the residual risk from any single control failing has been considered and treated, which is central to the standard's requirements for risk treatment and for preserving the confidentiality, integrity and availability of information.