
Defense in Depth

I had no fewer than three separate conversations yesterday about the importance of Defense in Depth in the context of building out a comprehensive plan to secure a web application and its environment. In light of that, I wanted to share with you the basic concept and point out some places to read about this big idea in security.

Photo: A combination door lock is one possible countermeasure in a layered security approach, but there is so much more to defense in depth.


At its core, a Defense in Depth strategy means not relying on a single security measure or feature (called a technical control in security lingo) to protect or defend an information asset. Start by asking yourself (and your client) “what is the worst case scenario if ______ is compromised?” Then, based upon that answer, set up two or more security measures so that no single one stands between the attacker and the asset.

Some common practical security measures

Practical risk management

These are but a few of a large number of escalating security measures that can be brought forward to defend your application. You do not have to use all of the measures, nor should you use measures where the cost of the security controls outweighs the cost associated with a breach of the protected information.

Guards and dogs are great for controlling access to a building, but if the database can be breached from the internet they are not an effective control against that threat. Crypto cards, on the other hand, may stop an attacker in his tracks if the data is encrypted such that it cannot be accessed without the physical card.

Insider risk

It’s important to remember that the insider threat is real. It’s not just that an employee in your company has to go rogue either.

If an attacker gains access to a team member’s password, he can gain access to everything that employee had access to. If there are no additional security measures beyond the compromised password to prevent that access, the result is a data breach. Restricting information based on the principle of least privilege and requiring two-factor authentication would be two layers of defense protecting the sensitive information that a customer service agent can reach.
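To make the layering concrete, here is an added example (not code from the original post) that models the customer service agent scenario: a password check, an RFC 4226 HOTP second factor, and a least-privilege role check, each of which must pass. The user record, secret and role table are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample data: one customer service agent with the "support" role.
# The SHA-256 digest is a stand-in for a real password hash (use a KDF in practice).
USERS = {
    "agent": {
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "otp_secret": b"agent-secret-key",  # hypothetical shared secret for the second factor
        "role": "support",
    },
}

# Least privilege: each role sees only the record types its job needs.
ROLE_PERMISSIONS = {
    "support": {"customer_contact"},
    "finance": {"customer_contact", "payment_card"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_access(username: str, password: str, otp: str, counter: int, record_type: str):
    """Every layer must pass; failing any one denies access and names the layer that held."""
    user = USERS.get(username)
    if user is None:
        return (False, "unknown user")
    # Layer 1: knowledge factor (the password).
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(digest, user["password_sha256"]):
        return (False, "bad password")
    # Layer 2: possession factor; a stolen password alone stops here.
    if not hmac.compare_digest(hotp(user["otp_secret"], counter), otp):
        return (False, "bad one-time code")
    # Layer 3: least privilege; even a fully authenticated agent cannot read card data.
    if record_type not in ROLE_PERMISSIONS[user["role"]]:
        return (False, "role not permitted")
    return (True, "granted")
```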

Additionally, anything that the customer service agent has access to is something that a Social Engineering attack can talk that employee into divulging inappropriately. It was just this sort of attack that Kevin Mitnick was famous for. His Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker is a great read to learn how he did it. In the end, he compromised major companies as a conman, not through Hollywood movie-plot technical attacks.

Takeaway, it’s about layering

Defense in Depth is also known as layering. It is an important security architecture concept. If you remember nothing else from this post, I ask that you memorize this: always use several concurrent mechanisms to protect the information that must be protected.

Further reading