Defense-in-depth
A security strategy based on multiple overlapping layers of protection. The failure of one layer does not lead to compromise of the entire system.
What is defense-in-depth?
Defense-in-depth is a security strategy based on deploying multiple independent layers of controls, so that breaching one layer does not give the attacker access to protected assets. The concept originates from military doctrine and has been adapted for cybersecurity.
In practice, defense-in-depth covers several layers: physical (building and room access control), network (firewalls, segmentation, IDS/IPS), host (system hardening, EDR, application control), application (authentication, data validation, encryption), data (encryption, backups, DLP) and organisational (policies, training, incident response procedures).
In OT environments, defense-in-depth is particularly important because many industrial devices lack built-in security mechanisms. The IEC 62443 standard formalises this concept through the zones and conduits model, where each zone has an assigned security level and communication between zones is controlled.
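To make the zones and conduits model concrete, here is an added worked example (not SEQRED's code and not part of IEC 62443 itself) that models zones with an assumed target security level and conduits that carry an explicit allow list; traffic between zones is denied by default, so every cross-zone flow has to match a conduit rule. The zone names, security levels and ports (443 for HTTPS, 4840 for OPC UA, 502 for Modbus/TCP) are constructed for the example; the audit step flags the anti-pattern that undermines the model in practice, a wildcard conduit from a low-security zone straight into a higher-security one.

```python
"""Toy zones-and-conduits policy checker.

Constructed illustration of the IEC 62443 zone/conduit idea: zones carry a
security level, conduits carry explicit allow rules, and everything that is
not explicitly allowed between zones is denied.  Simplified model; not code
from the standard or from any vendor.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A rule is (protocol, port); ("*", "*") stands for "allow anything".
Rule = Tuple[str, object]


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int  # assumed target security level, 1 (lowest) to 4


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    allowed: FrozenSet[Rule]


@dataclass
class Policy:
    zones: Dict[str, Zone]
    conduits: List[Conduit]

    def is_flow_allowed(self, src: str, dst: str, protocol: str, port) -> bool:
        """Default deny between zones; only a matching conduit rule allows a flow."""
        if src not in self.zones or dst not in self.zones:
            raise KeyError(f"unknown zone in flow {src}->{dst}")
        if src == dst:
            return True  # intra-zone traffic is left to host-layer controls here
        for c in self.conduits:
            if c.src != src or c.dst != dst:
                continue
            if (protocol, port) in c.allowed or ("*", "*") in c.allowed:
                return True
        return False

    def audit(self) -> List[str]:
        """Flag conduits that let a lower-SL zone talk unrestricted into a higher-SL zone."""
        findings = []
        for c in self.conduits:
            src_sl = self.zones[c.src].security_level
            dst_sl = self.zones[c.dst].security_level
            if ("*", "*") in c.allowed and dst_sl > src_sl:
                findings.append(
                    f"{c.src}->{c.dst}: wildcard conduit from SL{src_sl} into SL{dst_sl}"
                )
        return findings


def make_policy(include_bypass: bool) -> Policy:
    """Build a constructed four-zone policy; include_bypass adds a flat any/any conduit."""
    zones = {z.name: z for z in (
        Zone("enterprise", 1), Zone("dmz", 2), Zone("control", 3), Zone("safety", 4))}
    conduits = [
        Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),   # HTTPS to the DMZ only
        Conduit("dmz", "control", frozenset({("tcp", 4840)})),     # OPC UA from the DMZ only
        Conduit("control", "safety", frozenset({("tcp", 502)})),   # Modbus/TCP from control only
    ]
    if include_bypass:
        # The weak setting: an "allow anything" path from the enterprise into control.
        conduits.append(Conduit("enterprise", "control", frozenset({("*", "*")})))
    return Policy(zones, conduits)


if __name__ == "__main__":
    hardened = make_policy(include_bypass=False)
    weak = make_policy(include_bypass=True)
    print("hardened: enterprise->control 4840 allowed?",
          hardened.is_flow_allowed("enterprise", "control", "tcp", 4840))
    print("weak:     enterprise->control 3389 allowed?",
          weak.is_flow_allowed("enterprise", "control", "tcp", 3389))
    for finding in weak.audit():
        print("audit:", finding)
```

In the hardened policy a flow from the enterprise zone to the control zone is refused even on the OPC UA port, because the only permitted path runs through the DMZ conduit; the same check in the weak policy passes for any port, and `audit()` reports the wildcard conduit as the reason, which is the kind of finding a zone and conduit review is meant to surface.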
Why does it matter?
No single security mechanism is infallible. Firewalls have configuration errors, EDR may fail to detect a new threat, and an employee may click a phishing link. Defense-in-depth ensures that a single failure does not lead to catastrophe: the next layer takes over the protective function.
Implementing defense-in-depth requires a holistic view of organisational security and a balanced investment across different layers. Focusing solely on the network perimeter (firewalls) while neglecting the host layer (EDR) or the organisational layer (training) creates a false sense of security.