Defense in depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system’s life cycle.
The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security. Defense in depth is originally a military strategy that seeks to delay rather than prevent the advance of an attacker by yielding space to buy time.
Examples
Using more than one of the following layers constitutes defense in depth:
- Antivirus software
- Authentication and password security
- Biometrics
- Demilitarized zones (DMZ)
- Data-centric security
- Encryption
- Firewalls (hardware or software)
- Hashing passwords
- Intrusion detection systems (IDS)
- Logging and auditing
- Multi-factor authentication
- Vulnerability scanners
- Physical security (e.g. deadbolt locks)
- Timed access control
- Internet Security Awareness Training
- Virtual private network (VPN)
- Sandboxing
- Intrusion Protection System (IPS)