What is the principle of "defense in depth"?

The principle of "defense in depth" is centered around the strategy of employing multiple layers of security controls to safeguard information systems. This approach recognizes that relying on a single security measure may not be adequate to protect against various threats and vulnerabilities. By implementing a variety of controls at different layers, organizations can create a more robust security posture. This includes not only technical controls, such as firewalls and intrusion detection systems, but also administrative controls like policies and procedures, as well as physical security measures.

The rationale for this layered approach is that if one control fails or is bypassed, other controls will still be in place to continue protecting the system. This redundancy reduces the risk of a successful attack significantly, as it would require an attacker to overcome multiple barriers instead of just one. Thus, employing defense in depth increases the overall resilience of the security framework within an organization.