Defense in Depth – CompTIA Security+ SY0-401: 1.3

One of the fundamental foundations of information security is the concept of defense in depth. In this video, you’ll learn about defense in depth and some of the technologies used to implement defense in depth.

<< Previous Video: Cloud ComputingNext: IPv4 and IPv6 >>


When you’re planning a security strategy for your organization, you never want to rely on any one thing. You want to have security throughout the organization protecting you at every step along the way. This layered security is something we call in the industry defense in depth.

Let’s look at a number of different layers that we can add to this defense in depth. This is in no way a comprehensive list. But it should give you a pretty good idea of what you could put in your environment.

Obviously, a firewall comes to mind, something that we can put at the edge of the organization as people are going in and out to the internet. Many organizations will put their firewall on the inside, either protecting different floors of a building from each other and, in some occasions, protecting different devices inside the data center. It’s a good way to make sure that only the data flows that you want are going to be running inside of your network.

Another methodology that is really associated with many firewalls is implementing a demilitarized zone, or a DMZ. A DMZ is a bit of a middle ground between the inside of your network and the outside so that people who need to access resources in your organization don’t come all the way to the internal parts of your network. They go into this middle ground called the DMZ. And it’s just another way to have that layering of security in your environment.

We often take authentication for granted as a security strategy. We obviously need to authenticate people. We usually do this by using a username and a password.

But, of course, you can have multifactor authentication that might layer on additional security. You could require someone provide the random or pseudo-random message from a separate multifactor authentication key. Maybe you would provide someone with cards that they would use to be able to provide the additional factors. But every single one of those adds another layer to the defense in depth.

If you can add an intrusion prevention system to your defense in depth that would be able to watch all of the traffic that’s traversing the network, and if somebody is trying to take advantage of a vulnerability on a server or workstation, this intrusion prevention system would be able to stop those traffic flows. It’s another way to sit behind the scenes, watch the traffic go by, and only stop the bad things while you’re allowing all of the good traffic to proceed.

If you’re connecting in to your network from the outside, then you’re probably using a virtual private network, or VPN. The VPN access encrypts all of the data as it’s going through the internet. And only once it gets inside of your network is that traffic decrypted and sent on its way in the clear.

This means that you could be in a relatively insecure location, like a coffee house. You could be a hotel where the wireless network is connecting you in the clear. But all of your traffic is going through this encrypted tunnel. So although the wireless network is one that people could access and listen to your data going by, your information is still secure as it’s passing through that insecure network.

We’ve become very accustomed to running anti-virus and anti-malware software on all of our workstations. And that makes sense because that’s the last possible place where you could stop the malicious software from executing on your workstation and infecting your machine. Another step in that layered defense-in-depth security strategy.

And as I mentioned earlier, this is just the beginning of a defense-in-depth strategy. In fact, it’s not unusual for medium to large organizations to be running every single one of these technologies in their environment. It’s one of those things that you’ll notice as you go through the Security Plus certification that you’ll start to see other strategies that you can implement to provide defense in depth in your organization.