What's the difference between "layered security" and "defense-in-depth"?

Explaining the similar (but different) concepts.

Special shout out to my friend and colleague Fred Goode who helped me in so many ways (including explaining this topic) during my earlier cyber years.

In the cybersecurity field, the terms "layered security" and "defense-in-depth" are used quite a bit. Don't believe me? Open up your favorite product brief and I suspect you'll see those terms at least once or twice (right up there with the obligatory reference to 'AI' 😄).

Let's pause for a second though and consider: what exactly do these terms mean? They're often used interchangeably. That's unfortunate. While they share similarities, "layered security" is actually quite different from "defense-in-depth". Let's discuss.

Layered Security

Are you sitting down? This may come as a shock: we're human. Despite fancy engineering processes and advanced assessment techniques like SAST, DAST, software composition analysis, etc., there are always going to be unpredictable flaws within the security controls we develop. The concept of layered security acknowledges this simple truth.

Don't fret though, there's hope. While any individual control may have flaws, different types of controls (working together for a common strategy) are MUCH stronger.

The emphasis on "different types" of controls is important to this whole idea. Think of it this way: installing three endpoint protection utilities together on the same workstation isn't the same level of security as having an email filter + firewall + endpoint protection working independently to guard a user. Three copies of the same control type tend to share the same blind spots; controls of different types fail in different ways.

Defense-In-Depth

OK, so then that raises the question: how is the concept of "defense-in-depth" different? Well, in the previous section, we were talking about different controls protecting against a common attack theme/strategy (e.g. network-based intrusion with lateral movement).

Here's the thing though: cybersecurity is a HUGE field of study that spans a lot of different dimensions. Here are just a few examples:

  • Incident response
  • Business continuity
  • Patch management
  • Network intrusion detection
  • Governance policy development
  • Monitoring

...and the list goes on and on.

So, returning to the prior example, would the combination of an email filter + firewall + endpoint protection bring us any closer to solving the need for governance policy development? Nope. Not even close.

So in short, defense-in-depth acknowledges the need for a truly broad and comprehensive security strategy. Not all of the facets of a defense-in-depth architecture are going to stop the same thing; some of them (business continuity, governance policy) don't stop an attack at all, but they limit what an attacker can achieve or how long it takes the organization to recover.

So, what now?

After all of this rambling, what conclusions can we draw? Well, ultimately "layered security" and "defense-in-depth" are concepts with SOME overlap, but they don't compete with one another. Layered security stacks different control types against a common attack path; defense-in-depth spreads effort across the many dimensions of security. Both mindsets are absolutely necessary for effective security.

Interested in reading more? Fortinet has a really great article on the topic. Check it out here:

What is Defense in Depth? Defined and Explained | Fortinet