Explain defense in depth and give a concrete example of applying it.
Short answer
Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. No single control is assumed perfect, so you stack preventive, detective, and responsive measures across the network, host, application, and data layers.
Defense in depth is the recognition that every control eventually fails or gets bypassed, so security should never rest on a single point. Instead you layer independent controls so an attacker has to defeat several of them in sequence to reach what matters.
Why one layer is never enough
A firewall can be misconfigured. A patch can be missed. A user can be phished. If your entire posture depends on one control, that control becomes a single point of failure — and attackers are very good at finding the one thing you assumed was solid. Layering buys you resilience and time: even a partial breach gets contained or detected before it becomes total.
A concrete example
Consider protecting a customer database:
- Perimeter: a firewall and WAF filter inbound traffic.
- Network: segmentation isolates the database subnet so a compromised web server can't reach it freely.
- Host: the database server is hardened, patched, and runs endpoint detection.
- Application: input validation and parameterized queries block SQL injection.
- Identity: least-privilege accounts and MFA limit who can touch the data.
- Data: the records are encrypted at rest, so a stolen disk image is useless.
- Detective + responsive: logging, alerting, and backups catch and recover from what slips through.
An attacker who beats the firewall still faces segmentation, then host hardening, then access controls, then encryption.
The subtle point
Layers must be independent. Two controls that share the same weakness (say, both trusting the same SSO token) collapse together and don't actually add depth.
What interviewers look for
A good answer states the principle — assume any control can fail — and then demonstrates it with concrete layers spanning network, host, app, identity, and data, ideally noting that the layers should fail independently.
Likely follow-ups
- How does defense in depth differ from zero trust?
- Give an example of a detective control versus a preventive control.
- What is the risk of redundant controls that aren't truly independent?