Quiz Entry - updated: 2026.06.01
What is the defense-in-depth principle in access control, and why is it called "layered security"?
Multiple independent layers of defence — if one fails, the next one still protects the asset.
A medieval castle is the classic analogy:
- Moat — outermost barrier
- High hard walls — first physical layer
- Limited entry points — chokepoints for inspection
- Guards check identity — authentication
- Inner walls — second physical layer
- Watch towers — monitoring/detection
Mapped to information security:
- Network: perimeter firewall + internal segmentation + host firewalls.
- Authentication: password + 2FA token + device certificate.
- Authorisation: role check + per-request server-side ACL check + database row-level security.
- Monitoring: endpoint EDR + SIEM correlation + manual review.
Why one layer is never enough:
- Any single control will eventually fail (zero-day, misconfiguration, social engineering).
- Defence-in-depth assumes failure of each layer and asks: if this one is bypassed, what stops the attacker next?
- The attacker has to defeat all layers; the defender only needs one to hold.