01
17 min read · 5 briefings

Defense in Depth & Zero Trust

One wall is a single point of failure. Build many, and trust none of them by default.

01 Why the castle and moat fell

For decades, security architecture had a comforting shape: a hardened perimeter — firewalls, a DMZ, a VPN — around a soft, trusting interior. Get inside the moat and the drawbridge was down; the internal network implicitly trusted you. This is the castle-and-moat model, and it worked when "inside" meant a building full of desktops and a server room down the hall.

Three shifts killed it. First, the perimeter dissolved: cloud workloads, SaaS apps, and remote work mean your data lives everywhere and your users connect from anywhere. There is no single wall left to defend. Second, attackers learned that the interior was undefended, so a single phished laptop or a compromised vendor became a skeleton key to everything. Third, the interior got enormous — thousands of services talking to each other, any one of which could be the beachhead.

Insight The lesson defenders drew is brutal and simple: a network you trust because a packet arrived from "inside" is a network you have already lost. Location is not identity, and being on the LAN proves nothing.

The response was not to abandon the perimeter — it still filters noise — but to stop treating it as the whole strategy. Modern defense assumes the wall will be breached and asks a harder question: once the attacker is inside, how do we make every single step cost them, slow them, and light them up?

02 Defense in depth: layers, not a wall

Defense in depth borrows its logic from military fortification: overlapping, independent controls so that when one fails, the next still holds. No single control is trusted to be perfect, because none is. The value is in the redundancy — an attacker must defeat a whole stack, not one gate.

Practitioners think in layers spanning the whole environment:

  • Perimeter/network — firewalls, IDS/IPS, segmentation, egress filtering.
  • Endpoint — EDR, host firewalls, application allow-listing, disk encryption.
  • Identity — MFA, conditional access, privileged access management.
  • Application/data — input validation, encryption at rest, DLP, tokenization.
  • People and process — awareness training, IR playbooks, backups tested for real restore.

A useful mental model is the Swiss cheese analogy from James Reason's safety research: every layer has holes, but if you stack enough imperfect layers, the holes rarely line up all the way through. Security's job is to keep adding slices and to notice when the holes start aligning.

Watch out Depth is not the same as redundancy of the same control. Ten firewalls from one vendor share one bug; a firewall plus EDR plus MFA plus segmentation fail independently. Diversity of control type is what makes the layers count.

03 Zero Trust: never trust, always verify

The phrase "never trust, always verify" is the slogan of Zero Trust, an architecture coined by Forrester analyst John Kindervag in 2010 and formalized by NIST in SP 800-207. The core move is to eliminate implicit trust based on network location. Every request to a resource is authenticated, authorized, and encrypted per session — whether it comes from the corporate LAN or a coffee-shop Wi-Fi.

NIST's model splits enforcement into a Policy Decision Point (PDP) — the brain that evaluates policy — and a Policy Enforcement Point (PEP) — the gate that grants or blocks the connection. Decisions are dynamic: they weigh user identity, device health, sensitivity of the resource, and behavioral signals, and they can be re-evaluated mid-session.

Access is a privilege granted per request, not a status you keep because you logged in once this morning.

Google's BeyondCorp is the best-known real-world implementation: after the 2009 Operation Aurora attacks, Google spent years removing the privileged corporate network entirely, so an engineer on the office LAN has no more inherent trust than one at home. Zero Trust is a journey, not a product — vendors selling a "Zero Trust box" are selling the label, not the architecture.

04 Microsegmentation and least privilege

If Zero Trust is the philosophy, microsegmentation and least privilege are how it lands in practice. Microsegmentation carves the network into tiny zones — ideally down to the individual workload — so that a compromised web server cannot freely reach the database, the domain controller, or the finance subnet. It attacks the thing attackers rely on most after landing: lateral movement.

The principle of least privilege (PoLP) says every user, service, and process should have exactly the access it needs to do its job — and no more. A related idea, just-in-time (JIT) access, grants elevated rights only for the moment they are needed and revokes them automatically. Standing admin rights are a gift to attackers; ephemeral ones are a moving target.

ModelTrust boundaryBlast radius of one compromise
Flat networkThe whole LANEverything reachable
VLAN segmentationSubnet / departmentOne segment
MicrosegmentationIndividual workloadOne host / service
Pro tip When you can, express segmentation as identity-and-workload policy ("the payments service may talk to the payments DB on 5432") rather than IP ranges. IPs change; the intent behind the rule does not, and reviewers can actually read it.

05 Assume breach and the NIST CSF

The unifying mindset is assume breach: design as if an attacker is already inside, because eventually one will be. This flips the goal from "keep everyone out" (impossible) to "detect fast, contain hard, recover clean." It is why detection and response earn as much investment as prevention.

The organizing framework most defenders reach for is the NIST Cybersecurity Framework (CSF). Its original five core functions form a lifecycle you can hang almost any control on:

  1. Identify — know your assets, data, and risks. You cannot protect what you cannot inventory.
  2. Protect — safeguards: access control, hardening, training, encryption.
  3. Detect — spot events fast: monitoring, logging, anomaly detection.
  4. Respond — act on incidents: containment, analysis, communication.
  5. Recover — restore capability and learn: resilience, backups, improvement.

In February 2024, CSF 2.0 added a sixth function wrapping all the others: Govern, which covers strategy, roles, and risk-management decisions at the organizational level. The framework is deliberately not a checklist — it is a common language for describing where your program is strong, where it is thin, and where the next dollar should go.

Field Glossary

Defense in depth
Layering multiple independent security controls so that the failure of any one does not lead to compromise.
Zero Trust
An architecture that removes implicit trust based on network location and verifies every request per session, per NIST SP 800-207.
Microsegmentation
Dividing a network into very small zones — ideally per workload — to limit an attacker's lateral movement after an initial compromise.
Least privilege (PoLP)
Granting each user, service, or process only the minimum access needed for its function, and nothing more.
Lateral movement
The techniques an attacker uses to pivot from an initial foothold to other systems inside a network.
Assume breach
A design mindset that treats compromise as inevitable and prioritizes fast detection, containment, and recovery over prevention alone.
NIST CSF
The NIST Cybersecurity Framework; its core functions (Identify, Protect, Detect, Respond, Recover — plus Govern in CSF 2.0) give programs a common language for risk.

Knowledge Check

Field Assessment

0 / 3

01 What core assumption distinguishes the Zero Trust model from the castle-and-moat model?

02 Which pairing best captures the purpose of microsegmentation?

03 Which sixth function did NIST CSF 2.0 (2024) add to the original five?

ESC
↑↓ navigate jack in