Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.2. Defense in Depth: Layered Security

Why do banks have vaults inside buildings with security guards, cameras, and locked doors? Because no single control is foolproof. Defense in depth applies this same principle to cloud security—layering multiple controls so that if one fails, others still protect your assets.

💡 First Principle: Each security layer should be independently valuable, not dependent on other layers working. Imagine an attacker who bypasses your firewall—they should still face identity verification. An attacker who steals credentials should still be blocked by network segmentation.

Think of it like a medieval castle. It has walls (perimeter), but also a moat (network segmentation), guards at the gate (identity verification), locks on the treasury (data protection), and sentries watching for threats (monitoring). An attacker who crosses the moat still faces the walls. An attacker who scales the walls still faces the guards. Each layer slows the attacker and provides time for response.

What breaks without defense in depth? Single points of failure. A misconfigured firewall rule exposes your database directly to the internet. A compromised admin credential grants access to everything because there's no secondary verification. A single vulnerability becomes a complete breach because nothing slows the attacker's progress.
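The single-point-of-failure check described above, as an added example that is not part of the original course material. The control names, threat names and the two postures are constructed assumptions. For each enabled control it asks which threats become exposed if that control alone fails.

```python
# Added example: which single control failures expose an asset?
# Constructed threat model: each threat lists the controls that would stop it
# on their own. All names here are illustrative assumptions.
THREATS = {
    "internet_reaches_database": ["firewall", "segmentation", "identity_verification"],
    "stolen_admin_credential": ["mfa", "segmentation"],
    "bulk_data_read": ["data_protection", "identity_verification"],
}


def blockers(threat, enabled):
    """Enabled controls that stop this threat independently of the others."""
    return [c for c in THREATS[threat] if c in enabled]


def exposed(enabled):
    """Threats with no working control left in front of them."""
    return sorted(t for t in THREATS if not blockers(t, enabled))


def failure_impact(enabled):
    """Map each enabled control to the threats newly exposed if it alone fails."""
    baseline = set(exposed(enabled))
    impact = {}
    for control in sorted(enabled):
        after = set(exposed(enabled - {control}))
        impact[control] = sorted(after - baseline)
    return impact


def single_points_of_failure(enabled):
    """Controls whose failure, with nothing else changed, exposes a threat."""
    return {c: t for c, t in failure_impact(enabled).items() if t}


# Constructed postures: one perimeter-only, one layered.
FLAT = frozenset({"firewall"})
LAYERED = frozenset(
    {"firewall", "segmentation", "identity_verification", "mfa", "data_protection"}
)

if __name__ == "__main__":
    for name, posture in (("flat", FLAT), ("layered", LAYERED)):
        print(name, "exposed now:", exposed(posture))
        print(name, "single points of failure:", single_points_of_failure(posture))
```

In the layered posture every threat keeps at least one working control after any one failure, so the check reports no single point of failure.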

Written by Alvin Varughese
Founder • 15 professional certifications