Gartner Blog Network

How do you define “defense in depth”?

by Lawrence Pingree  |  August 29, 2013  |  1 Comment

I’ve had some recent conversations that led me to believe there may be some misunderstanding of the term defense in depth. Some practitioners may propose that this is a simple architecture that translates into a specific finite set of products and architectures. In a note I wrote last year (which is currently being updated) I used the term to bolster the support that our clients (for example a security manager, engineer or architect) may need to be able to increase their security capabilities (see Best Practices for Mitigating Advanced Persistent Threats). When some practitioners hear this term (especially those that are senior) they cringe and sometimes have the reaction, or believe, that it’s an “old school” philosophy. I disagree. I’m saddened when I hear that some security practitioners seem to have abandoned this concept; in fact, I feel it may need to be expanded.

  • Defense In Depth – Implement preventative controls as much as possible/affordable.

Should we expand the terminology to the following three (DDR):

  • Defend In Depth – Implement preventative controls as much as possible/affordable.
  • Detect In Depth – Implement detective controls as a final “last straw” approach.
  • Respond In Depth – Respond as quickly as possible to avoid the negative effects of security control failures.

Should practitioners expand their thinking and apply this new strategic approach to their security programs?

What are your own thoughts?

Category: security  

Lawrence Pingree
Research Director
2 years with Gartner
16 years IT industry

Lawrence Pingree's responsibilities include coverage of security technologies and the cloud security space. His main focus is on conducting research targeted at the security aspects of products in the data center…

Thoughts on How do you define “defense in depth”?

  1. Doug Laney says:

    Response to my auto GBN RSS retweet of your blog:

    From @scmunk:
    “@Doug_Laney Changes are that you have more levels, also closer to and including the data, can’t assume outside to in.”

    FF to respond on Twitter.

    –Doug Laney, VP Research, Gartner, @doug_laney
