Defense in Depth: A Sanity Check
Defense in depth means multiple layers. Audit yours.
Layers
Defense in depth is the security principle that protection should not depend on any single control. If one layer fails, others contain the damage. The defense-in-depth check is the periodic exercise of confirming that the layers actually exist, are independent, and would each catch the kind of attacker the team expects.
What the layers actually are:
- Network layer: Firewalls, security groups, network ACLs, VPC segmentation. The layer that controls who can reach what. An attacker who is on the wrong side of the network controls cannot reach the application at all.
- Identity layer: Authentication, MFA, IAM policies, role-based access control. The layer that controls who is who. An attacker who lacks valid credentials cannot authenticate; an attacker with limited credentials cannot escalate.
- Application layer: Input validation, authorization checks, output encoding, session management. The layer that controls what authenticated users can do. An attacker who has authenticated still cannot perform actions outside their authorization.
- Data layer: Encryption at rest, encryption in transit, field-level encryption, tokenization. The layer that protects the data itself. An attacker who has reached the data store still cannot read sensitive fields without keys.
- Each layer independent: The layers do not share failure modes. A compromise of network controls does not automatically compromise identity. A compromise of identity does not automatically grant data access. The independence is what makes defense in depth work.
The layered model is the conceptual framework. The check is the verification that each layer actually exists and works.
Audit
Auditing defense in depth is per-layer: for each layer, what is the specific control, how do we know it works, when was it last tested? The audit produces a structured assessment that the team and auditors can both reference.
- The control at each layer: Document the specific control at each layer. Not "firewalls" but "AWS security groups configured per service with default deny, exceptions reviewed quarterly". The specificity matters; vague controls are unauditable.
- Tested: When was the control last tested? What did the test find? Were the findings remediated? The test is what distinguishes real controls from paper controls. A control that has never been tested is unproven.
- Per-layer verification: Each layer is verified independently. The network layer test does not verify the application layer; the application layer test does not verify the data layer. The independence of testing matches the independence of layers.
- Documented evidence: The audit produces evidence: configuration snapshots, test results, runbook references, change logs. The evidence is preserved so future audits can build on it rather than starting over.
- Cadence aligned with risk: Higher-risk layers are tested more frequently. Identity controls (MFA enforcement, privilege boundaries) might be tested monthly. Network controls might be tested quarterly. Data controls (encryption configurations) might be tested annually. The cadence reflects the rate of change.
The audit is the discipline that converts "we have defense in depth" from belief into demonstrated fact.
Gaps
The check inevitably surfaces gaps. Layers that exist but are not tested. Layers that depend on a single control that could fail. Compensating layers that exist on paper but not in practice. Closing gaps is the value the check produces.
- Single-layer protection is fragile: A surface protected by only one layer is one failure away from compromise. The check identifies these surfaces; the closure plan adds layers.
- Add layers where missing: The closure is concrete: add a WAF in front of the application, add MFA on the admin tier, add field-level encryption on PII. Each addition is a tracked piece of work with an owner and a target date.
- Defense in depth real, not theatrical: Theatrical defense in depth has many controls on paper but few that actually work. Real defense in depth has independent, tested, effective controls at each layer. The check is what catches the difference.
- Document compensating controls: When a layer cannot exist for technical reasons, the compensating control is explicit. "We do not have field-level encryption on this column because it is searchable; we compensate with strict access logging and quarterly review." The compensation is reviewed alongside the missing control.
- Track gap closure: Gaps are tracked through to remediation. The list does not become a static document; it is a living queue of work. Closed gaps stay closed because the check verifies them on the next cycle.
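The per-layer audit and the gap list above can be expressed as a small, repeatable check. The following is an added example, not code from the article or from any product it mentions; the layer names, the cadence values (identity monthly, network and application quarterly, data annually) and the admin-console inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Test cadence per layer, aligned with risk as described in the audit section.
# Constructed defaults for this example; tune to your own risk assessment.
CADENCE_DAYS = {"identity": 30, "network": 90, "application": 90, "data": 365}

@dataclass
class LayerControl:
    layer: str
    control: Optional[str]            # None = the layer does not exist on this surface
    last_tested: Optional[date]       # None = never tested (a paper control)
    open_findings: int = 0            # findings from the last test not yet remediated
    compensating: Optional[str] = None  # explicit substitute when the layer cannot exist

def audit_surface(surface: str, controls: List[LayerControl], today: date) -> List[str]:
    """Return the gap list for one surface; an empty list means the check passed."""
    gaps = []
    tested_layers = 0
    for c in controls:
        tag = f"{surface}/{c.layer}"
        if c.control is None:
            # A missing layer is acceptable only with a documented compensating control.
            if c.compensating is None:
                gaps.append(f"{tag}: layer missing with no documented compensating control")
            continue
        if c.last_tested is None:
            gaps.append(f"{tag}: '{c.control}' has never been tested (paper control)")
            continue
        overdue = (today - c.last_tested).days - CADENCE_DAYS[c.layer]
        if overdue > 0:
            gaps.append(f"{tag}: test overdue by {overdue} days")
        if c.open_findings:
            gaps.append(f"{tag}: {c.open_findings} finding(s) not remediated")
        tested_layers += 1
    # Single-layer protection is fragile: require at least two independent tested layers.
    if tested_layers < 2:
        gaps.append(f"{surface}: single-layer protection ({tested_layers} tested layer(s))")
    return gaps

# Constructed sample inventory for a hypothetical admin console.
ADMIN_CONSOLE = [
    LayerControl("network", "security groups, default deny", date(2024, 2, 20)),
    LayerControl("identity", "MFA enforced on admin role", date(2024, 3, 1), open_findings=1),
    LayerControl("application", "per-route authorization middleware", None),
    LayerControl("data", None, None, compensating="strict access logging, quarterly review"),
]

if __name__ == "__main__":
    for gap in audit_surface("admin-console", ADMIN_CONSOLE, date(2024, 4, 15)):
        print(gap)
```

Run against the sample inventory, the check reports the overdue identity test, its unremediated finding, and the untested application control, while the missing data layer passes because its compensating control is documented.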
The defense-in-depth check is the discipline that prevents security architecture from drifting between audits. Nova AI Ops integrates with security tooling across all layers, surfaces gaps automatically, and produces the per-layer audit report that compliance and engineering both reference.