defense in depth

"The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial

observations of the whole position by the enemy, and [enable] the commander to maneuver the reserve." [JP1]

Tutorial: In information systems, defense in depth means constructing a system's security architecture with layered and complementary security mechanisms and countermeasures, so that if one security mechanism is defeated, one or more other mechanisms (which are "behind" or "beneath" the first mechanism) still provide protection.

This architectural concept is appealing because it aligns with traditional warfare doctrine, which applies defense in depth to physical, geospatial structures; but applying the concept to logical, cyberspace structures of computer networks is more difficult. The concept assumes that networks have a spatial or topological representation. It also assumes that there can be implemented -- from the "outer perimeter" of a network, through its various "layers" of components, to its "center" (i.e., to the subscriber application systems supported by the network) -- a varied series of countermeasures that together provide adequate protection. However, it is more difficult to map the topology of networks and make certain that no path exists by which an attacker could bypass all defensive layers.