2.2 Defense in Depth and the CIA Triad
Key Takeaways
- Defense in depth uses multiple overlapping layers of controls so that if one layer fails, another limits the damage — it does not rely on a single perimeter.
- Microsoft's seven layers, outer to inner, are physical, identity and access, perimeter, network, compute, application, and data.
- The CIA triad defines the three security goals: confidentiality (only authorized parties read), integrity (data is accurate and unaltered), and availability (systems are reachable when needed).
- A single control can serve multiple CIA goals, but SC-900 scenarios usually have one primary cue — encryption -> confidentiality, hashing -> integrity, redundancy/DDoS protection -> availability.
- Defense in depth and Zero Trust complement each other: layers protect resources while Zero Trust verifies every request.
Layered security: assume any control can fail
Defense in depth is a security strategy that uses multiple overlapping layers of controls rather than depending on one perfect wall. The premise is that any single control can fail — through misconfiguration, an unpatched vulnerability, stolen credentials, or a deliberate business exception — so the design must ensure another layer limits the damage. If an attacker defeats one layer, the next layer should slow, detect, contain, or reduce the impact of the attack.
Microsoft describes the strategy as a set of concentric layers that move from the outside (physical) inward toward the most valuable asset (data). Importantly, defense in depth is not synonymous with firewalls. A firewall is one control in one layer; the broader strategy combines identity controls, segmentation, endpoint hardening, application security, encryption, monitoring, and recovery planning.
The seven Microsoft layers
| Layer (outer -> inner) | What it does | Example control |
|---|---|---|
| Physical security | Restricts physical access to facilities and hardware | Badge access, guards at datacenters |
| Identity and access | Authenticates and authorizes users | Multifactor authentication, least privilege |
| Perimeter | Protects the external boundary from bulk attacks | DDoS protection, perimeter firewalls |
| Network | Segments and controls internal traffic | Network segmentation, deny-by-default rules |
| Compute | Hardens VMs, containers, and hosts | Patching, restricting admin access, endpoint protection |
| Application | Reduces software vulnerabilities | Input validation, secure development, vulnerability testing |
| Data | Protects the information itself | Classification, access control, encryption |
Know the order — physical is outermost, data is innermost — because the exam may ask which layer a control belongs to or which layer sits closest to the data.
The CIA triad
The CIA triad frames the three fundamental goals of information security. Spell each one out precisely, because SC-900 distractors swap the definitions:
- Confidentiality — sensitive information is accessible only to authorized parties. Breached by data leaks, eavesdropping, or over-broad permissions.
- Integrity — data stays accurate, complete, and is changed only through authorized processes. Breached by tampering, corruption, or unauthorized modification.
- Availability — systems and data are accessible to authorized users when needed. Breached by outages, ransomware, or denial-of-service attacks.
Attackers, by contrast, pursue the opposite trio, sometimes called the DAD triad: Disclosure (against confidentiality), Alteration (against integrity), and Denial/Destruction (against availability).
Mapping controls to CIA goals
A control can support more than one goal, but each exam scenario has a primary cue:
| Control | Primary CIA goal | Why |
|---|---|---|
| Encryption | Confidentiality | Makes data unreadable without the key |
| Hashing / digital signatures | Integrity | Detects whether data was altered |
| Access control / least privilege | Confidentiality + integrity | Limits who can read or modify |
| Backups, redundancy, failover, DDoS protection | Availability | Keeps services reachable through failure or attack |
When you read a scenario, work in three steps: (1) identify the asset (facility, identity, network, compute, application, or data); (2) identify the failure being reduced (exposure, tampering, outage, or unauthorized access); (3) map the proposed control to the nearest layer and CIA goal. This turns vague questions into a quick lookup.
How defense in depth and Zero Trust fit together
Defense in depth and Zero Trust are distinct but complementary. Defense in depth says use layers. Zero Trust says trust nothing by default — verify explicitly, grant least privilege, and assume breach. A strong modern design uses both: layered controls around resources, and identity-centered verification for every individual access request. Neither replaces the other. For example, network segmentation (a defense-in-depth layer) supports Zero Trust's 'assume breach' principle by limiting lateral movement, but segmentation alone does not satisfy the requirement to verify every request explicitly.
Common exam traps
- Treating one product as the whole strategy. Buying a firewall or enabling MFA strengthens one layer; it is not defense in depth by itself.
- Confusing the goals. Availability is not about secrecy. If a question describes keeping a service reachable during a DDoS attack, the answer is availability, not confidentiality.
- Assuming hashing hides data. Hashing supports integrity, not confidentiality — it does not keep data secret, it detects change.
- Forgetting the layer order. Identity and access sits near the outside (right after physical), while data is the innermost layer being protected.
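To make the hashing trap concrete, here is an added Python example (not part of the SC-900 material): a SHA-256 digest detects any change to a constructed customer record, but because hashing is keyless and deterministic it also lets anyone holding the digest confirm a known value, which is why it serves integrity rather than confidentiality; an HMAC adds a key so a tampered record cannot be paired with a valid tag. The record, the tampered copy and the key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record whose integrity a backup or audit job might verify.
RECORD = b"customer_id=1042;balance=250.00;tier=gold"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: a fixed-size fingerprint of the input."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, stored_digest: str) -> bool:
    """Integrity check: recompute the digest and compare it with the stored one.
    Any change to the data, even a single character, yields a different digest."""
    return hmac.compare_digest(sha256_hex(data), stored_digest)


def digest_confirms_value(stored_digest: str, candidate: bytes) -> bool:
    """Why a hash is not confidentiality: hashing is deterministic and keyless,
    so anyone holding the digest can confirm whether a candidate value is the
    original simply by hashing the candidate. The digest detects change; it
    does not keep the content secret."""
    return hmac.compare_digest(sha256_hex(candidate), stored_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC): integrity plus authenticity. Without the key, a
    tampered record cannot be given a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the four checks the text describes; every value should be True."""
    stored_digest = sha256_hex(RECORD)
    tampered = RECORD.replace(b"balance=250.00", b"balance=9250.00")
    key = secrets.token_bytes(32)  # constructed per-run key for the HMAC case
    return {
        "original_intact": integrity_intact(RECORD, stored_digest),
        "tampered_detected": not integrity_intact(tampered, stored_digest),
        "digest_confirms_known_value": digest_confirms_value(stored_digest, RECORD),
        "hmac_rejects_tamper": hmac_tag(key, tampered) != hmac_tag(key, RECORD),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```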
For SC-900, you should be able to (1) recite the seven layers in order, (2) define each CIA goal in one accurate sentence, and (3) match a described control to both its layer and its primary CIA goal. That combination answers the majority of Domain 1 'concepts' questions on this topic.
Worked example
Consider a scenario: 'A company encrypts its customer database, requires MFA for administrators, segments its production network, and keeps geo-redundant backups.' Database encryption is the data layer, supporting confidentiality. MFA for admins is the identity and access layer, supporting confidentiality and integrity by limiting who can sign in and change things. Network segmentation is the network layer, supporting the assume-breach idea and limiting exposure (confidentiality/integrity). Geo-redundant backups are about availability — they keep data recoverable after an outage or ransomware event.
One scenario, four controls, four clean mappings — exactly the reasoning the exam tests.
Keep in mind that non-repudiation and authenticity are sometimes mentioned alongside CIA, but the triad the exam asks about is strictly confidentiality, integrity, and availability. If an option lists 'non-repudiation' or 'federation' as a CIA goal, it is a distractor.
Which control most directly supports the integrity goal of the CIA triad?
In Microsoft's defense-in-depth model, which layer sits immediately inside the physical security layer?
A retailer wants its checkout service to stay online during a large-scale denial-of-service attack. Which CIA triad goal is the primary concern?
Which statement best captures the core idea of defense in depth?