2.2 Defense in Depth and the CIA Triad

Key Takeaways

  • Defense in depth uses multiple overlapping layers of controls instead of relying on one perimeter.
  • Common layers include physical, identity and access, perimeter, network, compute, application, and data security.
  • The CIA triad frames security goals as confidentiality, integrity, and availability.
  • SC-900 scenarios often ask which layer or CIA goal a control primarily supports.

Last updated: May 2026

Layered security reduces single-control failure

Defense in depth is a security strategy that uses multiple overlapping layers of controls. The point is not to build one perfect wall. The point is to assume that a single control can fail through misconfiguration, vulnerability, stolen credentials, or a necessary business exception, then make sure another layer limits the damage.

Microsoft Learn describes typical layers that start with physical security and move inward toward data security. Physical security protects facilities and hardware. Identity and access controls authenticate and authorize users. Perimeter controls, such as DDoS protection and boundary firewalls, filter large-scale or unwanted traffic before it reaches internal networks. Network controls segment traffic and limit which resources can communicate with each other. Compute controls harden virtual machines, containers, and other compute resources. Application controls reduce software vulnerabilities. Data controls protect the information itself through access restrictions and encryption.

Layer                 Example exam cue
Physical              Restrict access to facilities, servers, and hardware.
Identity and access   Require multifactor authentication and least privilege.
Perimeter             Use firewall or DDoS controls at an external boundary.
Network               Segment traffic with isolated network zones or rules.
Compute               Patch systems and restrict administrative access.
Application           Validate input and test for vulnerabilities.
Data                  Classify, restrict, and encrypt sensitive information.

Defense in depth connects closely to the confidentiality, integrity, and availability triad. Confidentiality means sensitive information is available only to authorized parties. Integrity means data remains accurate, complete, and changed only through authorized processes. Availability means systems and data are accessible to authorized users when needed.

A control can support more than one CIA goal, but SC-900 questions usually have a primary cue. Encryption protects confidentiality by making data unreadable without the key. Hashing supports integrity by detecting changes, with one caveat worth remembering: a bare hash only proves anything if the reference value is stored where an attacker who can alter the data cannot also rewrite the hash; when the attacker can do both, a keyed MAC or a digital signature is needed. Redundancy, backups, failover, and DDoS protection support availability. Access control can protect both confidentiality and integrity by limiting who can read or modify resources.
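The integrity cue above, worked through as an added example (it is not code from the page or from Microsoft Learn). It uses only the Python standard library and a constructed account record; the record contents, the "out-of-band" storage scenario, and the scenario names are assumptions made for illustration. The three scenarios show a hash catching a change when the reference is out of the attacker's reach, the same hash failing when the attacker can rewrite it, and an HMAC with a secret key holding up in that second case.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; not taken from the page.
RECORD = b'{"account": "1234", "balance": 500}'
TAMPERED = b'{"account": "1234", "balance": 5000}'


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch through timing.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def tag_matches(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_hex(key, data), tag_hex)


def integrity_scenarios() -> dict:
    """Run three constructed scenarios; each value is True if tampering was detected."""
    results = {}

    # 1. Reference hash kept out of the attacker's reach (for example, published
    #    separately). The attacker changes only the data, so the reference no longer matches.
    reference = sha256_hex(RECORD)
    results["hash_out_of_band"] = not hash_matches(TAMPERED, reference)

    # 2. Hash stored next to the data, and the attacker can write both.
    #    They recompute the hash over the tampered record: nothing is detected.
    attacker_hash = sha256_hex(TAMPERED)
    results["hash_rewritten_by_attacker"] = not hash_matches(TAMPERED, attacker_hash)

    # 3. HMAC with a key the attacker does not hold. The record can be altered,
    #    but a matching tag cannot be computed without the key.
    key = secrets.token_bytes(32)
    tag = hmac_hex(key, RECORD)
    results["hmac_tamper_detected"] = not tag_matches(key, TAMPERED, tag)
    # Attacker's best effort without the key: substitute a plain hash for the tag.
    results["hmac_forgery_rejected"] = not tag_matches(key, TAMPERED, sha256_hex(TAMPERED))
    return results


if __name__ == "__main__":
    for name, detected in integrity_scenarios().items():
        print(f"{name}: tampering detected = {detected}")
```

Scenario 2 is the one exam answers gloss over: the hash itself is fine, but its storage location decides whether it is an integrity control or just a checksum.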

How to reason through scenarios

  • Identify the asset first: facility, identity, network, compute, application, or data.

  • Identify the failure being reduced and the CIA goal it threatens: exposure or unauthorized access (confidentiality), tampering (integrity), or outage (availability).

  • Map the proposed control to the nearest layer and CIA goal.

Defense in depth is different from Zero Trust, but they work together. Defense in depth says use layers. Zero Trust says do not trust requests by default, verify explicitly, grant least privilege, and assume breach. A good modern design uses both ideas: layered controls around resources and identity-centered decisions for every access request.

For SC-900, avoid thinking of defense in depth as only firewalls. Firewalls can be one layer, but the strategy is broader. A strong design may combine identity controls, network segmentation, endpoint management, application security, data classification, encryption, monitoring, and recovery planning. If an attacker gets past one layer, the next layer should slow, detect, contain, or reduce the impact of the attack.
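To make the "next layer should contain the failure" idea concrete, here is an added example, not code from the page or from Microsoft Learn, that models four layers as independent checks and runs constructed requests through them. The segment names, users, target, and classification rules are assumptions chosen for illustration. The design point it shows is that every layer is evaluated regardless of the others, so a stolen session that satisfies the identity layer, or an identity layer misconfigured to allow everything, is still stopped downstream.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed policy data; the segments, users and classifications are assumptions.
ALLOWED_SOURCE_SEGMENTS: Dict[str, set] = {
    "hr-db": {"corp-lan", "admin-jump"},
}
ADMIN_SEGMENT = "admin-jump"
CLEARED_FOR_CONFIDENTIAL = {"alice"}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    source_segment: str
    target: str
    admin_action: bool
    classification: str


Layer = Tuple[str, Callable[[Request], bool]]


def identity_layer(r: Request) -> bool:
    return r.mfa_passed


def network_layer(r: Request) -> bool:
    # Fail closed: a target with no segmentation rule is unreachable from anywhere.
    return r.source_segment in ALLOWED_SOURCE_SEGMENTS.get(r.target, set())


def compute_layer(r: Request) -> bool:
    # Administrative actions only from the hardened jump segment.
    return (not r.admin_action) or r.source_segment == ADMIN_SEGMENT


def data_layer(r: Request) -> bool:
    return r.classification != "confidential" or r.user in CLEARED_FOR_CONFIDENTIAL


LAYERS: List[Layer] = [
    ("identity", identity_layer),
    ("network", network_layer),
    ("compute", compute_layer),
    ("data", data_layer),
]


def evaluate(r: Request, layers: List[Layer] = LAYERS) -> Tuple[bool, List[str]]:
    """Evaluate every layer and return (allowed, names_of_layers_that_denied).

    No short-circuit on success: passing one layer never exempts the request from
    the next, which is what lets a later layer contain an earlier layer's failure.
    """
    denied = [name for name, check in layers if not check(r)]
    return (not denied, denied)


def scenarios() -> Dict[str, List[str]]:
    """Constructed requests; each value lists the layers that caught the problem."""
    legit = Request("alice", True, "admin-jump", "hr-db", True, "confidential")
    # Stolen session: MFA already satisfied, but the attacker sits on guest Wi-Fi.
    stolen_session = Request("alice", True, "guest-wifi", "hr-db", False, "confidential")
    # Valid user on the corp LAN attempting an admin action outside the jump segment.
    admin_from_lan = Request("bob", True, "corp-lan", "hr-db", True, "internal")
    # Identity layer misconfigured to allow everything (a "business exception").
    broken_identity: List[Layer] = [("identity", lambda _r: True)] + LAYERS[1:]
    no_mfa = Request("mallory", False, "guest-wifi", "hr-db", False, "confidential")
    return {
        "legit": evaluate(legit)[1],
        "stolen_session": evaluate(stolen_session)[1],
        "admin_from_lan": evaluate(admin_from_lan)[1],
        "broken_identity_layer": evaluate(no_mfa, broken_identity)[1],
    }


if __name__ == "__main__":
    for name, denied_by in scenarios().items():
        print(f"{name}: {'allowed' if not denied_by else 'denied by ' + ', '.join(denied_by)}")
```

Returning the full list of denying layers rather than stopping at the first one is deliberate: in a real system that list is what detection and incident response want to see, because a request that trips two layers at once looks very different from one that trips only one.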

Test Your Knowledge

What is the main idea of defense in depth?

Which CIA triad goal is most directly concerned with keeping systems accessible to authorized users?

Which control most directly supports integrity by detecting whether data changed?
