Defense in Depth in Azure: layered security across the stack
Slide deck explaining the Defense in Depth security model in Azure: seven layers of protection (physical, identity, perimeter, network, compute, application, data) to prevent, slow, contain, and detect attacks.

Defense in Depth: the one-sentence definition
Layer multiple protections so one failure doesn't become total compromise. Not one 'magic' security control. Multiple layers reduce risk and limit impact. Helps prevent, slow, contain, and detect attacks. Avoids single points of failure.
Why layers matter
Because any single control can fail. Misconfiguration and human error happen. New vulnerabilities appear over time. Stolen credentials can bypass 'strong' barriers. Layers buy time and reduce blast radius.
The 7 defense-in-depth layers (data at the center)
Each layer protects a different part of the stack. Physical security. Identity and access. Perimeter. Network. Compute. Application. Data.
Physical security
Protect the buildings and hardware that run the cloud. Datacenters, facilities, and hardware protection. Foundation for every other layer. Mostly handled by the cloud provider. Still part of the end-to-end security story.
Identity and access
Control who can do what—then keep it minimal. Identity is who you are (users, apps, services). Access is what you can do (permissions). Stolen credentials are a common attack path. Least privilege reduces impact.
Perimeter vs Network
Perimeter protects the edge; network controls movement inside. Perimeter: boundary filtering and edge protection. Example threat: Distributed Denial of Service (DDoS). Network: segmentation and allowed communication paths. Goal: limit lateral movement if something gets in.
Compute + Application layers
Secure how code runs, and secure the code itself. Compute: secure configuration and patching of runtimes. Application: secure code and safe app configuration. Provider secures the platform; you secure the workload. Misconfigurations can bypass 'strong' outer controls.
Data layer
Protect the data directly, not only the systems around it. Data is the central asset. Limit access with strict permissions. Reduce impact with encryption and good key handling. Assume other layers might fail—data still needs protection.
Zero Trust + Defense in Depth
Layers plus a mindset: verify, minimize access, assume breach. Zero Trust principles: Verify explicitly. Use least privilege access. Assume breach. Defense in depth is the layers; Zero Trust is how access is handled.
Don't confuse one control with layered security
Great controls help—but they don't replace the other layers. A firewall or Web Application Firewall (WAF) is not full security. Multi-Factor Authentication (MFA) strengthens identity only. Backup plus Disaster Recovery (DR) provides recovery, not prevention.
