A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?
Correct. Defense in depth employs overlapping layers of security controls to protect assets and ensure resilience against attacks.
Why this answer
Defense in depth is a security strategy that layers independent defensive mechanisms so that if one layer fails, another layer is already in place to prevent or mitigate an attack. The scenario explicitly describes multiple layers (firewall, IDS, endpoint antivirus, MFA) working together, which is the core definition of defense in depth. Because no single control is relied on alone, the failure of one control does not by itself compromise the entire security posture.
Exam trap
The trap here is that candidates often confuse 'Defense in depth' with 'Zero Trust' because both involve multiple security controls. Zero Trust, however, is specifically about eliminating implicit trust and verifying every access request; it is not about layering defenses so that one control backs up another.
How to eliminate wrong answers
Option B (Zero Trust) is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, regardless of network location; it does not inherently describe a layered defense strategy. Option C (Least privilege) is wrong because least privilege is a principle that restricts users and systems to only the minimum permissions necessary to perform their functions, not a multi-layered control architecture. Option D (CIA triad) is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a set of security objectives, not a design principle for implementing multiple layers of controls.