---

name: defense-in-depth description: Apply layered security architecture. Use when designing security controls, hardening systems, or reviewing security posture. Covers multiple security layers. allowed-tools: Read, Glob, Grep

Defense in Depth

Security Layers

┌─────────────────────────────────┐
│         Perimeter Security       │  WAF, DDoS Protection
├─────────────────────────────────┤
│         Network Security         │  Firewalls, VPNs, Segmentation
├─────────────────────────────────┤
│         Host Security            │  OS Hardening, Patching
├─────────────────────────────────┤
│         Application Security     │  AuthN, AuthZ, Input Validation
├─────────────────────────────────┤
│         Data Security            │  Encryption, Access Control
└─────────────────────────────────┘

Layer Controls

1. Perimeter

• Web Application Firewall (WAF)
• DDoS protection
• Rate limiting
• Bot detection

2. Network

• Network segmentation (VPCs, subnets)
• Security groups / firewalls
• VPN for internal access
• Zero-trust network access

3. Host

• OS hardening
• Patch management
• Endpoint protection
• File integrity monitoring

4. Application

• Authentication (OAuth2, OIDC)
• Authorization (RBAC, ABAC)
• Input validation
• Output encoding
• Session management
• Secure headers

5. Data

• Encryption at rest (AES-256)
• Encryption in transit (TLS 1.3)
• Key management
• Data masking
• Access logging

Security Checklist

• WAF configured with OWASP rules
• Network segmentation in place
• All traffic encrypted (TLS)
• Authentication on all endpoints
• Least privilege access controls
• Secrets managed securely
• Audit logging enabled
• Backups encrypted and tested

Principle of Least Privilege

Grant only the minimum permissions needed:

• Use IAM roles, not long-lived credentials
• Scope permissions to specific resources
• Regular access reviews
• Just-in-time access for sensitive operations