Alex -

What's the difference between zero trust and defense in depth?

Security administrators don't have to choose between zero-trust and defense-in-depth cybersecurity methodologies. Learn how the two frameworks complement each other.

Cybersecurity teams have a number of security frameworks to choose from. In some cases, administrators must choose one framework or philosophy over another. In others, multiple frameworks that focus on different aspects of an enterprise's overall security posture can be used together.

The choice between zero trust and defense in depth is one of those situations where both methodologies can be applied simultaneously to the same enterprise.

Defense in depth: Filling in the gaps

A defense-in-depth strategy involves the use of multiple security tools and mechanisms in unison. The idea is that, if one security tool fails or is bypassed by an attacker, the other, properly configured tools still stand between the attacker and the asset and prevent unauthorized access.

This strategy has been popular over the past few decades for the following two main reasons:

  1. A layered approach to security tools helps ensure that gaps between security policies are fewer and harder for an attacker to find.
  2. Defense in depth helps protect against human error that leaves a single security tool misconfigured, because the remaining layers still apply.

Without a defense-in-depth strategy in place, gaps and misconfigurations can open the door to attackers probing for an easy way into the network.

[Infographic: The layers needed for defense in depth]

Zero trust: Authentication and lateral movement

The principles of zero trust are more specific than those of defense in depth. Under zero trust, no user, device or workload is trusted implicitly, regardless of whether it already sits inside the corporate network; every request to an application or service is authenticated and authorized on its own. Only verified users and devices connecting to the network, and only verified workloads in public and private data centers, are permitted to send and receive data, and traffic outside those expected flows is denied. Because trust is granted per request rather than per network location, a compromised host gains no automatic reach to its neighbors, which is what limits lateral movement.

[Infographic: How to build a zero-trust network]

The case for zero trust and defense in depth

Taking a narrow view of what defense-in-depth and zero-trust strategies aim to deliver, one might assume the two concepts are independent of one another. In fact, the opposite is true. For example, zero-trust principles can be included as part of an overall defense-in-depth strategy that also incorporates application and data protection controls not considered part of zero trust.

Even more interesting, however, is that defense-in-depth philosophies can be included in zero-trust deployments. For example, security administrators may lock down user accounts so that each has rights only to the applications and services its owner needs for business purposes. In addition, admins may create logically segmented security zones that block access to portions of the network that users never need. If a user account is then compromised, the account itself is restricted to the resources it was configured to reach, and the security zones further limit that reach even if the account's permissions were misconfigured or manipulated by the attacker. Neither control has to be perfect for the combination to hold.
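The following is an added example, not code from the original article or from any product it describes. It models the two layers just described, per-account entitlements and segmented network zones, as a deny-by-default authorization check in which each layer is evaluated independently, and it also illustrates the earlier defense-in-depth point that a misconfigured control is caught by the next one. All account names, device IDs, application names, zone names and IP ranges are constructed for the example; "bob" is deliberately given an entitlement he should not have to play the misconfigured-account case.

```python
"""Toy deny-by-default access evaluator with two independent layers."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    src_ip: str
    app: str


# Layer 1, identity: each account may use only the applications its role needs.
# Hypothetical entitlement table; "payroll" for bob is a deliberate misconfiguration.
ENTITLEMENTS = {
    "alice": {"payroll", "hr-portal"},
    "bob": {"wiki", "payroll"},
}
# Only enrolled, managed devices may be used at all (constructed IDs).
MANAGED_DEVICES = {"lap-0137", "lap-0291"}

# Layer 2, network: each app sits in a segmented zone that accepts connections
# only from the listed source ranges. Zones and ranges are constructed here.
APP_ZONE = {"payroll": "finance", "hr-portal": "hr", "wiki": "corp"}
ZONE_SOURCES = {
    "finance": [ip_network("10.10.0.0/24")],
    "hr": [ip_network("10.20.0.0/24")],
    "corp": [ip_network("10.0.0.0/8")],
}


def identity_layer(req: AccessRequest) -> tuple[bool, str]:
    """Per-request identity and device check: no implicit trust from location."""
    if req.device not in MANAGED_DEVICES:
        return False, f"device {req.device} is not managed"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, f"{req.user} is not entitled to {req.app}"
    return True, "identity ok"


def network_layer(req: AccessRequest) -> tuple[bool, str]:
    """Segmentation check, evaluated regardless of what the identity layer said."""
    zone = APP_ZONE.get(req.app)
    if zone is None:
        return False, f"{req.app} is not in any zone"
    src = ip_address(req.src_ip)
    if not any(src in net for net in ZONE_SOURCES[zone]):
        return False, f"{req.src_ip} may not reach zone {zone}"
    return True, f"zone {zone} reachable"


def authorize(req: AccessRequest) -> dict:
    """Deny by default; allow only when every layer independently allows."""
    id_ok, id_why = identity_layer(req)
    net_ok, net_why = network_layer(req)
    return {"allowed": id_ok and net_ok, "identity": id_why, "network": net_why}


# Constructed sample requests covering the normal case and three failure modes.
SAMPLES = {
    "alice_finance": AccessRequest("alice", "lap-0137", "10.10.0.25", "payroll"),
    "alice_guest": AccessRequest("alice", "lap-0137", "192.168.50.9", "payroll"),
    "bob_misconfigured": AccessRequest("bob", "lap-0291", "10.30.0.7", "payroll"),
    "alice_byod": AccessRequest("alice", "phone-xyz", "10.10.0.25", "payroll"),
}


def evaluate_samples() -> dict[str, bool]:
    """Return the final decision for each sample request."""
    return {name: authorize(req)["allowed"] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, authorize(req))
```

Only alice_finance is allowed. The bob_misconfigured case is the interesting one: the identity layer wrongly approves it because of the bad entitlement, but the segmentation layer still denies the request since bob's subnet cannot reach the finance zone, which is exactly the layered failure the text describes. The two layers never consult each other's result, so a bug or misconfiguration in one cannot weaken the other.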

This was last published in May 2022
