Defense in Depth


Recently, I learned the term Defense in Depth, which is a defense strategy in DevOps.

I came across the topic when learning about the right way to set up an AWS VPC. I wondered why we need to put EC2 instances into a private subnet if the individual EC2 instances are already protected by a security group. Were both a security group and a private subnet overkill? This Reddit comment explains why Defense in Depth works here. Essentially: it lowers the surface area of attack.

Defense in Depth gets a little tangled in my head with Security Through Obscurity, though the concepts are quite different.

My main pushback against the concept of Defense in Depth is that it could muddy where exactly the responsibility lies for blocking an attack. You could think at turns that “We’re safe! The subnet will stop this” or that “We’re safe! The security group will stop this”, but not be sure which is actually configured to stop which attacks. This is a very weak criticism of the concept.
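As an added illustration of the two layers discussed above (subnet placement and security groups), and of the attribution worry in the previous paragraph, here is a small Python model. It is constructed for this page and is not AWS code or the Reddit commenter's; the VPC range, subnets, instances and rules are made-up fixtures. Each layer is evaluated on its own, so the report names which layer stopped a connection rather than only saying that it failed. The model also covers sources inside the VPC, where the subnet layer does not apply, which goes slightly beyond the internet-only case in the text. Network ACLs, a third layer AWS offers, are deliberately left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VPC address range for the toy model (not from the post).
VPC_CIDR = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Rule:
    """One security-group ingress rule. protocol "-1" means all protocols/ports."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        proto_ok = self.protocol == "-1" or self.protocol == protocol
        port_ok = self.protocol == "-1" or self.from_port <= port <= self.to_port
        return proto_ok and port_ok and ip_address(src_ip) in ip_network(self.cidr)


@dataclass(frozen=True)
class Subnet:
    name: str
    igw_route: bool  # route table has 0.0.0.0/0 -> internet gateway


@dataclass(frozen=True)
class Instance:
    name: str
    subnet: Subnet
    public_ip: bool
    ingress: tuple  # tuple[Rule, ...]; security groups are default-deny inbound


def subnet_layer_allows(instance: Instance, src_ip: str) -> bool:
    """Layer 1: can a packet from src_ip reach the instance's interface at all?
    Traffic from inside the VPC is routed locally. Internet traffic needs both a
    public IP on the instance and an IGW route on its subnet."""
    if ip_address(src_ip) in VPC_CIDR:
        return True
    return instance.subnet.igw_route and instance.public_ip


def security_group_allows(instance: Instance, src_ip: str, protocol: str, port: int) -> bool:
    """Layer 2: allow-list evaluated on the interface itself."""
    return any(r.matches(protocol, port, src_ip) for r in instance.ingress)


def evaluate(instance: Instance, src_ip: str, protocol: str, port: int) -> dict:
    """Evaluate every layer independently so the result says which layer(s)
    block, not just whether the connection would succeed."""
    verdicts = {
        "subnet": subnet_layer_allows(instance, src_ip),
        "security_group": security_group_allows(instance, src_ip, protocol, port),
    }
    blocked_by = [layer for layer, ok in verdicts.items() if not ok]
    return {"allowed": not blocked_by, "blocked_by": blocked_by}


# Constructed fixtures.
PUBLIC = Subnet("public-a", igw_route=True)
PRIVATE = Subnet("private-a", igw_route=False)

WEB = Instance("web", PUBLIC, public_ip=True,
               ingress=(Rule("tcp", 443, 443, "0.0.0.0/0"),))
# A mistakenly world-open database port on an instance in the private subnet:
# the subnet layer still blocks internet sources, which is the point of layering.
DB = Instance("db", PRIVATE, public_ip=False,
              ingress=(Rule("tcp", 5432, 5432, "0.0.0.0/0"),))


if __name__ == "__main__":
    cases = [
        (WEB, "203.0.113.7", "tcp", 443),
        (WEB, "203.0.113.7", "tcp", 22),
        (DB, "203.0.113.7", "tcp", 5432),
        (DB, "10.0.1.10", "tcp", 5432),
    ]
    for inst, src, proto, port in cases:
        r = evaluate(inst, src, proto, port)
        outcome = "ALLOW" if r["allowed"] else "DENY by " + ", ".join(r["blocked_by"])
        print(f"{inst.name:4} <- {src:12} {proto}/{port}: {outcome}")
```

Running it shows the web instance accepting 443 but having SSH stopped by its security group, and the private database instance shielded from the internet by subnet placement even though its security group is too open; the same database is reachable from a VPC address because only the security group applies there. Reporting per-layer verdicts this way is one answer to the "which layer is supposed to stop this?" question: the configuration review, not the incident, tells you.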

I suspect that calls for layered security will often be rejected for being “overkill”. I can see myself doing this if a developer demanded we secure something that I felt was already secured further up the chain. So, Defense in Depth cannot be applied without thought.