Defense in Depth

Security Layers

┌─────────────────────────────────┐ │ Perimeter Security │ WAF, DDoS Protection ├─────────────────────────────────┤ │ Network Security │ Firewalls, VPNs, Segmentation ├─────────────────────────────────┤ │ Host Security │ OS Hardening, Patching ├─────────────────────────────────┤ │ Application Security │ AuthN, AuthZ, Input Validation ├─────────────────────────────────┤ │ Data Security │ Encryption, Access Control └─────────────────────────────────┘

Layer Controls

1. Perimeter

• Web Application Firewall (WAF)

• DDoS protection

• Rate limiting

• Bot detection

2. Network

• Network segmentation (VPCs, subnets)

• Security groups / firewalls

• VPN for internal access

• Zero-trust network access

3. Host

• OS hardening

• Patch management

• Endpoint protection

• File integrity monitoring

4. Application

• Authentication (OAuth2, OIDC)

• Authorization (RBAC, ABAC)

• Input validation

• Output encoding

• Session management

• Secure headers

5. Data

• Encryption at rest (AES-256)

• Encryption in transit (TLS 1.3)

• Key management

• Data masking

• Access logging

Security Checklist

• WAF configured with OWASP rules

• Network segmentation in place

• All traffic encrypted (TLS)

• Authentication on all endpoints

• Least privilege access controls

• Secrets managed securely

• Audit logging enabled

• Backups encrypted and tested

Principle of Least Privilege

Grant only the minimum permissions needed:

• Use IAM roles, not long-lived credentials

• Scope permissions to specific resources

• Regular access reviews

• Just-in-time access for sensitive operations