Which describes defense-in-depth in information security?

Defense-in-depth means you don’t rely on a single security control. Instead you place multiple overlapping controls across physical, network, endpoint, and application layers so that if one layer is breached, others still block, detect, or mitigate the threat. This layering creates redundancy and resilience, reducing the chance that a single weakness leads to compromise. For example, strong access controls and MFA protect who can do what, encryption protects data at rest and in transit, endpoint protection and regular patching limit malware spread, network segmentation restricts movement, and continuous monitoring detects unusual activity. The approach described—overlapping controls across multiple layers—best captures the idea of defense-in-depth. Relying on a single firewall, focusing only on perimeter defenses, or depending solely on encryption all leave gaps that other layers would catch or prevent.