How CDA's Empty Fortress doctrine relates to traditional defense in depth — complementary strategies starting from different assumptions.
Defense in depth is the traditional security strategy of layering multiple controls so that if one fails, others still protect the asset. Empty Fortress is CDA's doctrine that the strongest defense is having nothing worth stealing. These are not opposing strategies — they are complementary, but they start from fundamentally different assumptions.
Defense in depth layers controls at the perimeter (firewalls, WAFs), network (segmentation, IDS), endpoint (EDR, hardening), application (input validation, authentication), and data (encryption, DLP) layers. The model assumes the asset is valuable and present, and layers controls to make it progressively harder to reach. It is sound engineering, but it has a critical assumption: the data is worth protecting because it is there.
Empty Fortress challenges the foundational assumption. Before layering controls around data, it asks whether the data should exist in your environment at all. If it should not, eliminate it. If it must exist, minimize it. If it must exist at volume, encrypt it so that breach yields ciphertext. Only then do you layer traditional defense-in-depth controls around what remains.
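The eliminate / minimize / encrypt ladder described above, as an added example that is not CDA's code: a Go intake filter that applies a per-field policy before a record is ever stored, so that only minimized, encrypted or low-value fields reach the data layer where traditional controls take over. The policy, the field names and the 32-byte key are constructed assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
)
type Action int // the Empty Fortress decision for one incoming field
const (
	Eliminate Action = iota // should not exist in our environment: drop it before storage
	Minimize                // must exist, but only in reduced form: keep the last 4 characters
	Encrypt                 // must exist at volume: store AES-GCM ciphertext, never plaintext
	Retain                  // low-value operational field: keep it, defended by infrastructure controls
)
// Policy is a constructed sample intake policy; the field names are assumptions, not CDA's.
var Policy = map[string]Action{"ssn": Eliminate, "card": Minimize, "email": Encrypt, "plan_tier": Retain}
// NewAEAD builds the AES-GCM cipher (AES-256 with a 32-byte key) for fields that must exist at volume.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal returns hex(nonce || ciphertext || tag): a breach of the store yields only ciphertext.
func seal(aead cipher.AEAD, plaintext string) string {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing crypto/rand is unrecoverable; never substitute weaker randomness
	}
	return hex.EncodeToString(aead.Seal(nonce, nonce, []byte(plaintext), nil))
}
// ApplyPolicy runs the eliminate / minimize / encrypt ladder over one record at intake.
func ApplyPolicy(aead cipher.AEAD, record map[string]string) map[string]string {
	out := map[string]string{}
	for name, value := range record {
		switch Policy[name] { // an unlisted field gets the zero value, Eliminate: the default is not to possess
		case Minimize:
			if n := len(value); n > 4 {
				value = "****" + value[n-4:]
			}
			out[name] = value
		case Encrypt:
			out[name] = seal(aead, value)
		case Retain:
			out[name] = value
		}
	}
	return out
}
```

Fields that are not explicitly listed are dropped rather than kept, which is the doctrine's default; the key for the Encrypt case would live outside the data store so that a breach of the store alone yields ciphertext.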
Defense in depth protects the infrastructure itself — the compute, the network, the identity plane. These cannot be eliminated. Empty Fortress protects the data — or rather, protects the organization by ensuring there is minimal data to protect. The combined approach creates an architecture where the infrastructure is hardened through layered controls and the data footprint is minimized through zero possession principles.
Defense in depth can become a justification for data hoarding: "we have seven layers of controls, so it is safe to keep everything." Empty Fortress rejects this reasoning. Controls fail. Layers get misconfigured. The only data that cannot be breached is data that does not exist.
CDA does not choose between these strategies. We implement defense in depth for infrastructure and operations, and Empty Fortress for data architecture. The combination is stronger than either alone.
Defense in depth and Empty Fortress are complementary, not competing. Defense in depth protects infrastructure through layered controls. Empty Fortress protects organizations by eliminating unnecessary data. The combination creates the strongest possible security posture.
Written by CDA Editorial