While applying security measures at every layer, you should always keep your system isolated in a small pocket to reduce the blast radius. If attackers get access to one part of the system, you should be able to limit a security breach to the smallest possible area of the application. For example, in a web application, keep your load balancer in a separate network from other layers of the architecture, as that will be internet-facing. Further, apply network separation at the web, application, and database layers. In any case, if an attack happens in one layer, it will not expand to other layers of the architecture.
The same rules are applied to your authorization system to give the least privilege to users and provide only the minimum required access. Make sure to implement multi-factor authentication (MFA) so that even if there's a breach in user access, it always needs a second level of authentication to get into the system.
Provide minimal access to ensure...