My Primer on Zero-Trust Architecture

Castle-and-Moat

This is not a unfamiliar strategy to most. Essentially, the landscape is divided into at least two segments – external and internal (i.e. the castle). What divides them is a moat and a drawbridge that selectively permits traffic to and fro the castle.

In digital sense, the castle refers to your home network while the external whole wide world is kept seperated by your home router (and it’s firewall) acting like a moat and drawbridge.

The downpoint of this strategy is that if you let a malicious actor in or if he/she is already inside the castle, they can freely access the resources within and take their time to pick the various locks protecting treasure chests or rooms while avoiding detection (a.k.a lateral movement). Therefore, enterprises invest heavily in perimeter defence products like firewalls, data loss prevention, VPN, traffic inspection, etc.. To address lateral movements, periodic log reviews are conducted.

So does this strategy still apply to cloud deployments? Yes but Zero-Trust Architecture (ZTA) would also be appropriate.