The statement below is from the first published paper on a new approach to tackling the security challenges of modern networks, written by John Kindervag of Forrester in 2010: the Zero Trust network architecture.
It took nearly 10 years for this to reach the mainstream and be picked up by many IT security and network architects and IT security companies. Google scaled it (as usual) and published their experience as BeyondCorp, which quickly spread and led to a wider awareness of zero trust network architectures among us.
The statement below is still relevant, even 9 years after Forrester first published it. We are still fighting with the numerous controls we had to install on top of the existing networking infrastructure: perimeter firewalls where policy is written as IP-to-IP rules, and VLANs that make it hard to span infrastructure borders such as the gateway to your public cloud infrastructure or the WAN.
There is a very big overlap between my personal experience from working with IT Security and Networking staff and the Forrester paper:
- The current model is not secure
- There is no trusted network
- You have to design your network from the inside out
- There is no segmentation if there is no visibility
- A zero trust network is highly segmented
- There needs to be a central management for segmentation (otherwise management will be a nightmare)
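To make the list concrete, here is a small added example (my own illustration, not code from the Forrester paper or from BeyondCorp) of the two design choices the list implies: policy written against workload identity (labels) rather than IP addresses, evaluated centrally with default deny, and a visibility check that flags flows from endpoints the inventory does not know. All workload names, labels, IP addresses and flow records are constructed for the example.

```python
"""Identity-based, default-deny segmentation policy evaluated centrally.

Added example, not from the original post. Workloads, labels, addresses
and flows below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[str]  # identity, e.g. {"app:shop", "tier:web"}


@dataclass(frozen=True)
class Rule:
    """Allow `port` from any workload carrying all `src` labels to any
    workload carrying all `dst` labels. No rule means deny."""
    src: FrozenSet[str]
    dst: FrozenSet[str]
    port: int


# The central policy: written once, in terms of identity, not addresses.
POLICY: List[Rule] = [
    Rule(frozenset({"app:shop", "tier:web"}), frozenset({"app:shop", "tier:db"}), 5432),
    Rule(frozenset({"role:monitoring"}), frozenset({"app:shop"}), 9100),
]

# Constructed inventory: the same web workload before and after a move to cloud.
WEB_ONPREM = Workload("shop-web-01", "10.0.1.10", frozenset({"app:shop", "tier:web"}))
WEB_CLOUD = Workload("shop-web-01", "172.16.5.20", frozenset({"app:shop", "tier:web"}))
DB = Workload("shop-db-01", "10.0.2.10", frozenset({"app:shop", "tier:db"}))
MON = Workload("prom-01", "10.0.9.5", frozenset({"role:monitoring"}))

# The legacy equivalent: IP-to-IP rules that only describe the on-prem layout.
IP_RULES: List[Tuple[str, str, int]] = [
    ("10.0.1.0/24", "10.0.2.0/24", 5432),
    ("10.0.9.0/24", "10.0.0.0/16", 9100),
]


def build_inventory(workloads: List[Workload]) -> Dict[str, Workload]:
    """Map IP -> identity, as a visibility layer (agents, flow logs) would."""
    return {w.ip: w for w in workloads}


def allowed(policy: List[Rule], src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: allowed only if some rule matches both identities and the port."""
    return any(r.src <= src.labels and r.dst <= dst.labels and r.port == port
               for r in policy)


def evaluate_flow(policy: List[Rule], inventory: Dict[str, Workload],
                  src_ip: str, dst_ip: str, port: int) -> str:
    """Verdict for an observed flow. An endpoint the inventory cannot
    identify is flagged: without visibility there is no segmentation."""
    src, dst = inventory.get(src_ip), inventory.get(dst_ip)
    if src is None or dst is None:
        return "unknown-endpoint"
    return "allow" if allowed(policy, src, dst, port) else "deny"


def allowed_by_ip(ip_rules: List[Tuple[str, str, int]],
                  src_ip: str, dst_ip: str, port: int) -> bool:
    """Legacy IP-based check for comparison."""
    return any(ip_address(src_ip) in ip_network(s)
               and ip_address(dst_ip) in ip_network(d)
               and port == p for s, d, p in ip_rules)


def audit(policy: List[Rule], inventory: Dict[str, Workload],
          flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Run every observed flow through the central policy."""
    return [(s, d, p, evaluate_flow(policy, inventory, s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    # Constructed flow records, as a flow-log exporter might report them.
    flows = [("10.0.1.10", "10.0.2.10", 5432),   # web -> db, expected
             ("10.0.1.10", "10.0.2.10", 22),     # web -> db over SSH, not in policy
             ("10.0.3.77", "10.0.2.10", 5432)]   # host nobody has identified
    for row in audit(POLICY, build_inventory([WEB_ONPREM, DB, MON]), flows):
        print("on-prem ", row)
    # After the web tier moves to cloud, identity is unchanged, so the same
    # policy still applies; the IP rule set no longer matches.
    cloud_inv = build_inventory([WEB_CLOUD, DB, MON])
    print("cloud   ", evaluate_flow(POLICY, cloud_inv, "172.16.5.20", "10.0.2.10", 5432))
    print("ip rules", allowed_by_ip(IP_RULES, "172.16.5.20", "10.0.2.10", 5432))
```

The point of the two checks side by side: once the web tier gets a new address behind the cloud gateway, the identity-based policy is unchanged while the IP rule set silently stops matching and has to be rewritten at every firewall in the path. The "unknown-endpoint" verdict is what a central policy can report only when the inventory is fed by real visibility into the network.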
Security is an overlay in yesterday’s hierarchical network. There is no security layer in a three-tiered network. Network professionals downgraded or dismissed most security requirements during legacy network design. By the time they identified a security issue and brought in security professionals, network professionals had already built the network; we then had to bolt on security controls after the fact. Our networks, therefore, are overflowing with security controls wedged awkwardly into this antiquated networking model (see Figure 2). They become a management nightmare made even worse by the fact that we still have yet to fully resolve our overarching security problems.