“Castle-and-moat” is a network security model in which no one outside the network is able to access data on the inside, but everyone inside the network can. Imagine an organization’s network as a castle and the network perimeter as a moat. Once the drawbridge is lowered and someone crosses it, they have free rein inside the castle grounds. Similarly, once a user connects to a network in this model, they are able to access all the applications and data within that network.
What are the problems with the castle-and-moat approach?
Today, the castle-and-moat approach is becoming outdated. For most companies, data is spread across multiple cloud vendors rather than remaining behind an on-premises network perimeter. To further the analogy: it does not make sense to put all one’s resources into defending the castle if the queen and her court are scattered around the countryside.
The biggest security flaw is that if an attacker gains access to the network — if they cross the “moat” — they can also access any data and systems within.
How does the castle-and-moat model differ from zero trust security?
The castle-and-moat approach is based on the philosophy of defending the perimeter while assuming that everything already inside poses no threat and has already been cleared for access.
Zero trust security assumes that security risks are present both inside and outside the network. Nothing inside the network is trusted by default — hence the name “zero trust.”
Zero trust security requires strict verification for every user and device on the network before granting them access to data and applications.
How is access control managed in a castle-and-moat model?
One way organizations control access when using the castle-and-moat model is virtual private networks, or VPNs. VPNs set up an encrypted connection between connected users and a VPN server. For certain levels of access, a user has to connect to at least one VPN. Once connected, they can access the resources they need.
Since different users within the same company often require different access privileges, IT teams set up multiple VPNs. Each VPN can be thought of as its own “castle,” providing a different level of access.
The biggest drawback is that a VPN acts as a single point of failure for the applications and data it protects. It takes only one compromised account or device for an attacker to cross the proverbial moat and gain access to all VPN-protected data.
How does access control work in a zero trust architecture?
There are a few basic principles that underlie a zero trust architecture:
- Device monitoring: Every device that connects to a network is carefully tracked
- Least-privilege access: Users get only the minimum access they need to do their job
- Microsegmentation: Networks are broken down into much smaller security zones
- Multi-factor authentication (MFA): Users must provide more than one factor to verify identity (for instance a password plus possession of a token)
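To make the contrast between the two models concrete, here is an added example (not code from the original article) of a minimal access-decision engine. It evaluates the same request under a castle-and-moat rule (trust anything already inside the corporate network or VPN address range, as in the VPN section above) and under a zero trust rule that applies the four principles just listed: device monitoring, least-privilege access, microsegmentation and MFA. All networks, users, devices, roles and resources are constructed sample data, and the function and field names are this example's own assumptions.

```python
"""Castle-and-moat versus zero trust access decisions on the same request.
Added example; all data below is constructed and not real infrastructure."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the "castle grounds" (on-premises LAN plus the VPN address pool).
CORPORATE_NETWORK = ip_network("10.0.0.0/8")

# Least privilege: each role is granted only the segments its work requires.
ROLE_SEGMENTS = {
    "finance": {"finance-db"},
    "developer": {"ci", "source-repo"},
    "helpdesk": {"ticketing"},
}

# Microsegmentation: every resource lives in exactly one small security zone.
RESOURCE_SEGMENT = {
    "payroll-service": "finance-db",
    "build-server": "ci",
    "git": "source-repo",
    "ticket-portal": "ticketing",
}

# Device monitoring: inventory of managed devices and their last posture result.
DEVICE_INVENTORY = {
    "laptop-0001": {"owner": "alice", "compliant": True},
    "laptop-0002": {"owner": "bob", "compliant": False},  # failed posture check
}


@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    source_ip: str
    resource: str
    mfa_verified: bool


def castle_and_moat_decision(req: AccessRequest) -> bool:
    """Castle-and-moat: whoever is already inside the perimeter is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Zero trust: verify identity, device, MFA and entitlement on every request,
    regardless of where it comes from. Returns (allowed, reason) for logging."""
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return False, "unknown device"
    if device["owner"] != req.user:
        return False, "device not registered to this user"
    if not device["compliant"]:
        return False, "device failed compliance check"
    if not req.mfa_verified:
        return False, "MFA not completed"
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        return False, "unknown resource"
    if segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, f"role '{req.role}' not granted segment '{segment}'"
    return True, "verified"


def compare(req: AccessRequest) -> dict:
    """Evaluate one request under both models so the difference is visible."""
    allowed, reason = zero_trust_decision(req)
    return {
        "castle_and_moat": castle_and_moat_decision(req),
        "zero_trust": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed scenario: an attacker on an unmanaged box that is already
    # inside the network (e.g. via a compromised VPN account) targets payroll.
    inside_attacker = AccessRequest(
        "alice", "finance", "rogue-box", "10.20.30.41", "payroll-service", False
    )
    print("inside attacker:", compare(inside_attacker))
    # Legitimate finance user on a compliant, registered device with MFA.
    legit = AccessRequest(
        "alice", "finance", "laptop-0001", "10.20.30.40", "payroll-service", True
    )
    print("legitimate user:", compare(legit))
```

The castle-and-moat function allows the inside attacker because the only thing it checks is network location; the zero trust function denies the same request at the first failed verification step and records why, which is also the signal a detection team would want in its logs.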
Moving from castle-and-moat to zero trust: ‘SASE’
Aware of the shortcomings of the castle-and-moat model, many organizations are adopting a zero trust architecture. Many vendors offer streamlined zero trust solutions that can be turned on quickly.
But rather than adopting a separate access management solution, many organizations want zero trust security built into the network, not just layered on top of it. Gartner, a global research and advisory firm, has termed this trend “secure access service edge” (SASE).
Read my other articles in the Zero Trust series: