Zero Trust - Unambiguous similarities between medieval castle defense and modern day logical defense strategies.
Picture taken at Amer Fort, Jaipur, India during a family vacation many years ago.

I often talk about how most of the modern information security principles are based on age-old wisdom, rather than the latest, path-breaking concepts that the sales teams may want you to believe in.


For example, Zero Trust is a security model that assumes that any user or device, even those within the network perimeter, should not be trusted by default. Access to resources is granted only on a need-to-know basis, and authentication and authorisation processes are used to verify the user or device's identity and grant access only to the resources they need.


If you think about it, Zero Trust is one of the most prominent defense strategies employed during medieval times to safeguard castles from enemies. Back in those days, it was a must to not trust anyone by default.


If you have visited castles, you would have noticed that they always had narrow pathways leading to places of importance. Castles were divided into compartments, and access was granted only to those who had a legitimate need to enter. This layout allowed the castle to be more easily defended, as attackers would not be able to move freely within the castle's walls even if they managed to breach a particular compartment.


Just like castles, modern-day Zero Trust models often divide networks into smaller segments to limit the "blast radius" of any potential breach. Access to resources is restricted to those who need them for their work or duties, and multi-factor authentication is often used to verify the user or device's identity. Attackers who manage to breach one compartment or segment of the network will not be able to move laterally and access other resources, just as in medieval times.


Another unambiguous similarity between medieval castle defense and Zero Trust models is the importance of verifying identity and credentials. In medieval times, those within the castle walls needed to prove their identity and credentials before being granted access to a compartment. Similarly, modern-day Zero Trust models often require multi-factor authentication, which demands that users prove their identity and provide additional credentials, such as a password or biometric data, before being granted access to a resource.


The reason I draw these comparisons is that relating modern-day cybersecurity principles to medieval defense strategies can help cybersecurity professionals in several ways. For example, it can provide a useful analogy that helps cybersecurity professionals explain complex security concepts to non-technical stakeholders.


Secondly, comparing modern-day security principles to medieval defense strategies can help develop more effective security strategies that take into account the strengths and weaknesses of both approaches.


The cover image of this post is a picture taken at Amer Fort, Jaipur, India many years ago. As you can see, every inch would have been under watchful eyes, which is something we all aspire to achieve, well, logically, one day.

Vikram Singh Mains

Major Account Manager

1 year

Well drawn parallel

Mukesh Kumar

IIM-Indore | Digital Transformation Leader | Cybersecurity & Application Modernization Expert | IT Support & IoT Innovator | Analytics Specialist | PCI-DSS | ERP & CRM Strategist | DevOps Professional

1 year

Very good

Amitabh Bhardwaj ,MTech,PMP,CEH,GCPP

Military Veteran| Cyber Security|GRC|Risk Management|BCP|IT Project Management| Digital Transformation & Innovation|InfoSec Training & Mentor |CyberSecurity & Transformation

1 year

Tenets of security are the same since the history of mankind... Old adage in security parlance: RESPECT ALL - SUSPECT ALL. Another trivia for salutation in Defence forces world over... Open approach towards other entity saluting is primarily to convey his hand free from any weapon.

Vikas Arora

Senior Vice President - Global IT & Security | CISO | CIO | Security Leader | Privacy Leader | CISSP | CIPM

1 year

Great read Manish

Group Captain Ashok Kumar (IAF Veteran)

IAF Veteran | IT Leader | Cyber Security Specialist | Learner for Life | Research Scholar

1 year

Awesome Manish. Thanks once again
