
Zero Trust Model Overcomes the Limitations of ‘Castle-and-Moat’ Security



(September 8, 2021) Remote work and the growing adoption of cloud services have changed the cybersecurity dynamic. Traditionally, organizations relied on a strong network perimeter to keep the bad guys out. With that perimeter increasingly porous, a new approach to security is needed.

The zero trust model overcomes the limitations of “castle-and-moat” security. It assumes that every user and device attempting to access the network is a threat until verified and authenticated. Zero trust also limits the resources users can access and minimizes the attack surface to reduce the potential damage caused by a successful cyberattack.

Forrester Research coined the term “zero trust” in 2010 and presented the first model. It does not require a wholesale replacement of security controls — organizations can leverage existing investments and proven technologies to implement a zero trust model. The key is to refocus those capabilities on protecting IT resources no matter where they reside.

The Castle-and-Moat Model

It’s easy to visualize how castle-and-moat security works — imagine a castle with a drawbridge and sentries posted at the entrance. Anyone seeking to gain entry is challenged by the sentries. If the person is deemed “safe,” the drawbridge is lowered and he is permitted to enter. The drawbridge is then raised to protect the castle from attack.

Problem is, anyone inside has free rein to roam about the castle. An attacker who makes it past perimeter defenses can cause serious damage. If, for example, hackers were to gain entrance using stolen user credentials, they could easily exfiltrate data and take down internal systems.

What’s more, perimeter defenses do little to protect resources that are outside the perimeter. If the queen is traveling through the countryside, she is vulnerable to attack.

Zero Trust Basics

Organizations can use virtual private networks (VPNs) to control remote access in the castle-and-moat model. The VPN requires strong authentication and encrypts data traveling between remote users and the data center. However, VPNs can be difficult to maintain and create latency that impacts application performance. And they are still vulnerable to attack if user credentials are compromised.

The zero trust model offers a better approach. It is based on the principle of “identity as the perimeter,” strictly controlling user access and ensuring that all devices meet security requirements. Access is based upon degrees of trust. Is the endpoint a user’s personal device or company-issued? Is the user logging in from an expected location? What resources is the user trying to access?

Continuous monitoring is another feature of zero trust. Users are periodically reverified and devices assessed to ensure they have not been compromised.

Key Principles and Technologies

The success of the zero trust model depends upon well-established security principles. One is the concept of least privilege access. Users should be allowed to access only the resources and data they need to do their jobs. If attackers steal the user’s credentials or gain access to the user’s device, there is less chance they’ll be able to cause serious damage.

Least privilege access is complemented by micro-segmentation, the practice of breaking up the network into small zones. Users with access to one zone must be reauthorized to access another. This prevents an attacker from moving laterally through the network.

Multifactor authentication (MFA) also plays an important role in zero trust. MFA tools require users to provide more than one “factor” to verify their identities. For example, a code sent to a mobile device or a biometric such as a fingerprint might be required in addition to a username and password.
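As an added illustration (not code from the original article or from Mainstream Technologies), the following Python sketch shows how the access decision described under Zero Trust Basics and the principles above combine in one policy check: an explicit least-privilege grant per micro-segment, a trust score from device posture, location and MFA, and periodic reverification of stale sessions. The zone names, scoring weights and 30-minute reverification window are assumed values chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample data: micro-segments and how much trust each one demands.
ZONE_SENSITIVITY = {"intranet": 1, "hr-records": 3, "finance": 3}
REVERIFY_AFTER_MIN = 30  # assumed reverification window for continuous monitoring


@dataclass
class AccessContext:
    user: str
    device_managed: bool         # company-issued (True) vs. personal device
    location_expected: bool      # login from a location the user normally uses
    mfa_verified: bool           # second factor presented in this session
    session_age_min: int         # minutes since the user was last verified
    zone: str                    # micro-segment the user is requesting
    authorized_zones: frozenset  # least-privilege grants held by this user


def trust_score(ctx: AccessContext) -> int:
    """Degree of trust derived from device posture, location and MFA."""
    score = 2 if ctx.device_managed else 0
    score += 1 if ctx.location_expected else 0
    score += 1 if ctx.mfa_verified else 0
    return score


def evaluate(ctx: AccessContext) -> tuple:
    """Return (decision, reason); decision is 'allow', 'deny' or 'reverify'."""
    if ctx.zone not in ZONE_SENSITIVITY:
        return "deny", "unknown zone"
    # Least privilege: the user must hold an explicit grant for this zone,
    # so access to one zone never implies access to another.
    if ctx.zone not in ctx.authorized_zones:
        return "deny", "no grant for zone"
    # Continuous monitoring: sessions older than the window must re-verify.
    if ctx.session_age_min > REVERIFY_AFTER_MIN:
        return "reverify", "session older than reverification window"
    # Degrees of trust: sensitive zones require MFA and a higher posture score.
    required = ZONE_SENSITIVITY[ctx.zone]
    if required >= 3 and not ctx.mfa_verified:
        return "reverify", "MFA required for sensitive zone"
    if trust_score(ctx) < required:
        return "deny", "trust score below zone requirement"
    return "allow", "ok"
```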

Perimeter-based security is showing its weaknesses now that many users and resources are located outside the corporate network. The zero trust model provides stronger security for today’s distributed IT environment.


Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region, including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
