The Castle is Empty: Why Network and Security Can No Longer Be Separate Departments

For the last twenty years, we’ve built enterprise networks using the “Castle and Moat” philosophy.

The Castle was the Data Center. We put all our valuables—our applications, our customer data, our intellectual property—inside thick stone walls. We dug a deep moat around it (the Firewall). And we put a drawbridge at the front (the VPN).

If you were inside the castle, you were trusted. If you were outside, you were a threat until you proved otherwise.

This model worked great… until everyone moved out of the castle.

Today, most of your applications aren't in the Data Center; they're in the Cloud (Salesforce, AWS, Azure). Your users aren't at their desks; they're at Starbucks, in airports, or working from their kitchen tables. The Castle is mostly empty, but we're still spending millions of dollars guarding the drawbridge.

The Department of “Go” vs. The Department of “No”

The biggest problem we face today isn’t technology; it’s organizational structure.

In most companies, the Network team and the Security team operate in silos.

  • The Network Team (The Department of “Go”): Their job is to connect things. They care about speed, uptime, and latency. They want the pipes wide open.
  • The Security Team (The Department of “No”): Their job is to protect things. They care about compliance, risk, and locking things down. They want filters everywhere.

Historically, these two teams only spoke when something broke. The Network team would design a fast, elegant architecture, and then Security would come in at the last minute and bolt on a clumsy appliance that slowed everything down.

In a hybrid world, this friction is unsustainable. You cannot have one team building the highway and another team randomly setting up roadblocks that cause traffic jams.

Moving the Checkpoint to the Cloud

This is where the acronym soup—SASE (Secure Access Service Edge) and SSE (Security Service Edge)—comes in. Forget the jargon for a second. Here is what it actually means in plain English:

We are moving the security checkpoint to the cloud.

In the old model, if a remote user wanted to access a file, their traffic had to travel all the way back to the corporate data center (the Castle), get inspected by the firewall, and then travel all the way back out to the internet to reach the Cloud app. We call this "hair-pinning" or "tromboning." It's inefficient, it adds latency to every round trip, and it makes Zoom calls stutter.

With SASE, we push the security enforcement to the edge, right next to the user. The "Pipe" (SD-WAN) and the "Filter" (the SSE stack: secure web gateway, CASB, zero-trust network access, firewall-as-a-service) are delivered as one service.

The user connects to the nearest cloud point of presence. Their traffic is inspected there and forwarded directly to its destination. Security gets the control they need, and the Network team gets the performance they want. Everybody wins.

Zero Trust: A Marketing Buzzword for Common Sense

You can’t talk about this shift without mentioning “Zero Trust.” It sounds paranoid, doesn’t it? Like we don’t trust our own employees.

But think of it like a hotel key card. In the old “Castle” model, once you got past the drawbridge (VPN), you had the run of the place. You could wander into the kitchen, the throne room, or the dungeon. In a “Zero Trust” model, your key card only works for your room and the gym. You can’t get into the Penthouse just because you checked in.

This isn't about mistrust; it's about blast radius. If a bad guy steals a user's credential (and they will), Zero Trust limits how far they can move laterally: the stolen credential only opens the doors that user, on that device, was already authorized to open. It does not open the whole network, and it does not reach the Crown Jewels.

At some point we have to accept the ‘assume breach’ posture in how we operate. If you do, suddenly all of the above seems rational and logical. Anything short of Zero Trust becomes insanity.
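To make the hotel key card concrete, here is an added example (not code from the original post) of the two decision models side by side. The castle model asks one question: are you inside the network? The Zero Trust model asks, on every request, who you are, what device you are on, how fresh your MFA is, and which specific resource you want. The company, the resource names ("crm", "hr-payroll", "prod-db"), the policy thresholds, and the users are all constructed for illustration; a real deployment would pull these from an identity provider and a device-management system.

```python
"""Added example: castle-and-moat vs. Zero Trust authorization decisions.

Everything here is constructed for illustration: the resources, the policy
rules, and the users are hypothetical, not taken from any real product.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    groups: FrozenSet[str]     # membership in any one of these groups is required
    managed_device: bool       # must the device be enrolled and compliant?
    max_mfa_age_min: int       # how recent the last MFA prompt must be


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device_managed: bool
    device_compliant: bool
    mfa_age_min: Optional[int]  # None means no MFA on this session at all
    on_corp_network: bool       # True once a VPN or LAN connection is up


# Hypothetical policy table: one rule per resource, deny anything not listed.
POLICY = {
    "crm":        Rule(frozenset({"sales", "support"}), managed_device=False, max_mfa_age_min=480),
    "hr-payroll": Rule(frozenset({"hr"}),               managed_device=True,  max_mfa_age_min=30),
    "prod-db":    Rule(frozenset({"dba"}),              managed_device=True,  max_mfa_age_min=15),
}


def castle_decision(req: Request, resource: str) -> Tuple[bool, str]:
    """Castle-and-moat: the drawbridge is the only checkpoint. Once inside,
    every resource is reachable, and from outside nothing is."""
    if req.on_corp_network:
        return True, "inside the network"
    return False, "outside the network"


def zero_trust_decision(req: Request, resource: str) -> Tuple[bool, str]:
    """Per-request check on identity, MFA freshness and device posture for
    this specific resource. Network location is never consulted."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "no policy for resource (deny by default)"
    if not (req.groups & rule.groups):
        return False, "user not in an authorized group"
    if req.mfa_age_min is None or req.mfa_age_min > rule.max_mfa_age_min:
        return False, "MFA missing or stale"
    if rule.managed_device and not (req.device_managed and req.device_compliant):
        return False, "managed, compliant device required"
    return True, "policy satisfied"


Decider = Callable[[Request, str], Tuple[bool, str]]


def reachable(req: Request, decide: Decider) -> Set[str]:
    """The blast radius of this session: every resource the model would open."""
    return {resource for resource in POLICY if decide(req, resource)[0]}


# Constructed scenarios.
# Alice from sales, working from a coffee shop on her managed laptop.
ALICE_AT_CAFE = Request("alice", frozenset({"sales"}), True, True, 20, on_corp_network=False)
# An attacker on the VPN with Alice's stolen password and a phished MFA code,
# from an unmanaged machine.
STOLEN_ALICE = Request("alice", frozenset({"sales"}), False, False, 5, on_corp_network=True)
# Bob the DBA at home, managed device, MFA ten minutes ago.
BOB_AT_HOME = Request("bob", frozenset({"dba"}), True, True, 10, on_corp_network=False)


if __name__ == "__main__":
    for name, req in [("alice@cafe", ALICE_AT_CAFE), ("stolen-alice", STOLEN_ALICE), ("bob@home", BOB_AT_HOME)]:
        print(f"{name:13} castle={sorted(reachable(req, castle_decision))} "
              f"zero_trust={sorted(reachable(req, zero_trust_decision))}")
```

Run it and the contrast is the whole argument of this section: the castle model gives Alice nothing at the coffee shop (so she backhauls over VPN) and gives the attacker everything the moment the VPN is up, while the Zero Trust model lets Alice and Bob work from anywhere and holds the stolen session to the one resource Alice's role already allowed.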

Security as a User Experience Feature

Here is the pragmatic argument you can use to sell this to the Board: Good security should be invisible.

We have trained users to hate security. We make them wrestle with clunky VPN clients that drop connections. We make them jump through hoops to access basic files, and we make them provide their uncle's friend's sister's maiden name to confirm their identity every 30 minutes. What happens? Human nature kicks in. They find workarounds. They email sensitive files to their personal Gmail accounts just to get work done.

When you converge Network and Security at the Edge, you actually improve the user experience.

  • The connection is faster because we aren’t backhauling traffic.
  • The login is seamless because it's integrated into the browser or the device, rather than bolted on as a separate VPN prompt.

When security stops being a roadblock and starts being an enabler, people stop trying to bypass it.

Tear Down the Wall

If you are a CIO or an IT Director, your next move shouldn’t be buying a box. It should be buying lunch.

Get your Network Architect and your CISO in the same room. Stop building independent strategies. The perimeter is dead, and the only way to secure the modern enterprise is to accept that the pipe and the filter are now one and the same.

Unless you like medieval architecture, in which case… go build your castle. I have a great Monty Python script for you.