Zero Trust has evolved from a theoretical security principle into a broadly accepted strategic objective. NIST 800-207 formalized its architecture. CISA’s Zero Trust Maturity Model outlines phased implementation. Identity platforms, endpoint tools, and cloud security controls continue to mature.
Yet breach patterns remain remarkably consistent. Despite advances in perimeter hardening, identity enforcement, and cloud security, attackers continue to gain footholds inside enterprise environments and expand from there. The issue is not simply how attackers enter. It is what the environment allows once they do.
The data reveals a structural pattern.
1. Initial compromise remains simple.
According to recent editions of the Verizon Data Breach Investigations Report, roughly 68% of breaches involve a human element—credential theft, phishing, misuse, or error. The entry point is often unsophisticated. What transforms that foothold into a material incident is not the sophistication of the attack, but what the environment permits next.
2. Lateral movement turns incidents into breaches.
Incident response investigations, including public reporting from Mandiant, consistently identify lateral movement as a defining characteristic of significant breaches. Once inside, attackers enumerate internal systems, harvest additional credentials, pivot across hosts, and escalate privileges. In many environments, the internal network offers limited structural resistance to this expansion.
3. The device landscape has shifted beyond traditional controls.
Industry analysts estimate that the majority of enterprise-connected endpoints are now IoT or OT devices—printers, badge readers, surveillance systems, HVAC controllers, medical equipment, manufacturing systems, and other embedded assets. Many cannot support modern endpoint controls or cryptographic identity binding. Most were never designed to operate under contemporary threat assumptions.
4. Infrastructure is no longer just plumbing—it is a target.
CISA’s Known Exploited Vulnerabilities catalog increasingly highlights routers, VPN appliances, and firewalls among actively exploited systems. These devices sit at critical junctions of trust. When compromised, they provide visibility, persistence, and leverage at scale.
None of these observations are surprising in isolation. Taken together, however, they reveal something more fundamental: the internal network was never designed to assume compromise.
This expansion most often occurs inside the enterprise campus—the wired and wireless network that connects offices, hospitals, warehouses, factories, retail locations, and other corporate sites. It is the environment where users, infrastructure, and unmanaged devices converge. More importantly, it is the domain of east–west communication, where devices interact directly with one another rather than simply reaching outward to cloud services.
The persistence of lateral movement inside these environments is not primarily a tooling failure. It is a consequence of architectural assumptions.
Enterprise campus networks were historically engineered to prioritize availability and connectivity. Segmentation mechanisms such as VLANs and subnets were introduced largely for broadcast containment and administrative grouping—not for least-privilege enforcement. Admission controls determined who could connect. But once admitted, devices often shared broad trust domains where peer discovery and internal communication were common.
That design aligned with an earlier threat landscape. Device populations were smaller. Ownership was clearer. Perimeters were more defined. Internal traffic was implicitly trusted.
Modern adversaries operate differently. They assume compromise. They expect to land somewhere inside the network and plan to move laterally from there. When east–west communication is broadly permitted by default, that strategy succeeds.
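As an added illustration that is not part of the original article, the following Python models a small constructed campus with three VLANs and compares how far a single compromised host can pivot when intra-VLAN east–west traffic is permitted by default versus under an explicit allow-list. All hostnames, VLAN names and permitted flows are constructed assumptions, not taken from any real environment.

```python
from collections import deque

# Constructed sample campus: host -> VLAN. Not taken from any real environment.
HOSTS = {
    "laptop-01": "users", "laptop-02": "users", "printer-01": "users",
    "badge-reader-01": "ot", "hvac-01": "ot", "camera-01": "ot",
    "fileserver-01": "servers", "db-01": "servers",
}

def flat_vlan_policy(src, dst):
    """'Communicate first': any host may talk to any other host in its VLAN,
    and every VLAN is routed to the server VLAN. VLANs here contain broadcast
    domains; they do not express least privilege (constructed assumption)."""
    if HOSTS[src] == HOSTS[dst]:
        return True
    return HOSTS[dst] == "servers"

# Explicit least-privilege allow-list of permitted (src, dst) flows (constructed).
ALLOW = {
    ("laptop-01", "printer-01"), ("laptop-02", "printer-01"),
    ("laptop-01", "fileserver-01"), ("laptop-02", "fileserver-01"),
    ("fileserver-01", "db-01"),
}

def least_privilege_policy(src, dst):
    """Deny by default: only explicitly authorized flows are permitted."""
    return (src, dst) in ALLOW

def blast_radius(start, policy):
    """Hosts an attacker on `start` can reach by following permitted flows
    transitively, treating each reached host as a new pivot point."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

if __name__ == "__main__":
    # An unmanaged OT device is the foothold; compare how far it can pivot.
    for name, policy in (("flat VLANs", flat_vlan_policy),
                         ("allow-list", least_privilege_policy)):
        reach = blast_radius("hvac-01", policy)
        print(f"{name:11s}: hvac-01 can pivot to {len(reach)} hosts {sorted(reach)}")
```

Under the flat policy the HVAC controller reaches its VLAN peers and both servers; under the allow-list it reaches nothing, which is the difference between broadcast containment and least-privilege enforcement.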
Zero Trust frameworks emphasize explicit authorization, identity binding, continuous verification, and least privilege. These principles are sound. But their consistent failure at the campus level suggests a deeper issue: the architecture itself was never designed to enforce them comprehensively.
Before evaluating overlays, micro-segmentation policies, or new enforcement tools, it is necessary to examine the foundational assumption embedded in enterprise networking for decades:
Communicate first. Secure later.
That assumption shaped the internal structure of most organizations’ networks. It also explains why Zero Trust initiatives frequently stall when they reach the campus.
The next part of this series examines how that architectural assumption became embedded in enterprise design—and why it now limits the realization of Zero Trust.