'Castle-and-moat' refers to a network security model in which everyone inside the network is trusted by default.
"Castle-and-moat" is a network security model in which no one outside the network is able to access data on the inside, but everyone inside the network can. Imagine an organization's network as a castle and the network perimeter as a moat. Once the drawbridge is lowered and someone crosses it, they have free rein inside the castle grounds. Similarly, once a user connects to a network in this model, they are able to access all the applications and data within that network.
Organizations that use this model dedicate a lot of resources to defending their network perimeter, just as a castle might place the most guards near the drawbridge. They deploy firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and other security products that block most external attacks — but are not as effective at stopping internal attacks, insider threats, and data breaches.
"Castle-and-moat" is not necessarily a deliberately chosen strategy. The term came into use to contrast traditional network architecture with zero trust architecture.
Today, the castle-and-moat approach is becoming outdated. For most companies, data is spread across multiple cloud vendors, rather than remaining behind an on-premise network perimeter. To further the analogy: it does not make sense to put all one's resources into defending the castle if the queen and her court are scattered around the countryside.
Some organizations today continue to keep their data in on-premise networks, and others route all Internet-bound traffic through the central corporate network in order to control access to cloud vendors. But these uses of the castle-and-moat model still have inherent security flaws.
The biggest security flaw is that if an attacker gains access to the network — if they cross the "moat" — they can also access any data and systems within. They can breach the network by stealing user credentials, exploiting a security vulnerability, introducing a malware infection, or carrying out a social engineering attack, among other methods. Firewalls and other intrusion prevention tools may stop some of these attacks, but if one gets through, the cost is high.
Zero trust security is a philosophy for how and when users are allowed to access systems and data. Unlike the castle-and-moat model, zero trust security assumes that security risks are present both inside and outside the network. Nothing inside the network is trusted by default — hence the name "zero trust."
Zero trust security requires strict verification for every user and device on the network before granting them access to data and applications.
One way organizations control access when using the castle-and-moat model is virtual private networks, or VPNs. VPNs set up an encrypted connection between connected users — often working remotely — and a VPN server. For certain levels of access, a user has to connect to at least one VPN. Once connected, they can access the resources they need.
Since different users within the same company often require different access privileges, IT teams set up multiple VPNs. Each VPN can be thought of as its own "castle," providing a different level of access.
There are a few drawbacks to such an approach:
There are a few basic principles that underlie a zero trust architecture:
These principles are broken down further in What is a zero trust network?
Aware of the shortcomings of the castle-and-moat model, many organizations are adopting a zero trust architecture. While initially such a move was fairly complex, today many vendors offer streamlined zero trust solutions that can be turned on quickly. Cloudflare for Teams is one such zero trust security solution.
But rather than adopting a separate access management solution, many organizations want zero trust security built into the network, not just layered on top of it. Gartner, a global research and advisory firm, has termed this trend "secure access service edge" (SASE). Cloudflare One is an example of a network with zero trust security built in.