Informal history of network protocol security: from Garden of Eden to Zero Trust

I have been involved in the network protocol security scene since the 1990s, so I decided to write this post about how we got here. I divide this history into four phases: Garden of Eden, Perimeter Protection, Secure Internet, and Zero Trust.

Garden of Eden

Up until the 1990s, the Internet was pretty much the Garden of Eden. Everyone was assumed to have good intentions, encryption was not used, and authentication was haphazard. Networks were not connected, and not many people had access. The Internet was an academic network. There was little monetary value to invite malicious actors. It was good times!

Perimeter Protection

However, at some point it became apparent that malware and people with bad intentions could come over open networks, and the time for Perimeter Protection started. Organisations erected firewalls that controlled access between an intranet and the Internet. Secure alternatives to plaintext connection protocols emerged, such as SSH. The intranet was assumed to contain only the good guys, so once you were inside, there were no boundaries.

Secure Internet

As the Internet became a means of critical communication and commerce through the Web, there was a greater need to connect organisations. The Internet expanded from cables to wireless networks and mobile, and the Secure Internet phase started. All this requires secure communication protocols like TLS and IPsec over the networks, and firewalls need to have more holes through them. Later, the introduction of the Internet of Things (IoT) multiplied the need for secure communication and introduced new protocols like MQTT and CoAP.

Zero Trust

As intranets became more complex, it became impossible to control the people and devices inside them. This started the phase of Zero Trust. Intranets are split into subnetworks, and individual network nodes do not trust each other without authentication. An attacker with initial access must move laterally and find ways to compromise nodes inside the network. This brings defence-in-depth to block and slow down an attack.

I hope you enjoyed this brief and informal network security history. We at Test of Things are helping IoT manufacturers build secure IoT systems that implement the zero-trust principle.
