Author: erlend

  • Why Shouldn’t We Trust Everyone?

    The question, then, is not why we should trust less. It is why we ever assumed we could trust so much.

    Trust is not a default in the real world. It is something that is built, scoped, observed, and constantly re-evaluated. Yet in IT and OT security, we have spent decades designing systems that do the opposite.

    In physical security, passing a perimeter does not end scrutiny. It changes it. A badge gets you through the door, not through the building. Once inside, visibility increases. Cameras follow movement. Access narrows. Behavior matters more than credentials. Suspicion is not a failure of trust; it is how trust is managed.

    Digital security took a different path.

    Since the early 1990s, we have treated network location as a proxy for intent. If you were “inside”, you were implicitly trusted. Firewalls drew a line between hostile outside networks and friendly internal ones, and once traffic crossed that line, the security conversation largely stopped. The model was efficient, simple, and easy to operate. It was also fundamentally unhuman.

    No one in the physical world would hand a valuable object to a stranger simply because they live in the same city. No security guard would stop observing someone because they passed the first checkpoint. And no serious security operation would assume that proximity reduces risk. In fact, it usually increases it.

    Yet this is exactly what traditional network security has done.

    We encrypted the tunnel, secured the perimeter, and then removed the blindfold once the door closed. VPN established, trust granted. Correct subnet, trust granted. Firewall passed, trust granted. The closer an attacker got to the assets, the less scrutiny they encountered.

    This was not a mistake born of ignorance. It was a product of constraints. Early networks were small, identities were static, systems were few, and attackers were external. The inside-outside distinction made sense long enough to become doctrine. Firewalls encoded it. Standards documented it. Diagrams reinforced it.

    And then the world changed.

    Users became mobile. Systems became distributed. Identities became portable. Access paths multiplied. Attackers stopped knocking and started logging in. But the trust model remained largely the same. We added more zones, more firewalls, more DMZs, and more layers – all in service of protecting an assumption that no longer held.

    The irony is that physical security never made this mistake.

    A security guard assumes credentials can be stolen. A camera operator assumes access can be abused. Trust is never binary, and it is never permanent. It is contextual, limited, and revocable. That reflex is not paranoia; it is professionalism.

    In IT and OT, we turned that reflex off because it was inconvenient. Networks were easier to operate when trust was implicit and location-based. And for a long time, that tradeoff went unchallenged.

    Only recently have we collectively started to acknowledge what should have been obvious all along: presence is not intent, location is not identity, and access is not a permanent state.

    This is why Zero Trust resonates so strongly once you stop treating it as a product category. It is not a radical departure. It is a return to how security has always worked in the physical world. Continuous evaluation. Least privilege. Observation after entry. The ability to revoke without rebuilding the perimeter.

    In OT environments, this matters even more. Legacy protocols, long-lived credentials, and systems that cannot be patched make implicit trust especially dangerous. Yet we see the same perimeter-first thinking re-emerging, justified by models and standards that lag behind operational reality.

    The question, then, is not why we should trust less. It is why we ever assumed we could trust so much.

    Security has never been about keeping everyone out. It has always been about letting the right actions happen, under the right conditions, for the right reasons, and for as long as those reasons remain valid.

    Trust everyone?

    That was never how security worked. We just pretended it did in IT, until the cost became impossible to ignore.
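    The contrast the essay draws, as an added example that is not part of the original post: one decision function that treats the source subnet as a proxy for trust, beside a policy that re-evaluates identity freshness, device posture, scope and revocation on every request. The user, subnet, resource name and one-hour verification window are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed example, not from the original post: a request carrying more
# than a source address, so trust can be scoped, observed and re-evaluated.
@dataclass
class Request:
    user: str
    source_ip: str
    device_compliant: bool
    verified_at: datetime   # last time the user proved identity (e.g. MFA)
    action: str
    resource: str

def perimeter_decision(req: Request) -> bool:
    """Location as a proxy for intent: on the internal subnet means trusted."""
    return req.source_ip.startswith("10.")

@dataclass
class ZeroTrustPolicy:
    max_verification_age: timedelta
    grants: dict[str, set[tuple[str, str]]]   # user -> allowed (action, resource)
    revoked: set[str] = field(default_factory=set)

    def decide(self, req: Request, now: datetime) -> str:
        """Every request is re-evaluated; the source address is never consulted."""
        if req.user in self.revoked:
            return "deny: access revoked"
        if not req.device_compliant:
            return "deny: device posture"
        if now - req.verified_at > self.max_verification_age:
            return "deny: identity verification expired"
        if (req.action, req.resource) not in self.grants.get(req.user, set()):
            return "deny: not granted for this action"
        return "allow"

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICY = ZeroTrustPolicy(max_verification_age=timedelta(hours=1),
                         grants={"erlend": {("read", "hmi-config")}})

def compare(req: Request) -> tuple[bool, str]:
    """Return (perimeter verdict, zero-trust verdict) for one request."""
    return perimeter_decision(req), POLICY.decide(req, NOW)

# Inside the subnet, but with a four-hour-old verification and a write the user
# was never granted: the perimeter says yes, the policy says no.
STALE_WRITE = Request("erlend", "10.1.2.3", True, NOW - timedelta(hours=4), "write", "hmi-config")
FRESH_READ = Request("erlend", "10.1.2.3", True, NOW - timedelta(minutes=5), "read", "hmi-config")

if __name__ == "__main__":
    for r in (STALE_WRITE, FRESH_READ):
        print(r.action, r.resource, compare(r))
```

    Revoking a user is a one-line change to the policy, not a change to the perimeter; the same request from outside the subnet is judged on identical criteria.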

  • It Is Time to Rethink the Role of the Network

    Organizations must stop viewing the IT network as a purely technical asset. It has become far more strategic than that.

    For many years, the campus network has been the responsibility of the IT department. Something to be planned, operated, and renewed alongside the rest of the technical infrastructure. It was procured in much the same way as parts of a building: as an investment in something physical and measurable.

    The world around us has changed faster than the infrastructure beneath us. New demands for security, flexibility, and digital collaboration mean that the network is no longer just about capacity and ports. It is about governance, risk, and the ability to change safely.

    A shift in mindset

    For large organizations and corporations, municipalities, agencies, and ministries, this represents a fundamental shift. The network must move from being a technical asset to becoming a strategic platform. That requires a new understanding of ownership and responsibility.

    The physical network should be treated as part of the building itself. It is infrastructure that belongs there, in the same way as ventilation and electrical systems.

    What does not belong to the building, however, are the services that depend on the network. Security, visibility, identity, and other digital control mechanisms are part of the organization’s own platform. They move with the organization and must be renewed and governed independently of which equipment happens to be installed in a rack, or whether the organization relocates to another building.

    We must therefore stop tying functionality and security to physical devices in technical rooms, and instead elevate them into services that can be consumed regardless of where the organization operates.

    Many organizations are currently in the middle of this transition. They are moving from owning boxes to managing capabilities, from thinking in terms of physical operations to thinking in terms of digital service flows.

    From infrastructure to governance

    When networking is delivered as a service (Network as a Service), the governance model also changes. We move from acquisition and lifecycle management to consumption and control. From local decisions to shared principles. From purchasing features embedded in hardware to purchasing measurable outcomes such as availability, capacity, security, and compliance.

    This is not about technology. It is about organizational maturity and the ability to combine stable operations with continuous innovation.

    Zero Trust as a governance philosophy

    The same applies to security. Zero Trust is not a product, but a principle: never trust, always verify.

    When an organization adopts this principle as a part of its governance model, the discussion is no longer about where the firewall is placed, but about how trust, responsibility, and decision authority are defined across the entire organization.

    The network then becomes more than a technical structure. It becomes part of how the organization understands and manages risk; it becomes part of the governance system, alongside finance, quality, and sustainability.

    Sustainability and responsibility

    The physical infrastructure is also part of the sustainability equation. New requirements for security and functionality often lead to hardware being replaced long before it is worn out. Not because it is broken, but because it no longer supports the next version of a service.

    Standardizing, reusing, and extending the lifespan of equipment is therefore not only technically sound, but also an important element of an organization’s environmental strategy. When intelligence and control are moved up into the service layer, the underlying infrastructure can be simpler, more energy-efficient, and last longer. That is both sound economics and responsible resource management.

    The road ahead

    For many organizations, this represents a genuine shift in thinking. From buying technology to buying capacity, control, and assurance. From projects to platforms. From counting ports to measuring compliance, availability, and sustainability.

    When governance, security, and sustainability converge, the result is not a technology project, but a strategic change in how organizations build, own, and protect their digital assets.

    Technology evolves rapidly. Maturity is not about chasing it, but about knowing what should remain stable and what must be allowed to move forward. The physical network should be the first thing to remain stable. Everything else can—and should—be built on top of it, without unnecessary constraints.

    First posted, in Norwegian, at ComputerWorld.