The strategy around Zero Trust is as simple as: don’t trust anyone. This is best explained by removing the distinction between on-premises and cloud, internal and external.
All organisations focus on defending their perimeters while assuming, sometimes, that everything inside doesn’t pose a threat and is cleared for access. This approach isn’t working and, in our opinion, never worked. It is just one more thing that goes into the realm of security by obscurity.
Most attacks happened not immediately after the perimeter was breached, but because the attackers were able to move through internal systems without much resistance.
We should consider our internal networks part of the public network, only faster. This means: don’t allow access to services, information or servers until you know who the user is and whether they are authorised, no matter where they came from.
Enforcement is the word here, and it should be applied to all users, devices, applications, data sources and communication traffic between them, regardless of their location.
Also remember: information should be intrinsically secure, whether it is “inside or outside” our organisation.
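The access rule described above, as an added example that is not part of the original text: the same four requests are evaluated by a perimeter check (trust the internal range) and by a Zero Trust check (verify identity and authorisation, ignore source address). The signing key, network range, users, services and token format are all constructed assumptions; the HMAC token stands in for whatever identity provider is actually used.

```python
import hashlib
import hmac
import ipaddress

# All names and values below are constructed for illustration.
SIGNING_KEY = b"demo-key-not-for-production"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Per-user grants: who may reach which service.
GRANTS = {"alice": {"payroll-db"}, "bob": {"wiki"}}


def issue_token(user: str) -> str:
    """Stand-in for an identity provider: user name plus an HMAC tag."""
    tag = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verified_user(token):
    """Return the user name if the token's tag checks out, else None."""
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag.encode(), expected.encode()) else None


def perimeter_allows(src_ip: str, token, service: str) -> bool:
    """Perimeter model: anything from the internal range is trusted."""
    return ipaddress.ip_address(src_ip) in INTERNAL_NET


def zero_trust_allows(src_ip: str, token, service: str) -> bool:
    """Zero Trust model: source address is ignored; identity and grant decide."""
    user = verified_user(token)
    return user is not None and service in GRANTS.get(user, set())


def compare(requests):
    """Return (perimeter, zero_trust) decisions for each request."""
    return [(perimeter_allows(*r), zero_trust_allows(*r)) for r in requests]


# Constructed requests: (source IP, token, requested service)
REQUESTS = [
    ("10.1.2.3", None, "payroll-db"),                     # internal, no identity
    ("10.1.2.3", issue_token("bob"), "payroll-db"),       # internal, not authorised
    ("203.0.113.7", issue_token("alice"), "payroll-db"),  # external, authorised
    ("10.1.2.3", "alice.forgedtag", "payroll-db"),        # internal, forged token
]
```

The perimeter check admits every request from the internal range, including the one with no identity at all, while the Zero Trust check admits only the authenticated and authorised user, who happens to be outside.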