Zero Trust Security: The Fall of Constantinople !?

Disclaimer: This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated.

On 29 May 1453 the city of Constantinople fell to the Ottoman army after a 53-day siege, practically leading to the defeat of the Byzantine empire and consequently the end of the Roman empire that had ruled vast parts of Europe for the past 1,500 years. The Ottoman army was commanded by 21-year-old Sultan Mehmed, later named “The Conqueror”.


The city of Constantinople had been very well known for its unique defences, such as its infamous, impenetrable, high, thick, multi-gated walls with an enclosed moat protecting its Golden Horn water section, which shielded the city for hundreds of years against numerous major attacks from Sassanians, Rus, Arabs, and Bulgars, both from land and from sea.


The 21-year-old Sultan, faced with a defence system that had proven successful for hundreds of years, had to think outside the box to achieve what most thought was unachievable: breaking down the defences of the walls of Constantinople. The Sultan took a chance on Orban, a Hungarian engineer who pitched an idea of super cannons that could blast the walls of Babylon itself. Orban was given unlimited resources by the Sultan and was finally able to deliver three functional super cannons, the like of which the world had never seen before, let alone the defenders of Constantinople.


Although the super cannons were able to blast through the impenetrable walls of Constantinople for the first time in history, even that was not enough to defeat the Byzantines. The Sultan had to improvise again, and this time took on the unimaginable task of towing all the battleships over land through Galata using greased logs (the first time this was done at this scale, magnitude, stealth, and distance). He was thus able to surprise the defenders from behind and break the protection chain for the Golden Horn, which eventually led to the fall of the city from both land and sea, and moreover to the Ottomans' lateral movement towards southern Europe and the conquest of what was then called the Balkan Peninsula.


A 21-year-old boy with vast resources was able to achieve what many with the same resources had not been able to do before him, by creating new technology and by utilizing existing technology in an ingenious, undetectable, stealthy and innovative manner, defeating top-notch, proven defences that had lasted hundreds of years and withstood hundreds of attacks. This breakthrough allowed the young boy to move further into new territory, eventually conquering more land and expanding the kingdom.

The dilemma facing defensive security is simple: entities need to effectively protect all their assets, while an adversary needs to compromise only one. A single compromised asset can cause the whole protection chain to fall apart, while an attack chain can fail again and again at different stages without significant damage, especially when attackers have immense resources at their disposal. The fall of Constantinople marked a pivotal turning point in history for physical defensive war tactics: the castle-and-moat approach was deemed ineffective, or at least vulnerable, which eventually led to new defensive tactics, techniques, and procedures (TTP).


Cyber Security is now at a historical pivotal turning point in which legacy castle-and-moat approaches have been proven ineffective. The grand walls of the castle and the deep-water barriers of the moat are now easily exploitable, requiring minimal resources and readily available technologies. Strangely enough, we rarely learn from our own mistakes and history tends to repeat itself, to the extent that even with our grand technological advancements, we just kept building higher, thicker walls and deeper moats in the form of bolt-on features to existing legacy technologies rather than innovating an entirely new approach to defensive Cyber Security.


Every hacker or wanna-be script kiddie is a Sultan nowadays, with a trove of resources readily available online for the taking with just a bit of effort. Our problem is that there are hundreds of thousands of those, let alone ones backed by a state. If a 17-year-old can hack the Twitter accounts of the most influential worldwide leaders to post a bitcoin scam that made him a petty $100,000, then imagine what a small group of 17-year-old nerds can do to your organisation. Thousands of developers and hackers working hand in hand on a supply chain attack that rendered the best security minds, companies, and governments defenceless and ignorant for months would shatter your defence-in-depth layers in nanoseconds.

This is the never-ending, ever-changing story of Security in a nutshell!!!

It’s time for a completely new way of thinking about defensive cyber security, one that acknowledges the shortcomings of existing core technology and clearly announces the death of the legacy medieval approach. One that innovates a unique approach that includes an entirely new security model and new technology to cope with that model. The new security model to be adopted is Zero Trust and the new technology to power it is AI, not bolted onto existing, outdated legacy technology but engineered from the ground up.