Even the DoD Knows the Perimeter is Dead
“There is no such thing as a secure system.”
—Lisa Porter, Former Deputy Undersecretary of Defense for Research and Engineering
The U.S. Department of Defense openly admits it no longer trusts its own networks.
For years, the Department of Defense was concerned that its networks had already been compromised. Following the 2024 Salt Typhoon breach, which compromised a U.S. state’s National Guard network and exposed sensitive data, including administrator credentials and key infrastructure designs, cybersecurity experts no longer simply suggest Zero Trust. They act as if a compromise has already occurred.
While Lisa Porter, former Deputy Undersecretary of Defense for Research and Engineering, pointed to this mindset in 2019, the most recent breach has made it clear: U.S. forces must now expect a constant adversary presence throughout their networks. This shift reinforces the long-term trend away from perimeter-based defense toward proactive management and fast response.
This isn’t a bureaucratic overreaction or a drill for the worst-case scenario. Perimeter-based security is no longer adequate, a fact that specific sectors, notably the public sector, are now starting to acknowledge.
For years, companies spent a lot of effort and money “securing the edge,” thinking they could keep attackers out if they built strong enough walls: VPNs, firewalls, and NAC. Rather than launching noisy, visible attacks, threat actors quietly exploit weaknesses in trusted devices, reused credentials, and unmonitored access points.
Assume Breach is No Longer Optional
Assume Breach is a security principle that questions whether you can trust any system, device, or user by default. It starts with a simple but important assumption: your environment is already unsafe or will be soon.
This viewpoint opposes security systems that focus solely on prevention or perimeter defenses. Instead, it redirects its attention to confinement, visibility, and ongoing validation. Assume Breach implies building your networks, systems, and access restrictions so that you think attackers are already inside.
Threats today don’t wait for your next compliance check. Attackers routinely get around static security controls by using stolen credentials, compromised software dependencies, unmanaged shadow IT, and lateral movement techniques.
Trusting a device because it sits on the right VLAN or passed a compliance check yesterday is insufficient. You need to verify continuously that it still meets your security requirements.
That means asking:
- Has the version of the OS changed without warning?
- Is the device still part of your MDM?
- Have the EDR platforms flagged the device?
- Is the way the user acts in line with how they usually act?
If any of these changes happen, access should be instantly revoked – no tickets, no manual checks.
Any of these might be a warning sign. On its own, one signal might not indicate a breach, but taken together they determine how much trust a device or identity should be granted at any given moment.
Assume Breach doesn’t imply giving up on prevention; it means making systems that expect failure and keep the damage to a minimum.
It drives security teams to invest in:
- Segmentation and fine-grained access control
- High-quality logging and telemetry
- Automatic detection and reaction
- Threat hunting and anomaly detection
Ultimately, Assume Breach is about moving from reactive security to proactive defense. If your company still relies on perimeter rules or implicit trust, the question is not whether the trust will be violated but when.
Why Should This Concern Every Organization?
Because no organization, government or private, is immune to compromise.
The rise of BYOD, remote work, and using cloud services has transformed internal networks into a new attack avenue. It’s no longer just governments or high-value targets at risk; every organization today functions in a setting where breaches are unavoidable.
Relying on firewalls or VPNs to keep risks out is not an option. The challenge of the moment is to prevent breaches, constantly check device and user trust, and respond in real time. This transformation requires all organizations, regardless of their industry or size, to reconsider how access decisions are made and how quickly malicious activity can be detected and isolated before it spreads.
For organizations, this means removing static controls and moving toward dynamic, real-time models of trust, where access is consistently earned and not given out permanently.
The same concerns that prompted the government to embrace an assume breach mentality – remote access, insider threats, and complex IT environments – are present in every organization:
- Hybrid work and mobile devices allow users to access systems outside the network.
- SaaS and cloud services have supplanted on-premises applications and tightly managed settings.
- Supply chains and open APIs expose third-party vulnerabilities.
- Identities exist across platforms, and a single compromised login might expose several services.
In these circumstances, depending on static controls like IP ranges, VPN access, or periodic compliance scans is outdated and risky. The longer trust is implicit, the longer an intrusion may go undetected.
What Real Security Looks Like Now: Device Trust
Trust cannot be based on a login or IP address range in today’s dispersed contexts. It must extend to the device itself, and this trust must be earned rather than assumed.
Device Trust uses many levels of verification to guarantee that only secure, authorized devices may access company resources. This often entails integrating with an MDM solution like Intune or Jamf to enforce and monitor security policies, as well as the use of digital certificates that are unique to each device and resistant to theft or reuse. Real-time posture checks, such as device encryption status, OS version, and MDM enrollment, strengthen the trust model.
Before granting access, the system determines whether the device is still registered in the MDM, whether its operating system and security tools are up to date, and whether its certificate matches the expected identity. It also looks for changes in the device’s risk posture since the previous access attempt. These validations occur in real time and ensure that compromised or unmanaged devices cannot access sensitive systems, even if valid user credentials are presented.
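The following is an added example, not SecureW2’s code or product logic, showing how the continuous checks listed earlier (OS version, MDM enrollment, EDR flags, user behaviour) and the device-trust validation just described can be combined into one access decision that is re-run on every request and revokes the session the moment a check fails. The policy constants, the device records, the certificate fingerprints and the MDM/EDR/behaviour-analytics values are all constructed for illustration; a real gateway would pull them from its MDM, EDR and identity provider.

```python
from dataclasses import dataclass, fields, replace
from typing import Dict, List, NamedTuple, Tuple

# Assumed policy values; a real deployment would source these from MDM, EDR and IdP policy.
MIN_OS_VERSION = {"macOS": (14, 0), "Windows": (10, 0, 19045)}
MAX_BEHAVIOR_ANOMALY = 0.7  # 0.0 = typical for this user, 1.0 = highly unusual


@dataclass(frozen=True)
class Posture:
    """Signals gathered at the moment of an access request (all fields are constructed)."""
    device_id: str
    cert_fingerprint: str            # hex SHA-256 of the client certificate presented at TLS
    os_family: str
    os_version: Tuple[int, ...]      # version the device itself reports
    mdm_os_version: Tuple[int, ...]  # version the MDM has on record for the device
    mdm_enrolled: bool
    disk_encrypted: bool
    edr_flagged: bool
    behavior_anomaly: float          # score from a behaviour-analytics feed (assumed)


class Decision(NamedTuple):
    allowed: bool
    reasons: List[str]  # failed checks, empty when allowed
    drift: List[str]    # posture fields that changed since the previous attempt


class TrustGateway:
    """Re-evaluates device trust on every request; any failed check revokes the session."""

    def __init__(self, enrolled_certs: Dict[str, str]):
        self.enrolled_certs = enrolled_certs     # device_id -> fingerprint issued at enrollment
        self.last_seen: Dict[str, Posture] = {}  # posture from the previous attempt
        self.sessions: Dict[str, bool] = {}      # device_id -> session currently active

    def failed_checks(self, p: Posture) -> List[str]:
        reasons: List[str] = []
        if self.enrolled_certs.get(p.device_id) != p.cert_fingerprint:
            reasons.append("certificate does not match enrolled identity")
        if not p.mdm_enrolled:
            reasons.append("device no longer enrolled in MDM")
        if p.os_family not in MIN_OS_VERSION:
            reasons.append("unsupported OS family")
        elif p.os_version < MIN_OS_VERSION[p.os_family]:
            reasons.append("OS version below minimum")
        if p.os_version != p.mdm_os_version:
            # The device reports a version the MDM never pushed: an unexplained change.
            reasons.append("OS version changed without MDM record")
        if not p.disk_encrypted:
            reasons.append("disk encryption disabled")
        if p.edr_flagged:
            reasons.append("EDR has flagged the device")
        if p.behavior_anomaly > MAX_BEHAVIOR_ANOMALY:
            reasons.append("user behaviour deviates from baseline")
        return reasons

    def authorize(self, p: Posture) -> Decision:
        prev = self.last_seen.get(p.device_id)
        # Record which posture fields moved since the last attempt, whatever the outcome.
        drift = [] if prev is None else [
            f.name for f in fields(Posture) if getattr(prev, f.name) != getattr(p, f.name)
        ]
        self.last_seen[p.device_id] = p
        reasons = self.failed_checks(p)
        # No ticket, no manual step: a failed check closes the session immediately.
        self.sessions[p.device_id] = not reasons
        return Decision(not reasons, reasons, drift)


def run_scenario():
    """Constructed walk-through: a healthy laptop, the same laptop after EDR flags it,
    then a device presenting a certificate that was never enrolled."""
    gw = TrustGateway({"mbp-0142": "3f9a...placeholder-fingerprint"})
    healthy = Posture("mbp-0142", "3f9a...placeholder-fingerprint", "macOS", (14, 5), (14, 5),
                      mdm_enrolled=True, disk_encrypted=True, edr_flagged=False,
                      behavior_anomaly=0.1)
    flagged = replace(healthy, edr_flagged=True)
    stranger = replace(healthy, device_id="unknown-77", cert_fingerprint="deadbeef")
    decisions = {
        "healthy": gw.authorize(healthy),
        "flagged": gw.authorize(flagged),
        "stranger": gw.authorize(stranger),
    }
    return decisions, dict(gw.sessions)


if __name__ == "__main__":
    decisions, sessions = run_scenario()
    for name, d in decisions.items():
        print(f"{name}: allowed={d.allowed} reasons={d.reasons} drift={d.drift}")
    print("active sessions:", sessions)
```

The design point is that the gateway keeps no long-lived trust: every request is judged on the posture presented right then, the previous posture is kept only to report drift, and a single failed check flips the session flag to inactive in the same call that evaluated it.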
This approach to trust has three significant benefits. First, it secures business-critical apps and data by limiting access to compliant devices. Second, it supports compliance with GDPR, HIPAA, and PCI-DSS requirements. Finally, it lowers overall risk by authenticating both the user and the device at the point of access, thereby reducing the attack surface across the environment.
Trust Must Be Earned, Continuously
The most secure networks no longer trust and forget. They validate continuously.
If you still use passwords or do periodic posture checks, you are not just out of date, but also vulnerable. Risks are now within the perimeter, waiting for old trust concepts to fall apart.
SecureW2 replaces static trust with live, certificate-backed decisions based on real-time identification, device health, and risk indicators.
If something changes, access is denied. Automatically.
Contact us for more info.