What Zombie Movies Teach Us About Zero Trust Security
May 21, 2025


At FRC, we’ve curated best-of-breed technologies to help the public sector achieve a Zero Trust security posture. I’m always searching for ways to translate complex principles of Zero Trust to our stakeholders, and I came across a blog from 2021 by James Stanger, Chief Technology Evangelist at CompTIA. James offered zombie movies as an analogy for understanding Zero Trust. I loved this and wanted to flesh (no pun intended) it out further 😊

It’s not a stretch to say that the survival tactics seen in zombie movies have some surprising parallels with the cybersecurity strategy known as Zero Trust. While one involves the flesh-eating living dead and the other protects digital assets, the underlying premise of distrust and constant verification is remarkably similar.

In the typical zombie movie, the world order has collapsed. The old rules don’t apply. The biggest mistake survivors make? Trusting the old assumptions. They trust that the walls will hold, that someone looks uninfected, or that a cleared building stays cleared. This misplaced trust often leads to disastrous consequences (usually involving someone getting bitten). 

Sound familiar? In the world of cybersecurity, relying on the old approach is becoming just as dangerous.  

Let’s break down how the fight for survival in a zombie apocalypse mirrors core features of Zero Trust: 

1. The Perimeter Has Fallen (Assume Breach) 

Zombie Movie: The fences are down, the mall doors are breached, the safe zone is compromised. Survivors quickly learn they can’t rely only on outer defenses. The threat could be anywhere, even within their own group. 

Zero Trust: This model starts with the assumption that the network perimeter has already been breached or that a breach is inevitable. This proactive, somewhat pessimistic stance fundamentally changes security design. Instead of focusing solely on preventing initial intrusion at the perimeter, the emphasis shifts to implementing robust security controls within the network to detect, contain, and mitigate threats that may already be inside. Don’t assume safety just because someone is “inside.”

2. “Are You Bitten?” (Never Trust, Always Verify) 

Zombie Movie: The most tense scenes often involve verifying if someone is infected. A hidden bite can turn an ally into a deadly threat. Survivors must constantly verify the status of others before granting trust or access to safe areas. Trust is earned, moment by moment, not assumed (not implicit). 

Zero Trust: Every single user, device, application, and data flow attempting to access resources must be treated as potentially hostile and must undergo verification and authorization before access is granted. Past access doesn’t guarantee future access. Strong multi-factor authentication (MFA) and device health checks become the digital equivalent of checking for bite marks. Authorization is not a one-time event; it is dynamic and re-evaluated continuously based on policy and context. 

3. Securing the Safe Room (Micro-segmentation) 

Zombie Movie: Survivors don’t just lock the front door; they barricade individual rooms or sections. If one area is breached (a zombie gets into the cafeteria), it doesn’t mean the armory or sleeping quarters are automatically compromised. Access is compartmentalized. 

Zero Trust: This involves breaking the network into smaller, isolated zones or segments (micro-segmentation). If one segment is compromised, the breach is contained and cannot easily spread laterally across the entire network. Access between segments is strictly controlled based on verification. 

4. Need-to-Know Access (Least Privilege Access) 

Zombie Movie: Not everyone gets the keys to the armory or the pantry. Access to critical resources (ammo, food, fuel, medicine) is granted only to those who absolutely need it, for the duration that they need it. Giving everyone free run of the base is asking for trouble. 

Zero Trust: Users, devices, and applications are only granted the minimum level of access (privileges) necessary to perform their specific tasks. Access should be granular, context-aware, and often time-bound (referred to as Just-in-Time or Just-Enough Access). This minimizes the potential damage if an account or device is compromised. If a zombie (compromised account) only has access to the library, and only for a short amount of time, it can’t suddenly access the nuclear launch codes.

5. Constant Vigilance (Continuous Monitoring & Analytics) 

Zombie Movie: Survival depends on staying alert. Listening for moans, watching the perimeter, keeping track of supplies and personnel. Any anomaly could signal imminent danger. 

Zero Trust: Security isn’t a one-time check. Zero Trust architectures rely on continuous monitoring of network traffic, user behavior, and device health. A user or device isn’t granted persistent trust after an initial login; their identity, device posture, and other contextual factors are re-evaluated dynamically before each resource access, often on a per-session basis. Advanced analytics detect anomalies and potential threats in real-time, allowing for swift responses – like automatically revoking access if suspicious activity is detected. 
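
To make points 2 through 5 concrete, here is a small per-request policy check, added as an illustration; it is not FRC's code or any product's API. The segment names, resources, the 900-second MFA window, and all function names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:                      # just-in-time grant for one resource
    resource: str
    expires_at: float             # epoch seconds

@dataclass
class Subject:
    user: str
    segment: str                  # segment the request originates from
    mfa_at: float                 # time of last successful MFA
    device_healthy: bool          # latest device posture result
    grants: list = field(default_factory=list)
    revoked: bool = False         # set by monitoring on suspicious activity

# Constructed policy data (assumptions, not from the article).
RESOURCE_SEGMENT = {"patient-db": "records", "key-vault": "armory"}
SEGMENT_RULES = {("clinic", "records"), ("admin", "records"), ("admin", "armory")}
MFA_MAX_AGE = 900                 # seconds before MFA must be repeated

def decide(subject, resource, now):
    """Evaluate a single request; earlier allows carry no weight."""
    if subject.revoked:
        return (False, "access revoked")
    if now - subject.mfa_at > MFA_MAX_AGE:
        return (False, "mfa stale")
    if not subject.device_healthy:
        return (False, "device unhealthy")
    # Micro-segmentation: unknown resources and unlisted paths are denied.
    if (subject.segment, RESOURCE_SEGMENT.get(resource)) not in SEGMENT_RULES:
        return (False, "segment denied")
    # Least privilege: an unexpired grant for this exact resource is required.
    if not any(g.resource == resource and g.expires_at > now for g in subject.grants):
        return (False, "no active grant")
    return (True, "allow")

def report_anomaly(subject):
    """Monitoring hook: revoke access as soon as an anomaly is flagged."""
    subject.revoked = True

if __name__ == "__main__":
    alice = Subject("alice", "clinic", mfa_at=1000.0, device_healthy=True,
                    grants=[Grant("patient-db", expires_at=1600.0)])
    for res, t in [("patient-db", 1100.0), ("key-vault", 1100.0), ("patient-db", 1700.0)]:
        print(res, t, decide(alice, res, t))
    report_anomaly(alice)
    print(decide(alice, "patient-db", 1100.0))
```

The same subject is allowed at one moment and denied the next because the grant expired, the MFA aged out, or monitoring flagged the session; no decision is cached.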

Why This Matters 

While the comparison is a bit grim (and, hopefully, humorous), it highlights a crucial shift in mindset. In today’s digital landscape – with remote work, cloud services, and sophisticated attackers – assuming trust based on network location is no longer viable. Like survivors in a zombie apocalypse, organizations need to operate under the assumption that threats can come from anywhere and anyone, at any time.

Adopting a Zero Trust approach means moving away from outdated assumptions and embracing a strategy of continuous verification, strict access control, and proactive monitoring. It’s not just about building higher walls; it’s about ensuring that even if (or when) the perimeter is breached, the critical assets inside remain secure. 

So, next time you’re watching a zombie movie and the survivors suspiciously eye their companions, remember – they’re just practicing good Zero Trust principles!  

Federal Resources Corporation (FRC) 

FRC has curated a collection of best-of-breed technologies to help organizations implement a Zero Trust architecture. For our customers that have already made investments in other technologies, we help them understand and enhance their posture by optimizing those investments. Contact us today to discuss your Zero Trust strategy.

Author:

Chris Zeiders
czeiders@fedresources.com
VP Technology
Federal Resources Corporation
