
Zero Trust and Firewalls: The Key to Preventing Insider Threats

Firewalls help detect and prevent insider security risks.

Understanding Insider Threats and the Role of Firewalls in Zero Trust Security

Sitting here on the morning of the 15th with my third coffee kicking in, still buzzed from DefCon's hardware hacking village, and thinking about something that has been on my mind for the past month: insider threats. That's right, those pesky threats that occur inside your own walls, sometimes sliding right past your perimeter defenses. I started as a network admin in the early '90s, administering PSTN voice/data muxes and watching the Slammer worm take down half the internet, and I've learned that firewalls are no longer just a perimeter tool. Inside a Zero Trust security model, they become a first line of defense within your organization.

Insider Threat Risks

So here's the thing: insider threats are not just about malicious actors. They also come from careless employees, contractors, even third-party vendors. But many continue to downplay this risk. A theme that kept coming up when I assisted three banks with recent Zero Trust architecture upgrades: traditional firewalls were designed on the assumption that "trusted" internal traffic was safe. Spoiler alert: it isn't.

The trouble is, most companies have become too dependent on that perimeter. If you've been thinking of a firewall as just a gatekeeper at the edge of your network, you're wrong, and you'll be in trouble when you get attacked. Implicit trust is the enemy here. That is why Zero Trust isn't simply a buzzword; it's a matter of survival.

Your intranet is not a safe place. Reckless or malicious, an employee with high-level access could read sensitive data, move laterally through your systems, or exfiltrate sensitive data without triggering any alarms. This is where firewalls have to work beyond the perimeter.

Monitoring Internal Traffic

Consider your network a city. In the '90s we had a moat and big walls, and we assumed everybody inside the walls was a neighbor we wanted. Now? Within those city limits you need traffic cops, cameras and checkpoints, monitoring EVERY street and alleyway. Firewalls are no longer just border guards; they have become traffic managers that monitor internal flows as well.

Firewall monitoring can uncover anomalies in internal communication, such as unauthorized database queries and lateral moves between workstations, that could signal a breach. With Zero Trust in place, that monitoring covers:

  • East-West traffic, not just North-South
  • Firewall rules between internal subnets, not only at the edge
  • Real-time detection and alerting on suspicious activity, with the underlying flows logged so they can be investigated

Without visibility in this arena, you're flying blind. And believe me, I've been bitten myself by neglecting internal traffic monitoring; it left us very, very vulnerable.
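To make the east-west point concrete, here is an added example (not code from this post or from P J Networks) that runs three lateral-movement checks over accepted internal flow records. The log lines are constructed in a vendor-neutral key=value form, and the tier subnets (user workstations, app tier, database tier) and port lists are assumptions:

```python
"""Spotting lateral movement in east-west flow logs.

Added example; not code from the post or from P J Networks. The log lines
are constructed in a vendor-neutral key=value form, and the subnets of each
tier (user workstations, app tier, database tier) are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing per tier (constructed).
USERS = ip_network("10.10.0.0/16")
APP = ip_network("10.20.0.0/24")
DB = ip_network("10.30.0.0/24")

LATERAL_PORTS = {22, 445, 3389, 5985}   # SSH, SMB, RDP, WinRM
DB_PORTS = {5432, 3306, 1433}
FANOUT_THRESHOLD = 3   # distinct peers on lateral ports from one source

# Constructed flow records (not a real export). Every line is traffic the
# firewall *accepted*, which is the point: accepted east-west traffic still
# has to be looked at.
SAMPLE_LOG = """\
ts=2024-05-15T09:12:01 src=10.10.4.21 dst=10.20.0.4 dport=8443 proto=tcp action=accept
ts=2024-05-15T09:12:07 src=10.20.0.4 dst=10.30.0.10 dport=5432 proto=tcp action=accept
ts=2024-05-15T09:13:40 src=10.10.4.21 dst=10.10.4.33 dport=445 proto=tcp action=accept
ts=2024-05-15T09:13:41 src=10.10.4.21 dst=10.10.4.34 dport=445 proto=tcp action=accept
ts=2024-05-15T09:14:02 src=10.10.4.21 dst=10.30.0.10 dport=5432 proto=tcp action=accept
ts=2024-05-15T09:15:10 src=10.10.4.21 dst=10.10.4.50 dport=3389 proto=tcp action=accept
ts=2024-05-15T09:16:00 src=10.99.0.5 dst=10.30.0.10 dport=22 proto=tcp action=accept
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value line into a dict; dport becomes an int."""
    rec = dict(KV.findall(line))
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text):
    """Return a list of findings over east-west flows. Three checks:
    1. peer_lateral    : workstation-to-workstation admin/file-sharing ports
    2. db_from_non_app : database ports reached from anything but the app tier
    3. fan_out         : one source touching many peers on lateral ports
    """
    findings = []
    lateral_peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        src, dst, dport = ip_address(r["src"]), ip_address(r["dst"]), r["dport"]
        if src in USERS and dst in USERS and dport in LATERAL_PORTS:
            findings.append({"kind": "peer_lateral", "src": r["src"],
                             "dst": r["dst"], "dport": dport})
        if dst in DB and dport in DB_PORTS and src not in APP:
            findings.append({"kind": "db_from_non_app", "src": r["src"],
                             "dst": r["dst"], "dport": dport})
        if dport in LATERAL_PORTS:
            lateral_peers[r["src"]].add(r["dst"])
    for src, peers in lateral_peers.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append({"kind": "fan_out", "src": src, "peers": len(peers)})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'peer_lateral': 3, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the constructed sample, one workstation (10.10.4.21) trips all three checks: SMB and RDP to three peers, plus a direct hit on the database port from outside the app tier. The management host talking SSH to the database server is not flagged, because the check is about who reaches the database *service*, not every packet into that subnet. Tune the port lists and thresholds to your own tiers; the structure is what matters.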

Role-Based Access Control

OK, so here's where things start to get actually interesting, and maybe a bit controversial. Role-Based Access Control (RBAC) is widely regarded as the panacea for mitigating insider vulnerabilities. But in my experience, companies tend to treat it as a checkbox. "Yes, we implemented RBAC." But do they actually enforce it? Or do they get lazy about keeping permissions narrow?

There was one bank in particular I remember where an admin had access to everything, no segmentation, and there was a small but preventable data breach. RBAC policies must be granular and kept current, in line with the Zero Trust "never trust, always verify" philosophy.

Firewalls help enforce RBAC principles by limiting access at the network level:

  • Blocking protocols or ports that a user's role does not need
  • Restricting privileged users to exactly what their role requires
  • Integrating with multi-factor authentication so that network access is tied to a verified identity, not just a source IP

Here's the deal: RBAC with no enforcement at your firewall layer is nothing more than wishful thinking. Your user permissions need a network-level counterpart, or you're handing insiders the keys to the castle.

Network Segmentation

If I had a rupee for every company still running a flat network in 2024, I'd be retired in Goa by now. But in all seriousness, network segmentation is the heart of Zero Trust, and it's where firewall tactics get to shine.

Divide your network as if you were cutting a pizza. Each slice is isolated, which limits how far an intruder (or a piece of malware) can wander once inside. Don't expect the firewall at the border to contain something that is already inside; it won't.

Good segmentation means:

  • Defining trust zones (DMZ, internal, restricted)
  • Employing firewalls with restrictive inter-zone controls
  • Enforcing fine-grained inter-segment policies to restrict lateral movement

As I upgraded those banks, the most significant improvement came when internal firewalls were erected between business units. Suddenly, even if one zone had been compromised, the attacker had nowhere to go. It's the difference between a single gate and a full security checkpoint at every door.
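The RBAC list above and the segmentation points in this section describe one mechanism from two angles: an explicit allow list between zones, with some rules additionally keyed on the user's role, and everything else denied. The following is an added example that models that policy and lets you measure the blast radius of a compromised zone. It is a model written for this page, not FortiOS configuration and not P J Networks code; the zone names, subnets, roles and rules are constructed:

```python
"""Trust zones + role-aware inter-zone policy with default deny.

Added example illustrating RBAC at the network layer and segmentation.
It is a model, not FortiOS configuration and not P J Networks code.
Zone names, subnets, roles and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence, Tuple

# Trust zones as sets of subnets (constructed addressing).
ZONES = {
    "dmz":   [ip_network("203.0.113.0/24")],
    "users": [ip_network("10.10.0.0/16")],
    "app":   [ip_network("10.20.0.0/24")],
    "db":    [ip_network("10.30.0.0/24")],
    "mgmt":  [ip_network("10.99.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    roles: Optional[FrozenSet[str]] = None  # None: any source in the zone


# The complete allow list. Anything not listed is denied, including
# traffic between two hosts in the same zone.
RULES = [
    Rule("dmz",   "app",  8443),
    Rule("app",   "db",   5432),
    Rule("users", "app",  8443),
    Rule("users", "db",   5432, frozenset({"dba"})),
    Rule("users", "mgmt", 22,   frozenset({"netadmin"})),
    Rule("mgmt",  "db",   22,   frozenset({"dba", "netadmin"})),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return None


def evaluate(src: str, dst: str, dport: int,
             roles: Sequence[str] = ()) -> Tuple[str, str]:
    """Decide one flow. `roles` is what the identity layer (SSO/MFA) tells
    the firewall about the user behind `src`; empty means unknown."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "address outside any defined zone"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.dport) != (sz, dz, dport):
            continue
        if r.roles is None:
            return "allow", f"{sz}->{dz}:{dport}"
        hit = r.roles & set(roles)
        if hit:
            return "allow", f"{sz}->{dz}:{dport} via role {sorted(hit)[0]}"
        return "deny", f"{sz}->{dz}:{dport} needs one of {sorted(r.roles)}"
    return "deny", f"no rule for {sz}->{dz}:{dport}"


def reachable_from(zone: str, roles: Sequence[str] = ()) -> set:
    """Blast radius: every (zone, port) an attacker holding `zone` (plus any
    stolen `roles`) can reach. On a flat network this would be everything."""
    out = set()
    for r in RULES:
        if r.src_zone == zone and (r.roles is None or r.roles & set(roles)):
            out.add((r.dst_zone, r.dport))
    return out


if __name__ == "__main__":
    print(evaluate("10.10.4.21", "10.30.0.10", 5432))           # deny
    print(evaluate("10.10.4.21", "10.30.0.10", 5432, ["dba"]))  # allow
    print(reachable_from("dmz"))                                 # {('app', 8443)}
```

Two design points worth noticing. First, same-zone traffic is not implicitly trusted: a workstation reaching another workstation on 445 is denied because no rule says otherwise, which is exactly the east-west control the earlier section argues for. Second, `reachable_from` is the question to ask of any segmentation design: if the DMZ falls, the attacker gets one port on the app tier and nothing else; if a DBA's credentials are stolen from a user workstation, the database port opens but the management zone still does not.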

Detecting Anomalous Behavior

Here is where many people become starry-eyed about AI-driven detection systems. I'm skeptical. Now don't get me wrong, I love the potential, but nothing replaces good old context-aware firewall monitoring and hands-on expertise.

Identifying when something is anomalous is difficult. This is not just a matter of noticing the obvious, but of reading the context. For example:

  • Data access at unusual times (odd hours or days for that user)
  • Unusually large or unusually routed outbound traffic from a user's desktop
  • Login attempts from unfamiliar locations or devices
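Each of those signals only means something relative to what is normal for that user, which is why context matters more than any single rule. The following is an added example (not the post's or P J Networks' detection rules) that builds a per-user baseline from a constructed access history and then scores new events on the three signals above. The event fields (user, ts, device, country, bytes_out) stand in for what a firewall log feed joined with SSO data would provide, and the thresholds are assumptions:

```python
"""Per-user behavioural baseline and context-aware anomaly scoring.

Added example; not the post's or P J Networks' detection rules. The access
history and the events scored against it are constructed. Fields
(user, ts, device, country, bytes_out) stand in for what a firewall/SSO
log feed would provide.
"""
from datetime import datetime
from statistics import median


def constructed_history():
    """30 days of one user's routine: same laptop, same country, three
    sessions a day at 09:30, 13:30 and 17:30, ~50 MB outbound each."""
    events = []
    for day in range(1, 31):
        for hour in (9, 13, 17):
            events.append({
                "user": "asha",
                "ts": f"2024-04-{day:02d}T{hour:02d}:30:00",
                "device": "LT-ASHA-01",
                "country": "IN",
                "bytes_out": 50_000_000 + day * 10_000,
            })
    return events


def build_baseline(events):
    """Summarise each user's normal: hours seen, devices, countries, median bytes."""
    by_user = {}
    for e in events:
        b = by_user.setdefault(e["user"], {"hours": set(), "devices": set(),
                                           "countries": set(), "bytes": []})
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        b["devices"].add(e["device"])
        b["countries"].add(e["country"])
        b["bytes"].append(e["bytes_out"])
    for b in by_user.values():
        b["bytes_median"] = median(b["bytes"])
    return by_user


def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)   # 23:00 and 01:00 are two hours apart, not 22


def score(event, baseline, hour_slack=1, bytes_factor=5.0):
    """Return the list of reasons this event looks anomalous (empty = normal).
    Each reason is one piece of context; the combination is what matters."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(event["ts"]).hour
    if all(_hour_distance(hour, h) > hour_slack for h in b["hours"]):
        reasons.append(f"off-hours access at {hour:02d}:00")
    if event["device"] not in b["devices"]:
        reasons.append(f"unfamiliar device {event['device']}")
    if event["country"] not in b["countries"]:
        reasons.append(f"unfamiliar location {event['country']}")
    if event["bytes_out"] > bytes_factor * b["bytes_median"]:
        reasons.append(f"outbound volume {event['bytes_out']} is >{bytes_factor:g}x the median")
    return reasons


# Constructed events to score (not real traffic).
TODAY = [
    {"id": "normal", "user": "asha", "ts": "2024-05-15T10:15:00", "device": "LT-ASHA-01", "country": "IN", "bytes_out": 48_000_000},
    {"id": "night",  "user": "asha", "ts": "2024-05-15T03:10:00", "device": "LT-ASHA-01", "country": "IN", "bytes_out": 40_000_000},
    {"id": "newbox", "user": "asha", "ts": "2024-05-15T12:00:00", "device": "UNKNOWN-7",  "country": "RO", "bytes_out": 45_000_000},
    {"id": "exfil",  "user": "asha", "ts": "2024-05-15T23:50:00", "device": "LT-ASHA-01", "country": "IN", "bytes_out": 2_000_000_000},
    {"id": "nobody", "user": "ghost", "ts": "2024-05-15T11:00:00", "device": "LT-X", "country": "IN", "bytes_out": 1_000},
]


def score_all(events, baseline):
    return {e["id"]: score(e, baseline) for e in events}


if __name__ == "__main__":
    for eid, why in score_all(TODAY, build_baseline(constructed_history())).items():
        print(eid, why or "ok")
```

The interesting outputs are the combinations: a 03:10 session from the usual laptop is one weak signal, a new device from a new country at lunchtime is two, and a late-night session pushing forty times the usual volume from a known device is the one you page someone for. A user with no baseline at all is its own finding rather than a silent pass, since a brand-new identity appearing on the network is exactly what a contractor's or vendor's forgotten account looks like.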

Our firewall tech at P J Networks includes anomaly detection rules that are adjusted by real world experiences (and not just generic algorithms). And these systems play well with SIEMs and user behavior analytics to form a full picture.

The catch: I have met too many organizations chasing shiny new AI offerings without nailing the basics, like firewall monitoring and network segmentation. That's the cart before the horse.

Quick Take

Zero Trust isn't about perimeter defense alone. It's about the threat from within, from people who are already inside your network. Your unsung heroes are firewalls:

  • Observe internal traffic — don’t trust internal by default
  • Enforce Role-Based Access Control at the network tier, not just in the application
  • Divide your network up the way you would a pizza
  • Embrace anomaly detection — but be realistic about AI.

Insider threats are not only real; they’re frequently ignored. As I told those three banks, it’s not about building a higher wall out there; it’s about smarter checkpoints in here.

My Two Cents Because I Can’t Help It

Password policies? Don't get me started. The weakest link, it turns out, is almost never the tech; it's people. Your firewall can block ports and log traffic all day, but if you have someone who clicks on phishing links with abandon or uses Password123, you are already hemorrhaging.

Also: firewalls aren't sexy. They don't have the media buzz of the latest flashy endpoint solutions. But they have evolved a long way since the Slammer worm era, and that evolution is the foundation of any decent security strategy today.

So yeah, if you want to get serious about minimizing the insider threat, these are the first steps to beef up your internal firewalls within a Zero Trust model. It's the kind of work I engage in every day at P J Networks. Your security depends on it.

Stay safe — and, come on, pour yourself a cup of coffee. Man, this isn’t getting any easier.
