The presentation discusses the best places to enforce security policy, whether that's on the endpoint, in the network, or in the cloud, while also exploring where security policy enforcement is headed and how it affects practitioners today. The delegates challenge the traditional default of placing enforcement in the network, but quickly acknowledge its necessity in specific situations. For environments with unmanaged devices, such as universities with student BYOD policies or enterprises with a proliferation of IoT devices like cameras and smart appliances, the network remains the only viable enforcement point. These scenarios highlight that a one-size-fits-all approach is impractical; the correct location for enforcement is heavily dependent on the context of the organization, the users, and the types of devices that need protection. The core challenge is applying effective policy without being able to install an agent or directly manage the endpoint.
As the discussion evolves, it addresses how the very structure of the enterprise network has fundamentally changed. The classic three-tier model of core, distribution, and access has been replaced by a modern equivalent for remote work: the cloud, the internet, and the employee's home. This shift has eliminated the traditional network choke points where security policies were once enforced. In response to this new reality, the conversation shifts to Zero Trust as a necessary paradigm. Rather than defending a perimeter, Zero Trust treats every access request as a distinct transaction. It simplifies security to its core components—a consumer (like a user or service) attempting to access a resource—and mandates authentication for both sides of every interaction. This is a radical departure from simply funneling traffic through a firewall and underscores the need for a new way of thinking about security architecture.
Despite the conceptual advantages, the delegates recognize the immense difficulty of implementing a Zero Trust model in established "brownfield" environments. The primary obstacle is the requirement to understand and map every data flow and application interaction, a task that has historically been nearly impossible. A more pragmatic path forward is to adopt a "protect surface" strategy, applying Zero Trust principles to one critical application or dataset at a time and expanding from there. The roundtable concludes that while emerging technologies like AI may help in mapping these complex environments, they also introduce new risks and regulatory pressures. Ultimately, the key takeaway is that no enforcement strategy—whether it's network-based, endpoint-based, or Zero Trust—can succeed without first achieving a comprehensive and accurate understanding of the environment being protected.
Moderated by Tom Hollingsworth. Recorded live at Security Field Day 14 in Silicon Valley on September 24, 2025. Watch the entire presentation at https://techfieldday.com/appearance/security-field-day-14-delegate-roundtable-discussion/ or visit https://techfieldday.com/event/xfd14/ for more information.