
Physical Security

2/10/2021 01:00 PM

Zero Trust in the Real World

Those who are committed to adopting the concept have the opportunity to make a larger business case for it across the organization, working with executive leaders to implement a zero-trust framework across the entire enterprise.

To date, the zero-trust model has largely been thought of, and implemented as, a technology strategy — one that helps organizations strengthen their cybersecurity posture. This is understandable, as the concept of zero trust is centered around one key theme, never trust, always verify: it places perimeters around data, applications, and networks while allowing those perimeters to be dynamic and fluid based on risk, using an identity- and data-centric approach. However, when one considers the risks of intellectual property loss, reputation damage, theft, etc., that exist outside of the digital realm, zero trust is also a sound approach to protecting the integrity of the entire business.


The reason for this is that physical intruders, insiders, and third parties can lead to many of the same problems that you're trying to prevent in the cyber world: stolen documents, leaked sensitive data, etc. These same threat actors can also use physical tactics to compromise electronic assets — for example, walking around the office looking for Post-it notes with passwords. Consider these other examples:

  • A physical intruder gains unauthorized access to your building by posing as a delivery driver. (Let's face it — none of us bats an eye when a delivery person or a plant-waterer is walking around the office.)

  • A potential "acquirer" holds a meeting with the executive team to see product plans, only to go off and use these plans to build the product themselves.

  • Someone breaks into your office after hours to steal important company files.

  • An executive casually mentions a confidential acquisition to co-workers in the lunchroom without validating that those employees can be trusted with the information.

  • An employee sends a recorded Zoom call to someone outside of the organization for nefarious purposes.

And the list goes on. Put on your "black hat" for a moment and think about all the ways you might unintentionally compromise information in your office — it wouldn't be that hard, right?

This presents an opportunity for CISOs. Those who are committed to adopting zero trust this year have the opportunity to make a larger business case for it across the organization — working with the chief risk officer, chief executive officer (CEO), and other executive leaders to develop and implement a zero-trust framework across the entire enterprise. This will not only strengthen the company's overall security posture, but it will also help CISOs solidify their position in the upper echelons of the business. Case in point: A recent survey by Forrester found that 82% of the 317 global security decision-makers polled said that "they are committed to migrating to a Zero Trust security architecture, and their interest in Zero Trust has elevated the role of CISO to board-level visibility at 49% of organizations."

Zero Trust in the World of Physical Security
For most companies, applying a zero-trust model across physical security strategies is still uncharted territory, and knowing where to start is half the battle. Of course, there are the age-old, general physical security best practices, such as required badge entry, ensuring employees lock their computers anytime they leave their desk, and making sure employees keep passwords in their head rather than on Post-it notes.
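As an added illustration (not from the article or from Optiv), here is one way the "never trust, always verify" rule with risk-based, dynamic perimeters could be written down as a single policy check that covers both the badge-entry practices above and the scenarios in the earlier list (the wandering delivery driver, the after-hours break-in, the unescorted guest). The zones, scores, thresholds and the `Request` fields are assumed values chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: str                    # who is asking (badge holder, visitor, user)
    role: str                       # "employee", "visitor" or "contractor"
    zone: str                       # physical zone (or data class) being entered
    verified: set = field(default_factory=set)  # checks that passed right now
    after_hours: bool = False
    escorted: bool = False

# Baseline risk of each zone; assumed values, higher needs stronger verification.
ZONE_RISK = {"lobby": 1, "open_office": 3, "exec_suite": 6, "server_room": 8}

def risk_score(req: Request) -> tuple:
    """Score a request and record why. Nothing is trusted on role or
    appearance alone; each missing verification adds risk, never removes it."""
    score, reasons = ZONE_RISK[req.zone], []
    if "badge" not in req.verified:
        score += 4
        reasons.append("no badge scan")          # the wandering "delivery driver"
    if "pin" not in req.verified:
        score += 2
        reasons.append("no second factor")
    if req.role != "employee" and not req.escorted:
        score += 5
        reasons.append("unescorted non-employee")
    if req.after_hours:
        score += 3
        reasons.append("after-hours entry")      # the break-in for company files
    return score, reasons

def decide(req: Request) -> str:
    """Map risk to an action: allow, step_up (second factor or escort), or deny.
    Thresholds are assumed values for illustration."""
    score, _ = risk_score(req)
    if score <= 4:
        return "allow"
    if score <= 8:
        return "step_up"
    return "deny"

def alert_line(req: Request) -> str:
    """One log line the front desk or SOC would see for the decision."""
    score, reasons = risk_score(req)
    detail = ", ".join(reasons) or "all checks passed"
    return f"{decide(req)} {req.subject} -> {req.zone} (risk={score}; {detail})"
```

An employee with a badge scan and PIN entering the open office is allowed, the same employee after hours is asked to step up, and an unbadged, unescorted visitor in the same space is denied and logged with the reasons.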

But the most effective way to ensure the concept of zero trust is to expand employee education beyond the cyber realm, to all areas of the business. And it needs to be all employees (the executive giving away intellectual property to that potential acquirer needs to learn a thing or two about zero trust!). Two fundamental shifts in perspective need to happen to achieve this:

  • First, employees need to understand that data breaches, intellectual property leaks, insider financial leaks, and other security incidents don't only result from attacks on corporate networks; they can also result from physical device theft or the activities of the person in the next cube.

  • Second, they need to recognize that they're responsible for protecting more than themselves from security threats; they must also do their part to protect their organization. Damaging security breaches hurt everyone, and no one is exempt from doing their part.

And organizations will need to implement a zero-trust framework without calling it zero trust (it's definitely a morale killer if you tell all your employees you don't trust them). Internal communications teams should come up with creative campaigns so employees rally behind and adopt zero-trust concepts (talking about "protecting each other," for example, is a nice way to flip things around).

When employees shift their thinking in this way, companies can be successful with enterprise-wide adoption of a zero-trust framework to uphold physical security. Instead of ignoring that delivery guy, they'll have the knowledge and background to question it ("Hmmm … why is he walking around the office?") and alert the front desk or security.

Most CISOs are also more experienced at encouraging safe employee behavior than other executives, which puts them in a strong position to drive employee education initiatives around a zero-trust-driven workplace. So, as more of you CISOs embrace zero trust this year, take a step back and think about how your initiative could be much larger and have a more profound impact not only on your organization's overall security posture, but also on your personal posture within the executive suite.

Jerry W. Chapman has been with Optiv Security for 15 years developing and delivering Identity and Access Management (IAM) solutions. With 18+ years of experience in Identity, Jerry has been successfully enabling clients in designing and implementing an IAM strategy that ...