Dark Reading is part of the Informa Tech Division of Informa PLC

Zero Trust in the Real World

Those who are committed to adopting the concept have the opportunity to make a larger business case for it across the organization, working with executive leaders to implement a zero-trust framework across the entire enterprise.

To date, the zero-trust model has largely been thought of, and implemented as, a technology strategy — one that helps organizations strengthen their cybersecurity posture. This is understandable, as the concept of zero trust is centered around one key theme: never trust, always verify, which provides perimeters around data, applications and networks while allowing those perimeters to be dynamic and fluid based on risk with an identity- and data-centric approach. However, when one considers the risks of intellectual property loss, reputation damage, theft, etc., that exist outside of the digital realm, zero trust is also a sound approach to protecting the integrity of the entire business.

The reason for this is that physical intruders, insiders, and third parties can lead to many of the same problems that you're trying to prevent in the cyber world: stolen documents, leaked sensitive data, etc. These same threat actors can also use physical tactics to compromise electronic assets — for example, walking around the office looking for Post-it notes with passwords. Consider these other examples:

  • A physical intruder gains unauthorized access to your building by posing as a delivery driver. (Let's face it — none of us bats an eye when a delivery person or a plant-waterer is walking around the office.)

  • A potential "acquirer" holds a meeting with the executive team to see product plans, only to go off and use these plans to build the product themselves.

  • Someone breaks into your office after hours to steal important company files.

  • An executive casually mentions a confidential acquisition to co-workers in the lunchroom without validating that those employees can be trusted with the information.

  • An employee sends a recorded Zoom call to someone outside of the organization for nefarious purposes.

And the list goes on. Put on your "black hat" for a moment and think about all the ways you might unintentionally compromise information in your office — it wouldn't be that hard, right?

This presents an opportunity for CISOs. Those who are committed to adopting zero trust this year have the opportunity to make a larger business case for it across the organization — working with the chief risk officer, chief executive officer (CEO), and other executive leaders to develop and implement a zero-trust framework across the entire enterprise. This will not only strengthen the company's overall security posture, but it will also help CISOs solidify their position in the upper echelons of the business. Case in point: A recent survey by Forrester found that 82% of the 317 global security decision-makers polled said that "they are committed to migrating to a Zero Trust security architecture, and their interest in Zero Trust has elevated the role of CISO to board-level visibility at 49% of organizations."

Zero Trust in the World of Physical Security

For most companies, applying a zero-trust model across physical security strategies is still uncharted territory, and knowing where to start is half of the battle. Of course, there are the age-old, general physical security best practices, such as required badge entry, ensuring employees lock their computers anytime they leave their desk, and making sure employees document passwords in their head rather than on Post-it notes.

But the most effective way to ensure the concept of zero trust is to expand employee education beyond the cyber realm, to all areas of the business. And it needs to be all employees (the executive giving away intellectual property to that potential acquirer needs to learn a thing or two about zero trust!). Two fundamental shifts in perspective need to happen to achieve this:

  • First, employees need to understand that data breaches, intellectual property leaks, insider financial leaks, and other security incidents don't only result from attacks on corporate networks; they can also result from physical device theft or the activities of the person in the next cube.

  • Second, they need to recognize that they're responsible for protecting more than themselves from security threats; they must also do their part to protect their organization. Damaging security breaches hurt everyone, and no one is exempt from doing their part.

And organizations will need to implement a zero-trust framework without calling it zero trust (it's definitely a morale killer if you tell all your employees you don't trust them). Internal communications teams should come up with creative campaigns, so employees rally behind and adopt zero-trust concepts (talking about "protecting each other," for example, is a nice way to flip things around).

When employees shift their thinking in this way, companies can be successful with enterprise-wide adoption of a zero-trust framework to uphold physical security. Instead of ignoring that delivery guy, they'll have the knowledge and background to question it ("Hmmm … why is he walking around the office?") and alert the front desk or security.

Most CISOs are also more experienced at encouraging safe employee behavior than other executives, which puts them in a strong position to drive employee education initiatives around a zero trust-driven workplace. So, as more of you CISOs embrace zero trust this year, take a step back and think about how your initiative could be much larger and have a more profound impact not only on your organization's overall security posture, but also on your personal posture within the executive suite.

Jerry W. Chapman has been with Optiv Security for 15 years developing and delivering Identity and Access Management (IAM) solutions. With 18+ years of experience in Identity, Jerry has been successfully enabling clients in designing and implementing an IAM strategy that ...
