SJA Exclusive: Mitigating insider threats with “zero trust” physical access

Bart Vansevenant, Chief Product Officer at RightCrowd discusses why attribute-based access control can enhance the power of legacy physical access systems.

Physical zero trust

The zero trust security model, as applied to networked and IoT devices, dictates "never trust, always verify". Every device is treated as untrusted, even if it sits on a permissioned network behind firewalls and was verified on a previous connection.

Zero trust relies on robust device authentication, continuous checking of device posture and compliance across the enterprise, and tightly controlled administrative access to logical network resources.

These checks happen every single time the device tries to connect. In short, zero trust treats every access attempt as a potential breach, as if it originated from an open, hostile network.

Over the past two years, the zero trust principle has gained increased interest from the professional security community.

Many have argued that the same zero trust principles should be applied also to physical access as a means of mitigating insider threats – but why and how?

Implementing enhanced security

The truth of the matter is that insider threats can be extremely difficult to identify and defend against, as there are many possible ways that an insider can intentionally or unintentionally threaten an organization.

One particular challenge is the need to protect confidential materials, intellectual property and sensitive data from theft or alteration.

As attention and budgets shift towards cybersecurity, it becomes easier for bad actors and insider threats to bypass cybersecurity protections altogether and target the path of least resistance – right through the front door.

It could be as innocuous as an employee holding the door for an unassuming yet nefarious individual or even as simple as someone walking out with a laptop or storage device in hand.

When applied to physical access, zero trust directs organizations to trust no one by default. In this way, there are no insider or outsider threats, as everyone is deemed a threat and addressed as such.

However, in order to implement zero trust in practice, every request for physical access should be assessed against the person's role, the applicable security policy and any relevant safety protocols.

Organizations can do this without upgrading or ripping and replacing their legacy physical access control systems (PACS) by implementing attribute-based access control (ABAC), a capability of modern physical identity and access management (PIAM) systems.

Physical access

ABAC is a means of granting physical access to a user within an access control system based on rules that relate to the characteristics or properties of each identity.

Unlike traditional, static physical access control lists, PIAM systems with ABAC functionality use data gathered from the organization's logical layer (i.e., IT, HR and other business systems) and push down policies to be enforced by the physical layer (the PACS).

For example, in order to enter the data center with their credentials, an individual must have the following attributes:

  1. They are an active employee 
  2. They are part of the IT group 
  3. They have successfully passed the ISO 27001 training 
  4. They have an approved access request by the CIO 

When the individual scans their badge at the entrance of the data center, the PIAM technology instantly evaluates the status of the identity and determines if all four conditions are met.

If so, it informs the PACS that this individual has permission to enter and entry is granted. Access levels and credentials are only activated once authentication and authorization checks have been performed successfully.

Activations are also limited in time. Because some attributes change constantly (an employee leaves, is moved out of a group, or an approval lapses), a previously granted activation is not trusted indefinitely: the identity is re-evaluated against the policy on the next access attempt, and the grant is revoked as soon as any condition is no longer met.
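The decision flow above (evaluate every attribute on each badge scan, grant a time-limited activation, and re-check it so that a changed attribute revokes access) can be written out as a small policy evaluator. The following is an added example, not code from RightCrowd or from any PIAM product; the identity records, the rule names, the `GRANT_TTL` window and the `IDENTITIES` feed are all constructed stand-ins for what a PIAM layer would pull from HR, the directory, the training system and the access-request workflow.

```python
"""Attribute-based physical access decision, as a PIAM layer would make it
before telling the PACS to unlock the data-center door. Added example;
all data below is constructed and hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Constructed identity feed standing in for HR, directory, training and
# approval systems. E1002 has left the IT group; E1003 was terminated but
# still physically holds a badge (the classic stale-ACL insider case).
IDENTITIES = {
    "E1001": {"employment_status": "active", "groups": {"it", "all-staff"},
              "trainings_passed": {"iso27001"},
              "approved_access": {("datacenter", "cio")}},
    "E1002": {"employment_status": "active", "groups": {"all-staff"},
              "trainings_passed": {"iso27001"},
              "approved_access": {("datacenter", "cio")}},
    "E1003": {"employment_status": "terminated", "groups": {"it", "all-staff"},
              "trainings_passed": {"iso27001"},
              "approved_access": {("datacenter", "cio")}},
}

Rule = Tuple[str, Callable[[dict], bool]]

# Hypothetical policy encoding the article's four conditions for the door.
DATACENTER_POLICY: List[Rule] = [
    ("active employee", lambda i: i["employment_status"] == "active"),
    ("member of IT group", lambda i: "it" in i["groups"]),
    ("passed ISO 27001 training", lambda i: "iso27001" in i["trainings_passed"]),
    ("access approved by CIO", lambda i: ("datacenter", "cio") in i["approved_access"]),
]

GRANT_TTL = timedelta(hours=8)  # assumed activation window
SAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def hours_later(now: datetime, hours: float) -> datetime:
    """Helper so callers can advance the constructed clock."""
    return now + timedelta(hours=hours)


@dataclass
class Decision:
    allowed: bool
    failed_rules: List[str] = field(default_factory=list)
    expires_at: Optional[datetime] = None


def evaluate(identity_id: str, policy: List[Rule], now: datetime) -> Decision:
    """Evaluate every rule on each badge presentation; nothing is cached.

    An unknown badge fails closed. A known identity must satisfy every
    attribute rule, and a successful grant carries an expiry so that a
    changed attribute cannot outlive the activation window.
    """
    identity = IDENTITIES.get(identity_id)
    if identity is None:
        return Decision(False, ["unknown identity"])
    failed = [name for name, rule in policy if not rule(identity)]
    if failed:
        return Decision(False, failed)
    return Decision(True, [], now + GRANT_TTL)


def grant_still_valid(decision: Decision, identity_id: str,
                      policy: List[Rule], now: datetime) -> bool:
    """Re-check an earlier grant: it must be unexpired AND the identity must
    still satisfy the policy right now. Either failing revokes the activation,
    which is what makes the scheme zero trust rather than a static ACL."""
    if not decision.allowed or decision.expires_at is None or now >= decision.expires_at:
        return False
    return evaluate(identity_id, policy, now).allowed


def audit_line(identity_id: str, door: str, decision: Decision, now: datetime) -> str:
    """One audit-trail record per evaluation, including the reason for denial."""
    outcome = "GRANT" if decision.allowed else "DENY(" + ", ".join(decision.failed_rules) + ")"
    return "%s %s %s %s" % (now.isoformat(), door, identity_id, outcome)


if __name__ == "__main__":
    for badge in ("E1001", "E1002", "E1003", "E9999"):
        d = evaluate(badge, DATACENTER_POLICY, SAMPLE_NOW)
        print(audit_line(badge, "DC-01", d, SAMPLE_NOW))
```

Note that every scan runs the full rule set rather than looking up a cached "has data-center access" flag; the denial lists which attribute failed so the audit trail explains the decision, and `grant_still_valid` shows why an activation must be both unexpired and re-verified against current attributes.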

Under ABAC, users are never assumed to have authority, upholding the very principle that defines zero trust. While these solutions work to mitigate the risk of insider and outsider threats, they often are not enough to address intellectual property security concerns.

However, by combining PIAM software with security wearables, organizations can protect their intellectual property while it is being viewed, touched or discussed, in either physical or virtual meetings.

This kind of solution leverages the same PIAM software layer to automatically validate that any individual in proximity to intellectual property is properly authenticated and authorized to access the information or asset.

People who do not meet one or more conditions required to gain exposure to the intellectual property or asset will be visually identified by a blinking red LED light on their security wearable.

The solution also keeps a complete audit trail of when and where any individual has been in close proximity to intellectual property or high-value assets. In this way, organizations are promoting zero trust both physically and digitally.

Together, ABAC-enabled PIAM software and intellectual property presence control software extend the reach of legacy PACS, helping organizations reduce insider threat risk without the cost of replacing their existing access control infrastructure.
