Security

Understanding Zero Trust Via Physical Security? What a Concept!

by: VMware Sr. Manager, Physical Security Systems and Technology Philip Jang and VMware Senior Security Strategist Craig Savage

Zero Trust, a unified and built-in cybersecurity defense framework, offers your enterprise a variety of powerful and effective methodologies to combat threat actors—wherever they lurk. That makes this new approach a valuable ally in the era of globally dispersed offices, lockdowns, remote workers, and ever-proliferating devices. But the benefits don’t stop there. Zero Trust can be surprisingly simple and inexpensive to implement. 

We understand the reality, however. 

The enterprise is a complex ecosystem, and transforming your cybersecurity approach using a brand-new paradigm can seem daunting, if not confusing. However, this blog will demonstrate the simplicity of the Zero Trust cybersecurity model through the eyes of familiar physical security (PhysSec) methods.

Close up of dog's eyes

Zero Trust, as the name implies, means absolutely nothing is trusted by default, regardless of origin. Currently, due to pandemic protocols, a VMware user must now badge into an office and also attest to health status—analogous to the Zero Trust cybersecurity concept that user and device must prove trustworthy and ‘clean.’ No one is trusted outside of the corporate network until there is valid proof of credentials, regardless of how the network is accessed.

Back to physical security. 

Once a person is allowed in a building, there are further security measures in place to prevent unauthorized access, primarily through the use of smart badges. Trust must constantly be proven by repeated validation/credential checks as the badge is used internally.

For example, a visitor would only be allowed access to certain areas (lobby, restrooms) unescorted. Likewise, areas/rooms deemed highly sensitive would require additional badge access and be authenticated through another secure door to enter—whether the person was an employee or not. Badge credentials can also be updated in the physical access control application, and the badge has the ability to be deactivated altogether if reported lost, if a visitor returns it to the lobby, or if an employee changes status (promotion, leaves the company). The physical badge may be the same, but the authorizations change as required. 

Who are you Scrabble pieces with white background

This is exactly how Zero Trust micro-segmentation works. Cyber credentials are constantly scrutinized every time access to a new ‘area’ (app, service, etc.) is attempted. Therefore, a person with marketing credentials would not have instant access to accounting functions as s/he would be automatically micro-segmented. This prevents a threat actor who breaches a corporate network from having access to the entire ecosystem—the more the hacker attempts, the more the system questions the credentials or deactivates access altogether.

The Zero Trust model even allows for on-the-fly credential changes, such as an employee joining a sensitive project for a limited time or taking maternity leave and will not access the system for a while. This makes cybersecurity remarkably nonintrusive for credentialed end users, yet thwarts situations that cybercriminals could traditionally exploit, such as a merger, new software being deployed, or the aforementioned expansion of a sensitive project.

Security control room

Finally, let’s talk about the aspects of PhysSec most people associate with physical security—human patrols, cameras equipped with artificial intelligence (AI), and even robots in the case of VMware. These components offer insight and visibility that are all part of the Physical Access Control Systems designed to help identify breaches and other physical security threats.

The equivalents in the cybersecurity world revolve around enterprise logging, analytics, and monitoring engines. These powerful features ensure every application and service is consistently examined holistically, per the Zero Trust model. Like a security officer, they can ‘sense’ when something is wrong, such as an app acting in strange, nonstandard ways (because it’s being manipulated by a threat actor). 

As should be clear by now, the Zero Trust framework can be a virtual parallel of what the PhysSec team is hopefully doing already. If you and your InfoSec team keep this fact in mind, you’ll soon discover Zero Trust is both approachable and a remarkably simple solution to some very complex issues. 

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or [email protected] to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.