Zero Trust, a term coined by Forrester Research analyst and thought leader John Kindervag, has become the cornerstone of every enterprise’s build-out of IT security. The United States Department of Commerce’s NIST (National Institute of Standards and Technology) published a paper in August 2020 that outlines what a Zero Trust Architecture (ZTA) must include. No wonder, then, that every cyber security company in the world has a story about how it helps organisations on their journey towards a ZTA. Often, I wonder what a ZTA in the physical space would look like. I reside in a gated community where entry is restricted to residents and those who are allowed in by residents. Is it possible to apply the tenets of ZTA to a Zero Trust Campus Access Architecture? Let’s take a look at the ZTA tenets as defined in the NIST SP 800-207 document and see whether they find resonance in the physical world.
- All data sources and computing services are considered resources. In the physical space, this would mean identifying the assets that are important and need to be safeguarded from the bad guys. In the microcosm that a gated community provides, all residents and assets within the houses of residents and any infrastructure assets owned by the community would qualify. We want to safeguard all these assets from physical harm, theft and damage.
- All communication is secured regardless of network location. In the virtual space, all communication between resources within the enterprise is secured using a technology such as TLS or (less likely) IPsec, both of which provide encryption and source authentication. Taken literally, this is difficult to achieve in a community setting, although recent COVID experiences have taught us that wearing masks does provide a certain degree of encapsulation and, therefore, protection from physical harm/illness.
- Access to individual enterprise resources is granted on a per-session basis. The use of apps such as MyGate ensures that the entry of each visitor into the community is approved by the resident of the apartment, every time they visit. Of course, there is a problem here: once the visitor has gained entry, they are free to visit any or all houses of their choice. The only way to mitigate this threat is to have security personnel accompany visitors to their destination houses and, once the visit has been completed, on their way out again.
- Access to resources is determined by dynamic policy and may include other behavioural and environmental attributes. In the virtual world, it is possible to map out the identity and behaviour of users based on their history of accessing various resources. Modern AI and ML techniques can reasonably accurately predict the expected behaviour of users when they access resources. I can’t think of an equivalent scenario in the physical space without infringing on some basic privacy rights. How comfortable, if at all, are we in sharing information on our daily behaviour with the community at large? As I type this, I wonder how much of what we do nowadays is truly random. Google or Apple or Meta or Amazon have good profiles built out for all that we do. Nevertheless, it is not possible to create dynamic policies based on identities and behaviours in a community setting.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. Monitoring of the assets is possible using CCTV cameras and round-the-clock security presence at all key points on the estate. It is important to retain the video logs for a reasonable amount of time, to maintain a running record of the common assets and to monitor them periodically. Not many community campuses maintain records that would stand up to an audit against industry standards.
- All resource authentication and authorisation are dynamic and strictly enforced before access is allowed. Providing access to resources for a pre-defined amount of time only, defining the access privileges based on the application and regularly validating the authorisation credentials are all part of establishing Zero Trust access. The definition itself is written for the virtual world and it is therefore hard to draw a parallel to the physical world. One can ensure that any visitor does depart eventually and that their departure is recorded in the application that tracks their entry. However, regularly validating their presence on the campus is awkward, to say the least. Imagine needing to periodically validate that a visiting guest is actually still at your residence. Or worse, asking visitors to allow themselves to be tracked does not make for a happy setting, especially when you have invited guests over.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture. This is fairly straightforward to understand, but hard to implement even in an enterprise. Physical assets are easier to keep track of, especially when they are owned by the community itself. Keeping track of the actual whereabouts of residents, visitors and service personnel in a campus would rely on the CCTV camera coverage. Verbal communication is, of course, impossible to track without infringing on basic rights.
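The gap noted under the per-session tenet (approval at the gate, then free movement inside) and the time-bounded authorisation in the later tenet can be put side by side in code. This is an added example, not part of the original post and not the code of any visitor-management app; `VisitGrant`, the house numbers and the resident names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class VisitGrant:                # hypothetical record of one approved visit
    visitor: str
    house: str                   # the single resource the approval covers
    approved_by: str
    issued_at: datetime
    ttl: timedelta               # pre-defined amount of time the grant lives

    def live(self, now: datetime) -> bool:
        return self.issued_at <= now < self.issued_at + self.ttl

def perimeter_check(grants, visitor, house, now):
    """Gate-only model: any live grant admits the visitor to every house."""
    return any(g.visitor == visitor and g.live(now) for g in grants)

def per_resource_check(grants, residents, visitor, house, now):
    """Per-session model: the grant must name this house, come from one of
    its residents, and still be within its time window."""
    return any(
        g.visitor == visitor
        and g.house == house
        and g.approved_by in residents.get(house, set())
        and g.live(now)
        for g in grants
    )

# Constructed sample data
T0 = datetime(2024, 1, 1, 10, 0)
RESIDENTS = {"A-101": {"resident_a"}, "B-202": {"resident_b"}}
GRANTS = [
    VisitGrant("courier", "A-101", "resident_a", T0, timedelta(minutes=30)),
    # approval for B-202 issued by someone who does not live there
    VisitGrant("courier", "B-202", "resident_a", T0, timedelta(minutes=30)),
]

def decisions():
    """Return (model, house, minutes after T0, allowed) for a few requests."""
    rows = []
    for house, minutes in [("A-101", 10), ("B-202", 10), ("A-101", 45)]:
        now = T0 + timedelta(minutes=minutes)
        rows.append(("perimeter", house, minutes,
                     perimeter_check(GRANTS[:1], "courier", house, now)))
        rows.append(("per-resource", house, minutes,
                     per_resource_check(GRANTS, RESIDENTS, "courier", house, now)))
    return rows

if __name__ == "__main__":
    for row in decisions():
        print(row)
```
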
ZTA has been developed for enterprises and organisations that exist today, with most communications, transactions and systems completely reliant on software technology. It is imperative that ZTA tenets are followed by CISOs and CIOs to safeguard the company assets and resources. While compiling this blog post, I have gained an appreciation of the difficulties that security forces in any country/state/city/district/campus have to deal with in keeping threats at bay. Developing secure software is a skill; maintaining a secure posture is also a specialised skill. The same holds good for maintaining a harmonious, peaceful and safe environment in the physical space. Some tenets can be borrowed from ZTA. For others, it is complicated.