To better defend digital assets, follow physical security’s playbook

In the wake of the terrorist attacks on September 11, 2001, owners and managers of tall buildings scrambled to improve the security of their assets, their tenants, and the millions of visitors that frequented their sites annually.  In a rush to enhance the security and safety of their buildings, along with the people who occupied them, facility managers invested millions of dollars on access controls, monitoring systems, and people to ensure they were better prepared for unexpected events.

In 2002, the Building Owners and Managers Association of Greater Los Angeles partnered with the RAND Corporation to review the state of building security in that city.  The results of the study, noting a surge in additional cameras, perimeter controls, and security personnel, would look familiar to today’s infosec professionals.  In an especially prescient passage, the 20- year-old study predicts: “Although a ‘security standard’ has not emerged, we expect stricter access controls of one type or another to be permanent additions to downtown high-rise buildings.”

Prior to 2001, it was not uncommon for visitors to be able to roam from floor to floor, hallway to hallway, and business to business, unfettered once they passed through the lobby doors.  After 2001, this free access was significantly curtailed by security guards, turnstiles, and card-controlled doorways, which were in turn monitored by cameras and facial recognition systems.  Today, visitors are often monitored by artificial intelligence engines designed to predict disruption.

While even the worst of today’s cyberattacks don’t compare to the immeasurable loss of human life in the 9/11 attacks, it’s high time that the owners and managers of corporate networks take the same approach and sense of urgency to protecting corporate digital assets that their physical security counterparts have taken with protecting building access.  

The days of open trust are over

One of the best ways to defend the digital assets of a company is to adopt the zero trust framework of controls.  Given the recent attacks on corporations and governmental agencies alike, whether through SolarWinds or any other advanced attack, it is imperative that access to data be further locked down, protected, and monitored.

We must complete the progression from open trust to full verification.  As Forrester Research’s John Kindervag pointed out in 2009, the guiding principal of zero trust is a mindset of “never trust, always verify.”  Anyone who has experience with red teaming a corporate network knows full well that there is still a lot of implicit trust that can be exploited.

A zero trust control framework provides digital defenders the same value as a parallel mindset does for the protection of physical structures.  As the RAND report put it, “The prevention decisions within the control of building owners and managers center on ‘hardening the target,’ which can accomplish (1) deterrence and (2) detection and denial.” Restricting and monitoring access provides better visibility into who and what is attempting to access business assets.  Building rules and contextual decision-making into the controls makes it harder for attackers to exploit and bypass the controls that are in place.  With the correct implementation, these additional controls can lead to a better experience for legitimate users of the assets (think of an access management portal that provides a single, secure way to access multiple applications).

The key components of establishing a less trusting network, and building in better verification, detection, and remediation, are tied to enhanced controls at the data and user level.  Instead of assuming that anyone on your corporate network is supposed to be there, it is necessary to establish the identity of that person (or device) at the outset, then track that identity through the entire interaction.  Systematic decisions of trust must then be made with every request for additional resources.

Just as building managers had to improve their access controls 20 years ago to better defend against an evolving and asymmetric threat, network managers today need to adopt new and increasingly untrusting strategies to protect digital assets from a rapidly evolving, well-funded, and increasingly destructive set of adversaries.