You Already Know What Zero Trust Is, but Might Not Realize It

by Micro Focus Employee in CyberRes

Zero Trust is not a new concept, but the name may be. Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. But Zero Trust also is used in the physical world and can be seen, although perhaps not noticed, in action by anyone who has travelled through an airport. 

After 9/11, the United States Security Advisory Committee was tasked with creating a framework for improving airport employee access control – and surprise, it is based on Zero Trust – although the term isn’t used anywhere in their 32-page report. What is included are sections on authentication, authorization, monitoring, response and a description of their Insider Threat program.

Zero Trust at an Airport

Let’s look at zero trust at an airport. From least to most secure, most international airports are divided into these areas:

  • Check-in / Baggage Claim, or the Public Area.
  • Concourse, or Sterile Area, where everyone must be badged or ticketed to enter.
  • Air Operations Area (AOA), which includes aircraft movement areas, aircraft parking areas, aircraft loading ramps, and aircraft safety areas.
  • Maintenance and airport operations areas, open only to approved personnel.
  • Airplane Cockpit, only open to pilots and other approved personnel.

Anyone is allowed into the Public Area. Translating this into the digital realm, this would be any public web page. 

To enter the Sterile Area, everyone needs to show proof that they are allowed to be there. Passengers must authenticate themselves through appropriate identification documents and be authorized by possessing a ticket for same-day travel. 

Workers, whether employees of the airport, tenants, contractors or airlines, need to be badged. Digitally, this can be compared to a company’s employee network, whether accessed via a VPN, by logging onto a server, or by entering a user ID and password through an application or web page. 

Once someone is authorized to enter the Sterile Area, they have unfettered access to restaurants, shops, waiting areas and bathrooms. But staff and passengers are allowed through a gate onto an aircraft only if they can prove they are authorized for that specific access. Think of an aircraft gate as a payroll, sales, or accounting system. Only employees with a need to be there are allowed to access those systems, and that access might be limited to read-only or to specific portions of data. 

Passengers obviously are not allowed into the AOA or maintenance and operations areas. And US law requires MFA (multi-factor authentication) for access to many secure areas: workers hold their badge to a reader and then enter a PIN or present a finger, palm, or iris to a biometric reader.

Like the digital realm, access is monitored and logged. Every time someone is or is not allowed to move from one area to another, the access is logged via the identification which was presented, and the timestamp can be used to look up associated video from the thousands of cameras at an average airport. In fact, multiple airports are using CyberRes ArcSight as their Security information and event management (SIEM) system to log, understand, and respond to threats. 

Token-Based Security

Often, the badge color or design designates the areas that the holder can access. It should be obvious if someone is in a location where they shouldn’t be just by looking at their badge, and airport employees are taught to say something if they see something.

The digital equivalent of “looking at a badge” to see if someone is authorized to be in a specific area might be a session ID, a Security Assertion Markup Language (SAML) token, or a Kerberos token, each of which supports the transfer of authentication data between two parties: the identity provider (IdP) and the service provider (SP).
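The badge check described above, as an added example that is not from the original post or any CyberRes product: a checkpoint re-validates a signed badge at every zone crossing and logs both allowed and denied attempts. It uses a simplified HMAC-signed token rather than SAML or Kerberos, and the zone names, the shared key, and the choice of which zones require MFA are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"       # assumption: secret held by issuer and checkpoints
MFA_ZONES = {"aoa", "maintenance"}  # assumption: zones that demand a second factor
audit_log = []                      # every decision lands here, allowed or denied

def _sign(body: str) -> str:
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_badge(subject, zones, expires, mfa=False):
    """Issuer side: encode the claims and sign them so a checkpoint can trust them."""
    claims = {"sub": subject, "zones": sorted(zones), "exp": expires, "mfa": mfa}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def check_access(badge, zone, now):
    """Checkpoint side: re-validate the badge at every zone crossing."""
    subject, reason = "unknown", "ok"
    if zone != "public":                      # the public area needs no badge
        body, _, sig = badge.partition(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            reason = "bad signature"          # forged or altered badge
        else:
            claims = json.loads(base64.urlsafe_b64decode(body))
            subject = claims["sub"]
            if now >= claims["exp"]:
                reason = "expired"
            elif zone not in claims["zones"]:
                reason = "zone not authorized"
            elif zone in MFA_ZONES and not claims["mfa"]:
                reason = "MFA required"
    allowed = reason == "ok"
    audit_log.append({"time": now, "sub": subject, "zone": zone,
                      "allowed": allowed, "reason": reason})
    return allowed

if __name__ == "__main__":
    # Constructed sample badges and crossings, for illustration only
    passenger = issue_badge("passenger-1", {"sterile", "gate-12"}, expires=1000)
    mechanic = issue_badge("mechanic-7", {"sterile", "aoa"}, expires=1000, mfa=True)
    for badge, zone in [(passenger, "sterile"), (passenger, "aoa"), (mechanic, "aoa")]:
        check_access(badge, zone, now=10)
    for entry in audit_log:
        print(entry)
```

The denied crossings are written to the log with the same detail as the allowed ones, which is what lets a SIEM correlate repeated failures against one badge or one zone.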


The next time you don’t think you can get your head around zero trust or explain it to someone else, think back to your last time in an airport. In fact, if you are reading this blog in an airport, look around to see who is wearing a badge and what their badge looks like – then guess what access it might give them. You now have a new game to play to keep you occupied when the lounge is full, or your flight is delayed. You can thank me later.

