The same Zero-Trust tools that protect your digital assets also protect the buildings that house them as well as the people who keep everything up and running.
Location, location, location. It’s been the mantra of real estate professionals for years, but it needs to be the mantra of those charged with protecting IT infrastructure, too.
No matter how cloud-based your organization is, you still rely on physical buildings to house servers, barge lines, data centers, racks, network devices and the people who operate them. Tools like physical or digital keys, cameras, alarm and badge systems, and proxy cards control access to who can enter facilities. But in our age of drone strikes, suicide bombers and GIS services such as Google Maps, how do you protect your physical IT infrastructure?
Companies often address the challenge by placing critical IT infrastructure in unmarked buildings or working with companies like Google to hide satellite images of their infrastructure. But these solutions don’t get to the root of the problem — how online vulnerabilities can expose your buildings, just as they expose your digital assets.
“How Vulnerable Is My IT Infrastructure?” Let Us Count the Ways!
Applying a Zero-Trust approach to your physical IT infrastructure starts with the Zero-Trust pillars we’ve already addressed in this blog series. Allowing offsite access to company laptops without online identity or endpoint protection — as well as failing to provide end-to-end encryption or to secure apps — opens the door to bad actors.
Here are some examples of how those bad actors can breach infrastructure on various levels.
Imagine that two employees at a large insurance company are exchanging emails about work they need to do at an unmarked, offsite data center. During the exchange, one of them drops the address of the facility.
However, without MFA, bad actors only need a username and password to gain access to the company’s email system. Requiring an additional device for login, such as the employee’s cell phone, adds an additional layer that significantly reduces the risk.
Failing to adhere to regulatory requirements can put you at risk, as well. While few companies do so intentionally, over time, the requirement to process Payment Card Industry (PCI) data or other sensitive information separately from other data processing systems can slip. In addition to violating regulatory requirements, the failure to segment such data puts you at risk of legal exposure from regulators or from customers with vulnerable data. This is especially relevant in highly regulated industries like healthcare, manufacturing and financial services.
Significantly, segmentation regulations apply whether your services are on premises or hosted in the cloud. That means cloud providers must also comply. Microsoft, for example, has been independently audited by the Securities and Exchange Commission and deemed to comply with regulations for infrastructure in Azure and throughout the Microsoft 365 environment, including SharePoint, Teams, OneDrive, Yammer and Exchange.
Below are some of the major regulations governing segmentation and infrastructure. Others may apply to your industry:
- Securities and Exchange Commission (SEC) Rule 240.17a-4(f)(2)
- Financial Industry Regulatory Authority (FINRA) 4511(c)
- Commodity Futures Trading Commission (CFTC) 1.31(c)-(d)
- Center for Internet Security (CIS) v8 3.12
- National Institute of Standards and Technology (NIST) 800-53 R5 SC-3 and 800-171 R2
It’s a little-known fact that your cell phone may tag photos with the geographic location where they were taken. Say you take a picture of an unmarked building housing a data center and send it to a colleague whose device is breached. Unless you have disabled location tagging on your iPhone or Android device, a tech-savvy person could pull the location data out of the photo and find out exactly where the facility is.
In fact, the same vulnerability applies to personal photos. If you post family photos on social media, for example, someone could obtain your family’s location from the photo.
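As an added example (not code from the original post), the following Python shows the defender's check: it scans a JPEG's Exif segment for the GPS sub-IFD pointer that carries the location tag, and strips the Exif segment before the file is shared. The JPEG bytes are constructed inline as a stand-in for a phone photo, not a real image.

```python
import struct
SOS, APP1 = 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # GPSInfoIFDPointer entry in IFD0 (Exif spec)

def _split_jpeg(data):
    """Return (segments before SOS as (marker, raw_bytes), remaining bytes from SOS on)."""
    assert data[:2] == b"\xff\xd8", "not a JPEG"
    segments, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])  # length counts itself
        if marker == SOS:
            break
        segments.append((marker, data[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]

def has_gps_exif(data):
    """True if any Exif APP1 segment's IFD0 carries a GPS sub-IFD pointer."""
    for marker, seg in _split_jpeg(data)[0]:
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):  # each IFD entry is 12 bytes; the tag is its first 2
            if struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(data):
    """Drop every Exif APP1 segment; all other segments and the scan data are kept."""
    segments, tail = _split_jpeg(data)
    kept = [s for m, s in segments if not (m == APP1 and s[4:10] == EXIF_HEADER)]
    return b"\xff\xd8" + b"".join(kept) + tail

def _tiff_with_gps():
    """Constructed sample TIFF: IFD0 = {Make, GPSInfoIFDPointer}, GPS IFD = {GPSLatitudeRef}."""
    gps_off = 8 + 2 + 2 * 12 + 4  # IFD0 starts at offset 8; the GPS IFD follows it
    ifd0 = (struct.pack("<H", 2)
            + struct.pack("<HHI4s", 0x010F, 2, 4, b"XYZ\x00")   # Make, ASCII
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off)  # GPS pointer, LONG
            + struct.pack("<I", 0))
    gps = struct.pack("<H", 1) + struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00") + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps

# Constructed stand-in for a phone photo: SOI, dummy APP0, Exif APP1 with GPS, minimal SOS, EOI.
_EXIF_BODY = EXIF_HEADER + _tiff_with_gps()
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04\x00\x00"
               + b"\xff\xe1" + struct.pack(">H", len(_EXIF_BODY) + 2) + _EXIF_BODY
               + b"\xff\xda\x00\x04\x00\x00" + b"\x12\x34\x56" + b"\xff\xd9")
```

Running `has_gps_exif` over outbound images is a cheap DLP check; `strip_exif` is the mitigation when the location tag cannot be disabled at the device.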
Consider the challenge the military or security agencies face when they are entrusted to protect facilities housing sensitive data. As military leaders exchange information about the location of materials at facilities, for example, that information must be encrypted not only where it is stored and when it is traveling from one device to another but also as it is being used. Failure to do so could lead to disaster.
By now, we hope it’s clearer how all the Zero-Trust Architecture pillars work together to protect your IT infrastructure — not just what is built with bits and bytes, but what is built with brick and mortar. That’s why a weakness in one area exposes them all. Just as we are all connected to each other through our devices, our vulnerabilities are connected, too.
In our final blog post, we’ll look at network security in a way that goes beyond the traditional idea of the “firewall.” Technology, training and policies must work together to keep bad actors out of your network in the same way they protect identities, endpoints, apps and data.
Until next time, stay safe and stay vigilant!