Zero Trust for Physical Access Control

September 6, 2024 – From the desk of Neil Fallon

The term “zero trust” was first used to describe a security model based on the principle of “never trust, always verify.” Over the last 15 years, IT professionals have embraced this model to never trust a user or device on the network by default, even if that user or device is already inside the network. This strategy ensures that every access request is validated.
 
At the time zero trust was gaining broader attention, I was engaged with the US Government's Identity and Access Management programs as a vendor supplying authentication software for both logical and physical access. The NIST FIPS 201-2 standard outlines how a CAC and/or PIV credential should be used to maintain integrity for both physical access and network access.
 
For the US Government, the starting point of zero trust for network access remains the adoption of the PKI authentication mechanisms available on the CAC and PIV credentials to secure network sign-on requests. More puzzling is why zero trust became an IT security model that seemingly ignored the role physical access to buildings and sensitive areas plays in maintaining a secure environment. Enabling a Physical Access Control System (PACS) to authenticate an access request using the same PKI mechanisms used for logical access, even when the request comes from inside the building, is the essence of "never trust, always verify".
 
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), released the fourth version of its preliminary draft practice guide, Implementing a Zero Trust Architecture (NIST SP 1800-35), for public comment on August 6th. This is an opportunity for the PACS community to make its case for including physical access in a Zero Trust Architecture model.

About Identity One

Identity One builds on the FIPS 201 standard, creating innovative next-generation registration, validation, issuance, visitor management, visitor PIV card and derived credentials for CAC, PIV and TWIC. Identity One's solutions serve physical access, logical access for TWIC compliance, US Federal Government Security and US Armed Forces Security. We issue, register and verify identities for frictionless access and integration everywhere, protect identities from being impersonated, and secure intellectual property. We digitally verify identities for the physical and logical world. Identity One software and services are BAA (Buy American Act) compliant and TAA (Trade Agreements Act) compliant. Identity One is headquartered in Atlanta, Georgia, USA and all our products are proudly made in the USA.