Lynn Goodendorf
Jun 10, 2022

What is Zero Trust?

Zero Trust is a concept particularly relevant to the hospitality industry. It applies to organizations that have guest networks, use multiple cloud services, allow BYOD (Bring Your Own Device) policies and have remote employees.


But what does Zero Trust mean? It’s both a concept and a technology architecture and design. The main idea is that no machine, software, device or human can be implicitly trusted and all must be continuously verified.  

The strategic goal of every hospitality company should be to migrate toward a Zero Trust security posture at an enterprise level for all technology users at hotels/restaurants and respective offices, call centers, remote employees and guests. The key driver for Zero Trust is that we have experienced attacks from trusted third parties, trusted software, trusted network connections, trusted devices, etc. They weren’t malicious by intention, but instead were compromised and attackers used them to gain access to targeted environments and data.

In order to understand Zero Trust, we need to start by looking back to the initial era of internet security technologies. The founding principle was to implement security defenses on the basis of trusted vs. untrusted. This was applied to network connections, systems and applications and end users. It was also an approach taken in assessments and audits. For example, a defined perimeter separated the trusted environment from the untrusted environment with firewalls. These firewalls had settings to allow specific “trusted” network connections access to applications and services inside the perimeter, combined with a default setting to deny all except those that were permitted. In other words, network location determined trust.

However, as online attack techniques increased, it became clear that the perimeter defense strategy was losing ground. It was often described as having as many holes as a piece of Swiss cheese. A new security theme, trust but verify, began to take root. As a starting point, the Defense Information Systems Agency (DISA) and Department of Defense developed a new approach focused on individual transactions instead of a defined defense perimeter. Then an international group of security leaders created the Jericho Forum with the purpose of overcoming the limitations of perimeter-based security. It published a work in 2004 that sparked further progress toward the concept of Zero Trust, a term coined by John Kindervag while working at Forrester Research Inc. as a research analyst.

How is Zero Trust Different?

The first core difference in the Zero Trust model is that access must be verified for every user and all resources on a continuous basis. This translates into the scope, scale and depth of authentication for access control. It isn’t realistic to implement multifactor authentication for every transaction. Zero Trust calls for dynamic risk models that challenge changes at the device or user levels. Access control requires data elements such as endpoint hardware type and function, geolocation, firmware versions, operating system and patch levels.

These are only a few examples of the requirements, but they help to illustrate why it takes time and investment to migrate to a Zero Trust environment. In order to achieve this more complex level of authentication, you need a complete and dynamically available inventory of all authorized users, devices and applications. While technology hardware, network and software inventory has always been a principle of information security, Zero Trust takes it to another level by requiring this inventory data to vet or check access requests.

The next major difference is to limit the impact of an external or insider breach. There are various ways to accomplish this, but in practice, global system admins can’t have a single login with access to multiple hotel LANs or systems. Rather, they need to use a separate login to each hotel or application.

It may seem like a headache for these super admins, but the results are highly effective. The process prevents attackers from gaining lateral access across multiple hotels or restaurants or from one application to another.

Network segmentation is another tactic that can limit the impacts of a breach. It typically separates guest networks, specialty areas such as spas or retail stores, front desk or reservation networks and other local business functions.
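The three points above (continuous, context-aware verification of every request against an up-to-date inventory; per-property scoped admin identities; network segmentation) are what a Zero Trust policy decision point actually has to compute on each access request. The following is an added illustration written for this article, not code from the author or from any vendor product. The inventory entries, attribute names, patch baseline and risk thresholds are all constructed assumptions; a real deployment would pull these signals from the identity provider, MDM/EDR and asset inventory.

```python
"""
Minimal Zero Trust policy decision point (added example, constructed data).
Every request is checked against the inventory, the requester's scope and
network segment, and a small dynamic risk score; the verdict is one of
"allow", "step_up" (require MFA before continuing) or "deny".
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed inventory of authorized users, devices and resources.
# Assumption: these records are the "complete and dynamically available
# inventory" the article calls for, kept current by IdP/MDM/CMDB feeds.
USERS: Dict[str, dict] = {
    "admin-hotelA":     {"role": "sysadmin",  "scopes": {"hotelA"}, "home_country": "US"},
    "frontdesk-hotelB": {"role": "frontdesk", "scopes": {"hotelB"}, "home_country": "GB"},
}
DEVICES: Dict[str, dict] = {
    "lt-0001": {"owner": "admin-hotelA",     "patch_level": 20, "edr": True},
    "lt-0002": {"owner": "frontdesk-hotelB", "patch_level": 14, "edr": True},
}
RESOURCES: Dict[str, dict] = {
    "pms-hotelA": {"scope": "hotelA", "zone": "corporate", "roles": {"sysadmin", "frontdesk"}},
    "pms-hotelB": {"scope": "hotelB", "zone": "corporate", "roles": {"sysadmin", "frontdesk"}},
}
MIN_PATCH_LEVEL = 18   # assumed compliance baseline for managed endpoints


@dataclass
class Request:
    user: str
    device: str
    resource: str
    country: str          # geolocation of the request
    source_zone: str      # network segment the request originates from
    mfa_satisfied: bool = False


@dataclass
class Decision:
    verdict: str          # "allow" | "step_up" | "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Evaluate one access request; nothing is trusted by default."""
    user = USERS.get(req.user)
    device = DEVICES.get(req.device)
    resource = RESOURCES.get(req.resource)

    # Anything absent from the inventory cannot be vetted, so it is denied.
    if user is None or device is None or resource is None:
        return Decision("deny", ["not in inventory"])
    if device["owner"] != req.user:
        return Decision("deny", ["device not assigned to this user"])

    # Segmentation: the guest segment never reaches corporate resources.
    if req.source_zone == "guest" and resource["zone"] == "corporate":
        return Decision("deny", ["guest segment cannot reach corporate zone"])

    # Per-property scoping: an admin identity for hotel A is not valid for hotel B,
    # which is what blocks lateral movement across properties.
    if resource["scope"] not in user["scopes"]:
        return Decision("deny", ["identity not scoped to this property"])
    if user["role"] not in resource["roles"]:
        return Decision("deny", ["role not permitted on resource"])

    # Dynamic risk signals: each raises the bar rather than granting trust.
    reasons: List[str] = []
    if device["patch_level"] < MIN_PATCH_LEVEL:
        reasons.append("device below patch baseline")
    if not device["edr"]:
        reasons.append("endpoint protection missing")
    if req.country != user["home_country"]:
        reasons.append("geolocation differs from home country")
    if user["role"] == "sysadmin":
        reasons.append("privileged role")
    risk = len(reasons)

    if risk == 0:
        return Decision("allow", reasons)
    if risk >= 3 and not req.mfa_satisfied:
        return Decision("deny", reasons + ["risk too high without MFA"])
    if req.mfa_satisfied:
        return Decision("allow", reasons)
    return Decision("step_up", reasons)   # challenge with MFA, then re-evaluate


if __name__ == "__main__":
    for r in [
        Request("admin-hotelA", "lt-0001", "pms-hotelA", "US", "corporate"),
        Request("admin-hotelA", "lt-0001", "pms-hotelB", "US", "corporate"),
        Request("frontdesk-hotelB", "lt-0002", "pms-hotelB", "GB", "guest"),
    ]:
        print(r.user, "->", r.resource, evaluate(r))
```

Note that the engine never answers "allow" on the strength of network location alone: the segment is only ever a reason to deny. The same admin, on a compliant device, still gets a step-up challenge because the privileged role is itself a risk signal, and the same identity is simply rejected for a property outside its scope rather than being asked for a second factor.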

Zero Trust also involves automated context collection and response, including next-generation endpoint security. An example is application whitelisting with settings in high enforcement mode. Note that this needs to be deployed on all endpoint devices and servers rather than just in high-risk zones.

Other useful aspects of Zero Trust include identity protection, cloud workload technology, encryption of data and email security. You can find additional principles and guidance regarding Zero Trust in US NIST Special Publication 800-207, which you can download for free.

You should ask every vendor you use if they’re compliant with this security standard. It is now the leading vendor neutral model. Everyone involved in Zero Trust should read it.

How to Get Started

First, know that no single technology vendor on the market today can provide a Zero Trust security model. Also, Zero Trust Network Architecture (ZTNA) isn’t the only component of Zero Trust architecture, although it is a critical piece.

According to research and consulting firm Gartner Group, “Zero Trust is a widely misunderstood term and overused” by many marketing campaigns. So beware of anyone claiming they have a simple, one-stop approach. The tried and proven approach is to begin with an evaluation of your current state. This assessment should include all endpoints, applications and networks to identify gaps and the scope or scale of deployments. You may want to engage external auditors or consultants to give an independent view in an expedient timeframe. You can view the results to set priorities, resources needed, timelines and budgets.

Highlights of the Gartner Group’s recommendations for priority and focus include:

  • Look at adaptive access controls with priority on all remote access and SaaS applications.
  • Define policies that require stronger authentication, such as multifactor authentication (MFA), CAC card, PIN, etc.
  • Define how to establish machine and application workload identities.
  • Inventory and replace (over time) all instances of VPN that allow access to the network.
  • Define policies for combining user attributes and services to enforce who has access to what.

If your company is just getting started with plans for Zero Trust, you aren’t too late. The Gartner report referenced above notes that observations from client inquiries indicate most companies are in the strategy phase. It’s an ambitious undertaking that may take 3 to 5 years. But incremental progress along the way will reward you with a stronger security posture as cyber attacks continue to escalate in the foreseeable future.

Lynn Goodendorf is a cybersecurity expert whose previous roles include group information security officer with Mandarin Oriental Hotel Group and corporate risk and chief privacy officer with IHG. She currently serves as president of the Information Systems Security Association’s (ISSA) Metro Atlanta chapter. This nonprofit organization is committed to developing and connecting cyber professionals globally.

