Page 78 - Cyber Defense eMagazine September 2025
to all cells—and organizations need to take that lesson to heart if they want to limit risk within their digital
infrastructure.
How Prisons Mirror the Zero Trust Approach
Access restriction and segmentation each play an important role in keeping prisons secure. Individuals
cannot enter a prison facility unless they are on an approved visitors (or vendors) list. Those incarcerated
within its walls cannot move between living units, the law library, gym facilities and other approved areas,
unless granted permission or at specific, predetermined times. Correctional officers themselves require
keys or keycards along with IDs and other verification and authentication methods to pass through
security doors. For most institutions, access to the internet is highly restricted or prohibited, and all
institutions are on high alert to intercept smuggled-in contraband. These are just a few examples, but the
point is this: within the walls of a prison, movement—both physical and digital—is monitored, managed,
and restricted.
When you break it down, the entire architecture of a prison facility is designed to protect the incarcerated,
protect correctional staff, and protect the public. But incidents still happen. And when a disruption occurs,
there are protocols and procedures in place to contain the situation, communicate the impact, and
conduct a postmortem to ensure it doesn’t happen again. To anyone in the cybersecurity field, that should
sound pretty familiar—and it underscores the deep similarities between data security and traditional
physical security. While it’s easy to view the two fields as distinct, the truth is there is a lot that
cybersecurity professionals can learn from their counterparts in the physical security field.
Applying Zero Trust Principles to Digital Environments
That basic lesson should help security and risk leaders think differently about how they build their network
architecture. First, consider what Zero Trust actually means. Ideally, it means access is never granted by
default—identities are not “trusted,” they need to continuously prove that they have the right to access
certain systems and data. What’s more, they should never have access to more data than they actually
need, and only when they need it. This is referred to as the principle of least privilege: identities should have
the minimum number of privileges needed to perform their essential functions, and nothing more. This
helps significantly limit the impact of a potential breach: if a set of credentials is stolen, the attacker will
only have access to a limited amount of data or systems, making it difficult for them to escalate the attack.
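The following is an added illustration, not code from the article: a default-deny authorizer in which every credential carries only the explicit (system, action) grants it was issued and must be re-proven after a short lifetime. The subject, system names and lifetimes are constructed assumptions; comparing the "master key" and the scoped credential shows how least privilege bounds what a stolen credential can reach.

```python
from dataclasses import dataclass

# Constructed example: default-deny authorization with scoped, short-lived credentials.
# All subjects, systems and timings below are assumptions made for illustration.

@dataclass(frozen=True)
class Credential:
    subject: str
    scopes: frozenset        # explicit (system, action) grants; anything else is denied
    issued_at: float         # seconds since epoch
    ttl: float = 300.0       # after this the holder must prove identity again

def is_fresh(cred: Credential, now: float) -> bool:
    """Continuous verification: a credential is honoured only while it is fresh."""
    return 0 <= now - cred.issued_at < cred.ttl

def authorize(cred: Credential, system: str, action: str, now: float) -> bool:
    """Default deny: grant only when this exact (system, action) pair was issued."""
    return is_fresh(cred, now) and (system, action) in cred.scopes

def blast_radius(cred: Credential, now: float) -> list[str]:
    """Systems a holder of this credential (legitimate or thief) can reach right now."""
    if not is_fresh(cred, now):
        return []
    return sorted({system for system, _ in cred.scopes})

# Two ways to provision the same analyst: one over-broad, one least-privilege.
T0 = 1_700_000_000.0
ALL_SYSTEMS = ["hr-db", "billing", "siem", "ci-server"]

# "One key opens every door": read and write on every system.
master_key = Credential(
    "analyst", frozenset((s, a) for s in ALL_SYSTEMS for a in ("read", "write")), T0)
# Least privilege: only the single grant the analyst's job actually requires.
scoped_key = Credential("analyst", frozenset({("siem", "read")}), T0)

if __name__ == "__main__":
    now = T0 + 60
    print("master key reaches:", blast_radius(master_key, now))
    print("scoped key reaches:", blast_radius(scoped_key, now))
    print("scoped key -> billing write:", authorize(scoped_key, "billing", "write", now))
    print("scoped key after TTL:", authorize(scoped_key, "siem", "read", T0 + 600))
```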
The parallel to a prison is clear. Incarcerated persons—and even guards—are not granted more access
than they need. After all, if an incarcerated person could open every door in the prison with a single key
dropped by a guard, that wouldn’t exactly be ideal. In the real world, different doors would require different
keys and different sets of credentials, and an incarcerated person attempting to access restricted areas
would be repeatedly challenged to prove their identity—even if they somehow got hold of a corrections
officer uniform. There are multiple layers of defense, and none of them involve trust. If you can’t prove
who you are and why you should have access to an area, it simply won’t be granted.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.