VYPR research
Published Jun 2, 2026 · 1 source

Zero Trust Principles Applied to Physical Security Edge Devices

Hikvision's Chuck Davis discusses adapting zero trust for physical security systems, emphasizing edge-based trust decisions and treating devices as IT assets.

In an interview with Help Net Security, Chuck Davis, VP of Global Information Security at Hikvision, outlined how the principles of zero trust can be effectively applied to physical security systems, such as cameras and door controllers. He stressed the importance of treating these devices as integral IT assets rather than distinct, isolated components.

Davis addressed a common objection: the apparent conflict between zero trust's 'never trust, always verify' mantra and the hard latency budgets of physical security systems. A door controller, for instance, must decide whether to unlock within roughly 200 milliseconds, which seems incompatible with routing every request through a centralized, cloud-hosted policy engine. Davis argued that this is a design constraint rather than an insurmountable barrier: zero trust can be implemented at the edge without falling back to perimeter-based security models.

The key, according to Davis, is to distinguish centralized trust governance from centralized decision execution. Policy creation, identity management, and authorization logic stay centralized, while enforcement of those policies happens locally at the edge. This model of centrally governed policy with distributed enforcement lets a door controller decide quickly against rules that were centrally authored, validated, and distributed to it.

This architecture separates the Policy Decision Point (PDP) from the Policy Enforcement Point (PEP). The PDP, operating centrally, determines who may access what, based on identity, context, and policy, and issues that policy to the field. The PEP, embedded in the edge device, evaluates each access request against the distributed policy locally, so the decision does not wait on a network round trip. Crucially, local enforcement does not equate to local trust. Edge devices must operate under cryptographically signed policies with short-lived credentials and strict access boundaries; the policies themselves remain centrally governed, are refreshed regularly, and are subject to continuous revalidation.

Davis warned against operational drift, where security teams extend policy cache lifetimes to avoid disruptions caused by network outages. Each extension widens the window in which a door keeps honoring policy the center has already superseded, so a centrally issued revocation may not take effect at the edge for as long as the stale cache is trusted. This gradual, often undocumented relaxation can turn a zero trust edge implementation into a slowly eroding perimeter, undermining the entire security posture.

The architecture must also make the fail-safe versus fail-secure choice explicit. For emergency egress, life safety comes first, so the door defaults to open (fail-safe) during network degradation. A high-security area may instead require a default-closed (fail-secure) state. Either outcome must be a deliberate architectural decision, not an accidental consequence of connectivity loss.
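As an added illustration of the three points above (the PDP/PEP split with signed, short-lived policy enforced locally; the erosion caused by extending the policy cache lifetime; and fail-safe versus fail-secure as an explicit setting), here is a small door-controller simulation. It is example code written for this page, not code from the interview or from Hikvision. The controller class, key material, badge identifiers, door names and timestamps are all constructed; HMAC-SHA256 stands in for the asymmetric signature a real deployment would use, so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed illustration. HMAC-SHA256 stands in for the asymmetric signature a real
# deployment would use, where the edge device holds only the verification (public) key.
CENTRAL_SIGNING_KEY = b"central-policy-authority-key"  # hypothetical key material

FAIL_SAFE = "fail_safe"      # life-safety egress: open when no valid policy is available
FAIL_SECURE = "fail_secure"  # high-security space: stay locked in the same situation


def canonical(policy: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy: dict, key: bytes = CENTRAL_SIGNING_KEY) -> dict:
    """Central authority (PDP side): author, version and sign a policy bundle."""
    sig = hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()
    return {"policy": policy, "sig": sig}


@dataclass
class EdgeDoorController:
    """Policy Enforcement Point on the door controller.

    It answers every access request locally but honors only policy that verifies
    against the central key, is current, and does not roll back a newer version.
    """
    door: str
    fail_mode: str
    stale_grace_seconds: int = 0          # local extension beyond the central TTL; 0 = strict
    key: bytes = CENTRAL_SIGNING_KEY
    bundle: Optional[dict] = None

    def load_policy(self, bundle: dict, now: int) -> bool:
        expected = hmac.new(self.key, canonical(bundle["policy"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["sig"]):
            return False  # tampered or unsigned bundle: never cached
        pol = bundle["policy"]
        if now < pol["issued_at"] or now > pol["issued_at"] + pol["ttl"]:
            return False  # not yet valid, or already past its central lifetime
        if self.bundle is not None and pol["version"] < self.bundle["policy"]["version"]:
            return False  # replay of an older (e.g. pre-revocation) policy
        self.bundle = bundle
        return True

    def decide(self, badge: str, now: int) -> tuple:
        pol = self.bundle["policy"] if self.bundle else None
        if pol is None or now > pol["issued_at"] + pol["ttl"] + self.stale_grace_seconds:
            # Degraded: nothing trustworthy to enforce. The outcome is the door's
            # deliberate fail mode, not an accident of connectivity loss.
            return ("unlock" if self.fail_mode == FAIL_SAFE else "deny", "degraded")
        if badge in pol["revoked"]:
            return ("deny", "revoked")
        if badge in pol["doors"].get(self.door, []):
            return ("unlock", "policy")
        return ("deny", "policy")


def drift_demo() -> dict:
    """Same stale bundle, three controllers: strict, drifted, and fail-safe egress."""
    v7 = sign_policy({"version": 7, "issued_at": 1000, "ttl": 300,
                      "doors": {"lab": ["badge-42", "badge-77"], "exit": ["badge-42"]},
                      "revoked": []})
    strict = EdgeDoorController("lab", FAIL_SECURE)
    drifted = EdgeDoorController("lab", FAIL_SECURE, stale_grace_seconds=86400)
    egress = EdgeDoorController("exit", FAIL_SAFE)
    for c in (strict, drifted, egress):
        c.load_policy(v7, now=1000)

    # The central authority revokes badge-42 in v8; only `strict` receives the refresh.
    v8 = sign_policy({"version": 8, "issued_at": 1200, "ttl": 300,
                      "doors": {"lab": ["badge-77"], "exit": ["badge-42"]},
                      "revoked": ["badge-42"]})
    # An attacker edits the cached v7 body without being able to re-sign it.
    tampered = {"policy": dict(v7["policy"], doors={"lab": ["badge-99"]}), "sig": v7["sig"]}

    return {
        "fresh_allow": strict.decide("badge-42", now=1100),        # honored v7, badge listed
        "refresh_ok": strict.load_policy(v8, now=1250),             # newer signed policy accepted
        "revoked_deny": strict.decide("badge-42", now=1260),       # revocation enforced locally
        "rollback_refused": strict.load_policy(v7, now=1260),       # older version rejected
        "tampered_refused": drifted.load_policy(tampered, now=1100),
        "strict_stale": strict.decide("badge-42", now=5000),       # past TTL: fail-secure deny
        "drift_stale": drifted.decide("badge-42", now=5000),       # drift: revocation never applied
        "egress_stale": egress.decide("badge-42", now=5000),       # past TTL: deliberate fail-safe
    }


if __name__ == "__main__":
    for name, outcome in drift_demo().items():
        print(f"{name}: {outcome}")
```

The `drift_stale` entry is the erosion Davis describes: with the grace period stretched to a day, the drifted controller still unlocks for a badge the center revoked hours earlier, while the strict controller at the same instant falls to its configured fail-secure state and the egress door to its configured fail-safe state. Signature, validity window and version checks run at load time, so a tampered or replayed bundle never becomes the policy the door enforces.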

Ultimately, Davis concluded, zero trust in physical security is not about funneling every decision through a central cloud. It is about ensuring that all decisions, regardless of where they are made, are identity-aware, contextually constrained, continuously validated, and revocable. The 200-millisecond door controller is a prime example of why edge-native design is essential for successful zero trust implementation.

He also highlighted the common industry failing of not universally treating physical security devices as the IT assets they have become. When a camera or access control system connects to a network, it functions as an embedded compute platform with an operating system, APIs, and network management capabilities, necessitating a comprehensive IT security approach.

Synthesized by Vypr AI