Zero Trust Security And Video Surveillance
Designing "Zero Trust" IP networks is a cybersecurity trend, but what does it really mean for video surveillance?
We examine:
- How is "Zero Trust" defined?
- How does it impact video surveillance?
- How can video surveillance manufacturers support Zero Trust?
- What advantages and challenges are there for Zero Trust?
- How should integrators approach Zero Trust networking?
- What are the limitations of Zero Trust?
- What is the US DoD / federal government approach to Zero Trust?
- How is Hikvision advocating for building Zero Trust?
"Zero *****" ********
**** ******* * ********** ******** ******** **** defaults ** *******, ******* *** *****, not ***** *******, **** ** **** are '******' *** ************'* *** *******.
******* ******** ****** ** ************ *** dynamic ******* *********** ** ***** *** devices, ****** ** ******* **** ** the ******* ****** ** *** ******* based ** *** ************ ** *** task *** ***********.
******* *** ****, "**** *****" **** not ****** *** ** ** ******* of *** ****** ** ***** ********. For *******, ***** ************ *******, ********** if ***** **********, ***** ***** ** abused ** *** ******'* ***** ********** or *************** **** *** ***** ********** (as ** ******* ***** **** *** Verkada ****).
Zero ***** **********
***** **** *** ****** **** ** continuously ******** *** ********** *** **** given ****** ** ********** ********* **** permitted. ***** ****** ***** *** ******** as * "******", ***** **** ******* trust ** *******, *** ***** ** devices:
****** ** ********, ** ********, ******-********** *********(****), ***** *** ** ********-***** ** turnkey **********, *** ******* **** ****** inspection (*.*. **** *********** ** ********* data ** **** ****?) ** ******** to ********* ** *********** ********* (*.*. VPN).
************, ***** ******** * **** ***** network *** ***** **** ** ****, there *** **** ****** ** ********** and ***********, *** * ***** ********** Zero ***** ******* (*.*. *****-****** **************, 802.1x, **** **********, **** ******** **********, etc.). **** ********** ******** *********** ******** and ********* **** ** ******** ** video ************.
Impact ** ***** ************
***** ************ ********* **** **** ******* of ****** ** *****, *** ** a **** ******** ** ******* **** moderate ** *********** *************** (*** ****'********** ** ***** ************ ************* *************** and ********). ***** **** ***** ******** *** video ************ ***** **** ******** **** of ***** *************** *** ********.
*******, *** ********** ** ************* ** a *********** ********* *** **** ***** surveillance ************* *** ***********.
Barriers ** **** *****
***** *** * ******* ******** ** Zero ***** ** ***** ************:
- *********** ****** ** ** ** ***** own
- *********** ********* *********
- *** ******** ************* ** *** ** option
*********** ****** ** **** ***** *****
***** ************ ******* *** ********* **** a ******** ** ** ************'* ** network, ** **** *****, * **** small ********. ******* ** ****, **** integrators **** **** ************** *** *** surveillance *******, ******* ** ***** ****** ********* ************ *** **********, ************ **** ************* concerns.
*******, **** ***** ********** ***** ** be *********** ****** *** ****** ************ and ***** ******* * **** ***** of ***********/************* ******* *** ************ **********'* purview. *** *******, **** ***** ***** not ** ******* ** ******* ***, smartphones, ********, *** ***** ******* **-******* devices ****** ******** ******** *******.
*********** ********* *********
************ **** ***** ******* *** **** of *** *** **** ** ****** within ***'* *******. **** ***** ** be ******* ******* *** ******** ******** of *** ********.
* ******** ****** ** **** ***** is ********* ***** *** ******* *** accessing ********* (*.*. *** *********, ****** streams) **** ****** ****** ****. **** Touch ******* ******* *** *** ** multi-factor ************** (*.*. ***-****-*********, **********, *** keys, ***.) ***** ***** ** ****** that *** ******** ** *** **** is *********.
*******, **** **** ******** ***** ** the ******* ** ***** ******* ** to **** *****, *** ** * worst-case ******** *********** ******* *** * user **** ********** ** ** ********* incident, *** ** * ********* ***** out ** ***** *******.
** ****** *** ** ***** ************* For **** **** **
***** **** ***** *** **** ******* vulnerable ******* **** ********* ** ********** other ********* ******* ** ***'* *******, one ***** ***** ** ***** ****** manufacturers *** **** **** ******* **********. For *******, ***** *****, **** **** zero *****, **** ** ***** **** their ***** ********* **** *** ** breached **, *****, ***** ***** ** spying ** ***** *********.
Verkada *** **** *******
**** ******* *** ******** ** ***** 2021, *** *** ** ******** ************ ***** ********** *********** ***** **** ***** ******** architecture. **** ********** ********** **** **** though ******* ******** **** ****** ** admins, ******* ******* *** ******* ******* Verkada ***** ******* ***** ******* ****** Okta's *** *******.
*******, ** *** ******* ******, **** were **** ** *** ********* *********** from ****'* *** ***** ************ ******.
US *** **** ***** *************
***** ********** ** ******* ******** ** initiative ** **** ** ****** *** capabilities ** **** ***** *************** ** ********* *** ********. *******, the *** **** *** ****** ** to ** ***% *** ** ********* security ***** ** ******* ** ***** this.
*** ******** ** **** ***** ** scope, *** ***** *** ** ********/******** specifications, ** ****** ** * ***** for *** ************:
*** *********** ** *** **** ******* ** ** ***** *** *********, operator, *******, *** **** ** **** Trust ** *** *********** *********** ** ********* * **** ***** framework ****** ** ******** ***********.
**** ****** * **** ** ********* and **** **** **** *********-***** ******* that **** **** ************** *******, ****** and ***********:
********** ******* **** ****** *********** ******* ******* **** ****** ****** and ***** ******** ***** ******* ***************. ******* *** ********** ** ******* policies, ***** ** ***** **** ****************, **** *** ** ************** *******, reconfigured, ***/** ******** ***************, ******* ****** **** ****** *** ineffective.
**** **** ******** **** ****-******* *****-****** hackers:
*****-****** ******* *** **** *******, ****-*********, *** **********. *** *** ** *** tactics, **********, *** ********** ******** **** **** invasive ******* *** ****** ****************** ********** **** **** ********** ****** ***** and ********.
Hikvision ********** **** *****
********* ******** *********** ********* **** *****, * ************** ******* *** *** cybersecurity ******; ** ** *******'* ******* can ** *******, **** ***** ******* is ** * ***** ******* *****.
***********, *** ********** ****** **** *************** for ************ * ****** **** ***** network *********:
********* *** ********* *** ** ********* and *** ********* **** **** *** need ** ****** *** ***** ************ system
************ ** ********* ****** "***** ******* are *******" ***** ******* *** ****** purpose ** **** *****.
Limitations ** **** *****
* *********** **********/**** ** *** ** that **** ***** **** ********** *** *********. ******* ********* ****** Verkada **** '***** *****' ********** ** view *** ********'* ****** ******* ** any ****. ********, ** ******** ****** to *** **** ***** ****** *** cameras ******* ****** **** ********'* ********.
*** ** *** ******* *** "**********" from *** ********** ** **************, **** Security, *** ************* ********. **** ** a **** ** ********** **** ***** in *******, ** **** *** ****** with ***** ******* ** *** ******* infrastructure/admin ******* ** ***********.
**** * ********* ********** ***** **** ************* ***************, ***** ** ******* **** ***** have ****** **, ******* *** ******* was ************ ******* ******* *******'* *** servers:
Video ************ ************ ********* *******
******* ** *********, **** ** *** only ***** *** ***** ************ ******* that ****** ********* *********** ** **** Trust, **** ******* **** ****. **** ****** ******** **** ************ manufacturers ***, ** ****, ******* ** securing ***** *** ******* *** ************. Securing ***'* ****** ******* ** ******** the ***** ** ***-**-*** ********** ************* (e.g. *****, ********, ***-*****) *** *********** security ********* (*.*. **** ****, **********, Sonic ****).
***** *********** *** ******** ** **** security ********* ** **********, ** **** not ******** *** ********** ** ******** that *************** *** ********* *** **** one *** ******** ***** ***'* ******'* suppliers.
********* *** *********** *******.
**** ******* ******* ** ******** **** Zero ***** ************ (***) ** * worthless *******, ******* "*** ***** ***** to ***** ****** *************." * ***** that ********** ** *** ****. ** Okta ****** *********** ***, **** *** their ******* ********* ***** ** ** an ******** ***-******* (** ****), ** that * ****** ** *** ******* side ***** *** ********* *** **** of *** **** *******. ** ***** would ** **** ** * ******** valuable ********** ** **** *** ****** or *** ****** ***. *** ******* is ******* ** ****** **** ******* customers **** ***** ******* ** *** sense **** *** ***** ***** **** and ******* **** ********, *** **** is *** **** *** *** ******* you *** **** ** *** ****, i.e. **** *** **** ******** **** care ** ***** *** ********. ** @Jacob ****** ******* *** *****, ** Verkada *** *** ** ******'* **** helped ****** ******* ** ***** ********** mistake ** ********** ***** *** ***** admin *********. *** ** *** ***** adding *** ********** ** **************, *** no **** ****** ** *** ******** can **** *** ** **** ******** is ******-****** *** ******* **** *** it.
#*, ** *** *** ********** **** ZTA ** *******. ** *** ******** with *** **** **** *** **** here:
******* ********* **** ***** ******* ** the ***** **** *** ***** ***** data *** ******* **** ********, *** that ** *** **** *** *** anytime *** *** **** ** *** kind, *.*. **** *** **** ******** take **** ** ***** *** ********.
*** ***** *** *** *** ******** with ***, **** **** ******** **** ZTA ********** *** ******** ***** ******* you **** ******* *** ** *** 'trust' *** ******** *** ***** ** still ********* ** *** ********** **** providers *** ****** ** ******* ******** whether ** ** ***** ** *** or *****, ***.
** ** ***** ** *** * worthless *******, *** ***** *** ***** risks, ** ** ***** ***** ****
**** ********** ********** **** **** ****** Verkada ******** **** ****** ** ******, neither ******* *** ******* ******* ******* could ******* ***** ******* ****** ****'* own *******.
**** ************ *** ***** ** ***, if ****** ** ** ***** *** enforced, **** ******** ** *******, *** activities *** ********* ********.
*******, **** ** * ******* **** a *********** ********** *** ******** ** cybersecurity. **** **** *** ******** ************ and ********* ** ********** ****. ***** schools, *********, ***** ********** *********, *** countless ***** ********* **** ************ **** are ****** ** ******** ** ** so, *** ******* ** *** ***** of ****, ************/******** ******* *** **** one ***** ***** ** *** ********.
***** *********** *** ******** ** **** security ********* ** **********, ** **** not ******** *** ********** ** ******** that *************** *** ********* *** **** one *** ******** ***** ***'* ******'* suppliers.
***** **** ****.
*'** ****** **** ********** ******** ***** because ** ************ (***) *** ******* of **** **** - ***** ** critical.
***** ***** ** ************** ** **** **** ********** ** this ********** ***** (***** ************) *** is * '**** ********' ** *** kind ** ***** ******* *******.
***, ********** ********* ** *********** **** *** manufacturers **** ********* ******** ***'* ********** in *** ****** ** ***** ********.
**** ********/******* ******* ******** ***** ** not ** ****** ** ******* ***** models **** ***/******* ***** ** *** customer ********** ********, ***** ** **'* own **** **** ***'*, **** *** remote (*** **** *****) ****** *** 2FA ******* ********(**** *** ****** ***** notifications). *** ***** **** ***** ******* or ******** **** *** *** ****** to *** ******** ** **** **** no "***** ****" ************. **** **** and/or ******** ***** ***** ** ** intermediate, ******* ***** *******(*), **'* ** nas *** ***** ****/*** ******* ****** to *** ***** ******* **** **** no ************ **** *** *** ********. Log *** ****** *** ****** ******* events **** ************ ** *** ********* local ******** ****. **** *** ***** at * ****. ** **** ***** security ** ***** **** ***** ** protection, **** ** ** ***** ********* for ** ****. **** **** ** solution ** *** ****** ******* ***** business ** **** **** ****** ***** be ****** ** ******* **** **** burdens. *** **** ******** ** **** enough? *** ** *** *****, *** what ** *** *****. ***** ** one ******* ** **** ********** *********- purchase ******* ************ ***** *********(** ** doesn't *****, ***** *** ** ** exist. ****** ********* **** ****** ** destroy *** ********), ******* ****** **** review **** ***'* ** ******* **. If **** *** *******'* ************ ******** are ****** ** ***, ***** ** little *** *** ** ***** ****
*** ** *** **** ********* ***** of **** ***** ** ****** *** product **** ** ***** ** * reverse ********. *** ******* ****** **** ever ***** ** ***** *** *******. Will **** **** ****, ***...... *** not ** ******* ***.
**** ** * **** ***** ********* or ******** ?, *** ***** **** the ********** ******** * ***** *****. Maybe ********* *** ******** *** *********.
**** * **** ** * *******, Safe -* ***** *** ***** **** Trust ******** *** ************ ** *** really **** ** ***** ***** **** Trust **** ***** ** ******** **** can *** ** ***** ******** **** cloud ****** ********, ***....
* ***'* **** *** ****. ******* I ** ******* **** ***** ******** that ****** **** *** ***** ******** work. **** * ***'* **** *****.
***** **** ** ****** **** **** work *** ***** ******** ********* **** will *** ****** *** ******, *********** that **** **** *****, *** *** what **** ** ** *** **** sell *** **** ***** **** *** test **** **** ** **** **** the **** ******* *** ******* ***** products ** ******'*.
***** ***** ******** ** **** **** cloud *** *****, *** *** *** today.
***** ******* ** ********* *** ********* to ****-*****. *** ********* ********* ** white-lists ** * **** ****-**** ******.
*******, * ***** ************* **** ** made. ********* ***** ******* ** *** hardcode ***** ***** ********* **** ****** scripts *** **** ****** **** ** the ********. *** ***** ***** ** 3rd ***** ****** ** ******, *******, & ********* ***** **** ****** **** if ******* *** ***** ** ***. What ******** *** ********** *********** *** is ******** **** ** **** *** vendor. ***** *** **** **** ******** methods *** ********** **** *****-***** ******** within *** ***** ******** **** ********* devices, ****** ************ ****, *** ***** evidence, *** ***** ***** ********* ****** support.
***** ****** ****** *** *** ************** of *** ******* ** ********* *** the ************** ** *** *********** *** vet *** **** ******* *** *******. Yes, **** **** *********** ********** *** these *********** *** ********* **** *** can ***** **** ***** ** ***** to *** ******** *** *** ***-*****.