4 Reasons Physical Security Has a Faster Path to Zero Trust

The smaller scale and simpler data environment of physical security allows organizations to implement Zero Trust more quickly and effectively than enterprise IT.
Sept. 16, 2025

Key Highlights

  • Physical security offers a faster, more practical path to Zero Trust compared with complex enterprise IT environments.

  • Four focus areas — operations, access control, networking and technology deployment — provide a framework for adoption.

  • Stronger alignment with GRC requirements enhances compliance, reduces enterprise risk and builds organizational trust.

(Editor’s note: This article is an installment of the “Real Words or Buzzwords?” series about how real words can become empty words and stifle technology progress.)

This article is prompted by several converging factors.

First, enterprise IT faces escalating demand for robust Governance, Risk, and Compliance (GRC) focused on data and privacy protections. The stakes are raised by intensifying cybersecurity threats, evolving privacy regulations, and the AI-fueled surge in data generation, use, and sharing. Over the past decade, there has been a significant rise in data-driven organizations. Data-driven companies are 23 times more likely to acquire customers (McKinsey) and see productivity gains up to 63% (Data Ideology). The higher the value of the data, the more important GRC oversight becomes.

As most security professionals already know, physical security systems both use and generate large amounts of data that GDPR and other privacy regulations treat as personal data or personally identifiable information (PII), such as an individual’s location and movements. Affected systems include physical access control, video surveillance, and visitor management, with incident investigations and guard force management adding further sources of PII. It should be no surprise, then, if someone with an IT GRC role comes knocking on Physical Security’s door to assess the status of its data protection.

Second, IT depends on Physical Security to safeguard the IT infrastructure that stores, transmits, and processes sensitive data — another reason IT GRC has a vested interest in the Physical Security function.

Third, from a different perspective, Physical Security can secure its own data far more easily than IT can protect its vast information systems. The security data landscape is smaller and less complex, typically involving fewer than a dozen staff with critical system access and only a handful of systems containing sensitive data. In contrast, IT must safeguard thousands of end users across numerous enterprise applications. This makes Physical Security one of the easiest business functions in which to implement effective data security and privacy controls.

This contrast underscores why, despite the slow progress of Zero Trust adoption in enterprise IT, Physical Security can have a faster path for applying its principles. As I wrote earlier this year in “Planning a Zero-Trust Security System Network,” Gartner predicts that only 10% of large enterprises will have mature Zero Trust programs by 2026, up from less than 1% in 2023. This reflects the vast complexity of enterprise IT. Physical Security presents the opposite picture: its operations and technology systems form a smaller, simpler landscape, one well-suited for the application of Zero Trust principles.

James Connor, the Head of Corporate Engagements at Ambient.ai, put it this way: “Physical Security is now squarely in the crosshairs of enterprise risk management. IT GRC leaders are asking tough questions, regulators expect proof of compliance, and adversaries are increasingly targeting cyber-physical systems. This is the moment for Physical Security to lead — not lag — in Zero Trust adoption.”

The key for Physical Security lies in recognizing that Zero Trust for Physical Security does not require reinventing operations or radically altering technology deployments. Rather, it involves firming up and formalizing controls that often already exist in practice. By focusing on four specific domains, security leaders can take a divide-and-conquer approach: formalize the procedural controls already in place, and apply Zero Trust in ways that strengthen both compliance and protection.

1. Security Operations and Administration

The first domain is Security Operations and Administration, where Zero Trust applies to the people managing daily security functions. Each operator or administrator account is a potential insider-threat vector, whether through misuse or through compromise of its credentials. Applying Zero Trust in this domain means, for example, limiting each account’s privileges to what its role requires (least privilege), requiring multi-factor authentication for system access, and controlling the custody of items such as physical keys and visitor badges. It also requires documenting these controls: not only so IT GRC can verify that insider risks are being managed in compliance with organizational requirements, but also to support periodic internal checks (such as reviewing who still holds which privileges) that confirm the integrity and effectiveness of both procedural and technical controls.

2. Site Physical Access Control

The second domain is Site Physical Access Control, where Zero Trust applies to how people enter and move within facilities. Each entry point is a potential vulnerability. Applying Zero Trust in this domain means ensuring that access events are continuously validated, that tailgating and piggybacking are detected and prevented, and that anomalies such as doors held or propped open are captured for immediate response and investigation. A clear example comes from Ambient.ai’s customer story on TikTok U.S. Data Security, described in the online article “TikTok USDS Employs AI-powered Zero Trust to Revolutionize Physical Security.”

3. Security Systems Networking

The third domain is Security Systems Networking, where Zero Trust applies to the networks that connect cameras, access panels, sensors, and other intelligent devices. Every device is part of the attack surface and a potential foothold onto the network, so Zero Trust requires that devices be authenticated before they are allowed to communicate on the network and that their access remain continuously conditional rather than granted once and forgotten.

A practical method available today is IEEE 802.1X port-based authentication with EAP-TLS, supported by leading security device models and enterprise-grade switches. With this approach, each device (the supplicant) presents a unique certificate to prove its identity; the switch or wireless controller (the authenticator) relays that exchange to a RADIUS authentication server, which checks the certificate against the organization’s device CA and its revocation list before network access is granted. If the certificate is expired, revoked, or otherwise invalid, the device is denied connectivity. IT and Security teams can centrally manage which devices are trusted and revoke that trust if compromise is suspected. Two practical caveats: revocation takes effect when the device next authenticates, so periodic re-authentication (or a RADIUS Change-of-Authorization to disconnect a port immediately) is what makes access genuinely “continuously conditional”; and the devices themselves should be configured to validate the RADIUS server’s certificate, so that they do not authenticate to a rogue network.

NVT Phybridge enterprise-grade switches deliver both data and Power over Ethernet (PoE/PoE++) over long distances on existing or new twisted-pair cabling (2,000 ft.) or coaxial cable (6,000 ft.), and provide full support for 802.1X authentication with EAP-TLS.

Looking to the near future, ONVIF’s TLS Configuration Add-on, released in 2024, provides a standardized way to configure and manage TLS settings on IP-based security devices such as cameras. As camera makers adopt this ONVIF add-on, it will become easier to enforce encrypted communications and certificate-based trust across multi-vendor environments, reducing the complexity that has often hindered secure camera deployments.

In the meantime, Axis Device Manager software supports installing certificates and configuring IEEE 802.1X (EAP-TLS) on Axis devices.

Beyond authentication and TLS configuration, Zero Trust networking also requires:

  • Network segmentation to isolate devices into defined zones (for example, cameras, access control panels, and sensors on separate VLANs that may talk only to their own head-end systems), limiting lateral movement if one device is compromised.
  • Encryption of data flows to protect sensitive information in transit.
  • Real-time monitoring to detect anomalies such as unusual traffic patterns or communication attempts outside the allowed zone-to-zone paths. This capability is often best provided by the organization’s IT function, which already monitors corporate information systems in that way.
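The following is an added example, not code from the article or from any vendor it names, that models two of the checks described above in working form: admit() makes the decision a RADIUS server makes for an 802.1X/EAP-TLS supplicant (trusted issuer, validity period, revocation) and assigns a VLAN by device role, which is how dynamic VLAN assignment places a device into its zone; find_violations() then checks flow records from those zones against a per-zone allow-list and reports lateral device-to-device traffic, egress outside the security network, and other unlisted destinations. It works on constructed, already-parsed certificate attributes and constructed flow lines rather than live TLS sessions; the CA name, the <role>-<site>-<nn> naming convention, the VLAN numbers and subnets, the addresses and the log lines are all assumptions for illustration.

```python
"""Added example (not from the article or any vendor it names): a model of the
802.1X/EAP-TLS admission decision and of allow-list monitoring for segmented
security-device VLANs. All names, numbers and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DeviceCert:
    """Fields a RADIUS server would read from the supplicant's certificate."""
    issuer: str
    subject_cn: str
    serial: int
    not_before: datetime
    not_after: datetime


TRUSTED_ISSUER = "CN=Example Security Device CA"  # assumed private device CA
REVOKED_SERIALS = {0x1003}                         # constructed CRL contents
# Device role -> production VLAN (what RADIUS would return for dynamic VLAN
# assignment); unknown roles are quarantined rather than put on a production zone.
ROLE_VLAN = {"camera": 110, "panel": 120, "sensor": 130}
QUARANTINE_VLAN = 199


def admit(cert: DeviceCert, now: datetime):
    """Return (decision, vlan, reason) for one EAP-TLS authentication attempt."""
    if cert.issuer != TRUSTED_ISSUER:
        return ("reject", None, "issuer is not the trusted device CA")
    if not (cert.not_before <= now <= cert.not_after):
        return ("reject", None, "certificate outside its validity period")
    if cert.serial in REVOKED_SERIALS:
        return ("reject", None, "certificate serial is revoked")
    role = cert.subject_cn.split("-", 1)[0]  # assumed CN convention: <role>-<site>-<nn>
    vlan = ROLE_VLAN.get(role)
    if vlan is None:
        return ("accept", QUARANTINE_VLAN, "unknown device role, quarantined")
    return ("accept", vlan, "ok")


NOW = datetime(2025, 9, 16, tzinfo=timezone.utc)
_VALID = (datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2027, 1, 1, tzinfo=timezone.utc))
SAMPLE_CERTS = {  # constructed supplicants covering each outcome
    "camera-hq-21": DeviceCert(TRUSTED_ISSUER, "camera-hq-21", 0x1001, *_VALID),
    "expired": DeviceCert(TRUSTED_ISSUER, "camera-hq-22", 0x1002, _VALID[0],
                          datetime(2025, 6, 1, tzinfo=timezone.utc)),
    "revoked": DeviceCert(TRUSTED_ISSUER, "panel-hq-05", 0x1003, *_VALID),
    "rogue-ca": DeviceCert("CN=Some Other CA", "camera-hq-23", 0x1005, *_VALID),
    "unknown-role": DeviceCert(TRUSTED_ISSUER, "printer-hq-01", 0x1004, *_VALID),
}


def evaluate_samples():
    """Admission decisions for the constructed supplicants, keyed by sample name."""
    return {name: admit(cert, NOW) for name, cert in SAMPLE_CERTS.items()}


# Per-zone allow-list: (destination, port) pairs each VLAN may initiate to.
VMS, NTP, DNS, ACS = "10.10.1.10", "10.10.1.5", "10.10.1.6", "10.10.2.10"
ALLOWED = {
    110: {(VMS, 554), (VMS, 443), (NTP, 123), (DNS, 53)},  # cameras: VMS, time, DNS
    120: {(ACS, 443), (NTP, 123), (DNS, 53)},               # panels: ACS head end only
}

FLOW_LOG = """\
2025-09-16T10:00:01Z vlan=110 src=10.10.110.21 dst=10.10.1.10 dport=554 bytes=48213
2025-09-16T10:00:02Z vlan=110 src=10.10.110.21 dst=10.10.1.5 dport=123 bytes=76
2025-09-16T10:00:03Z vlan=110 src=10.10.110.22 dst=10.10.110.21 dport=80 bytes=1200
2025-09-16T10:00:04Z vlan=110 src=10.10.110.22 dst=203.0.113.7 dport=443 bytes=912000
2025-09-16T10:00:05Z vlan=120 src=10.10.120.5 dst=10.10.2.10 dport=443 bytes=3100
2025-09-16T10:00:06Z vlan=120 src=10.10.120.5 dst=10.10.1.10 dport=554 bytes=640
"""  # constructed flow records in a simple key=value form


def parse_flow(line):
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # drop the timestamp
    return {"vlan": int(fields["vlan"]), "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def find_violations(log=FLOW_LOG):
    """Flows not on their zone's allow-list, as (src, dst, dport, reason) tuples."""
    found = []
    for line in log.splitlines():
        f = parse_flow(line)
        if (f["dst"], f["dport"]) in ALLOWED.get(f["vlan"], set()):
            continue
        if f["dst"].startswith(f"10.10.{f['vlan']}."):  # assumed: VLAN n uses 10.10.n.0/24
            reason = "device-to-device traffic inside the zone (possible lateral movement)"
        elif not f["dst"].startswith("10."):
            reason = "egress outside the security network"
        else:
            reason = "destination not on the zone allow-list"
        found.append((f["src"], f["dst"], f["dport"], reason))
    return found


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:14} -> {decision}")
    for violation in find_violations():
        print("ALERT", violation)
```

Run stand-alone, the script admits only the valid camera certificate onto VLAN 110, rejects the expired, revoked and foreign-CA supplicants, quarantines the unknown “printer” role, and raises three alerts from the constructed flows: a camera talking to another camera, a camera sending data to an Internet address, and an access panel reaching the video management server. The allow-list is deliberately a set of explicit destinations per zone rather than a deny-list, which is the Zero Trust default; in production the same decisions would be implemented in the RADIUS server policy, switch ACLs or firewall rules, and the flow checks in the SIEM or NDR tooling IT already runs.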

The above three aspects may seem daunting to physical security technologists, especially for large-scale systems. Purpose-built tooling exists, however. For example, the Viakoo Action Platform is a Cyber-Physical System (CPS) Protection Platform that supports Zero Trust networking across segmented networks for physical security devices and applications by providing device visibility, automated management of firmware, passwords, and certificates (for authentication and encryption), and continuous monitoring and remediation to keep devices secure and compliant.

It is an agentless platform, meaning it does not require software to be installed on each device. This allows for friction-free and scalable management of a physical security system deployment of any size, as well as centralized management across multiple sites. As IT has already shown, a purpose-built, centrally managed platform is an effective approach to securing large-scale technology infrastructure and keeping its protection current with the evolving cybersecurity risk picture.

Together, the controls described above ensure that only verified devices can connect, that their communications are encrypted and compliant, and that non-compliant devices are detected quickly, making the security systems network a controlled environment aligned with Zero Trust principles.

4. Security Technology Deployment, Integration and Service

The fourth domain is Security Technology Deployment, Integration, and Service, where Zero Trust applies to how systems are implemented, integrated, and maintained. Each deployment or service activity is a potential risk point. Applying Zero Trust in this domain means enforcing rigorous acceptance testing (including verifying that the security settings specified were actually configured), granting service providers only time-bound, identity-verified access that is removed when the work is done, and documenting all activities so that configurations can be shown to remain secure and compliant over time.

On reading a draft of this article, James Connor suggested the following summary table to provide a quick overview of the key points and Zero Trust controls.

Final thoughts

Zero Trust adoption across enterprise IT will remain slow because of the sheer complexity of information systems. Physical Security, however, has a faster path forward. By focusing on the four well-defined domains listed above, security leaders can apply Zero Trust in ways that are both practical and impactful.

Many of the necessary controls already exist in some form; what’s required now is to formalize and document them, align with IT GRC practices, and extend Zero Trust principles consistently. In doing so, Physical Security not only strengthens its own protections but also demonstrates to the enterprise that it can lead by example in adopting modern security practices.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.
