The document was created to guide the lodging industry on technologies that protect its systems. For the effort, NIST deployed a property management system (PMS), a door lock system and a number of other commercial technologies designed to protect network environments.
Benefits of this research include:
- Increased security and reduction of risk for business systems like the PMS
- Better support for meeting privacy and regulatory requirements
- Instilling consumer confidence and loyalty by protecting guest privacy and payment information
The NIST paper was developed to align with the tenets of Zero Trust Security. The NIST research was limited to the reservation, check-in, issuing door keys, check-out, and payment processes.
Protecting the Network and Systems
The first tenet of Zero Trust Security is that all data sources and computing services are considered resources. We protect the resources, the hardware, software and information deployed on the network, by isolating them and controlling access by people and other systems. This isolation technique is often called segmentation.
Many organizations do this by defining network segments and using network infrastructure components like routers and firewalls to enforce rules about which systems are allowed to exchange network messages. This segmentation is required by Payment Card Industry (PCI) standards for the cardholder data environment (CDE) and is typical for separating guest networks from the hotel’s business network. NIST chose to enhance this security by adding a network appliance that monitors network traffic and blocks inappropriate activity. This helps prevent lateral movement attacks, where one compromised machine is used to infect another.
Think of network segments as separate islands. People on one island can’t talk to those on another one unless they run a line (or bridge) between the islands. The network appliance listens to the line and blocks any message that doesn’t belong or shouldn’t be moving between the islands based on a set of rules that the appliance enforces.
What Belongs in a Segment?
It’s important to know what devices or systems belong on the network and various network segments. This is an inventory. For example, PCI requires an inventory report for the systems used for payments as a part of the PCI audit.
It isn’t enough to simply inventory the hardware; you must include the software as well. You can use network appliances and software tools to automatically build this inventory and send notifications when it changes unexpectedly. This helps protect the system by making operators aware that something has changed unexpectedly and that the change could cause harm.
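As an added illustration (not code from the NIST guide), here is a small version of the rule check a segmentation appliance applies to traffic crossing between the "islands" above, using a device inventory to spot hosts that do not belong. All addresses, segment names, rules and the flow-log lines are constructed for the example.

```javascript
// Added example: segment policy check driven by a device inventory (constructed data).

// Inventory: which known devices sit in which segment.
const inventory = {
  '10.1.0.10': { name: 'pms-server', segment: 'business' },
  '10.1.0.11': { name: 'front-desk-pc', segment: 'business' },
  '10.2.0.20': { name: 'payment-gateway', segment: 'cde' },
  '10.3.0.30': { name: 'door-lock-controller', segment: 'locks' },
};
const GUEST_PREFIX = '192.168.'; // assumed guest Wi-Fi address range

// The only "bridges" between islands: source segment, destination segment, destination port.
const rules = [
  { from: 'business', to: 'cde', port: 443 },    // PMS sends payments into the CDE over TLS
  { from: 'business', to: 'locks', port: 8443 }, // PMS issues door keys to the lock controller
];

// Place a device by the inventory; guest Wi-Fi is its own island; anything else is unknown.
function segmentOf(ip) {
  if (inventory[ip]) return inventory[ip].segment;
  return ip.startsWith(GUEST_PREFIX) ? 'guest' : null;
}

// Decide one flow: unknown devices and unpermitted cross-segment traffic are blocked.
// Traffic inside a segment passes this layer; per-session identity checks still apply to it.
function evaluate(flow) {
  const from = segmentOf(flow.src);
  const to = segmentOf(flow.dst);
  if (from === null || to === null) {
    return { action: 'block', reason: `unknown device ${from === null ? flow.src : flow.dst}` };
  }
  if (from === to) return { action: 'allow', reason: `inside ${from}` };
  const permitted = rules.some(r => r.from === from && r.to === to && r.port === flow.dport);
  return permitted
    ? { action: 'allow', reason: `${from}->${to}:${flow.dport} permitted` }
    : { action: 'block', reason: `lateral ${from}->${to}:${flow.dport} not permitted` };
}

// Parse constructed flow-log lines of the form "<time> <src> <dst> <dport>" and decide each one.
function auditLog(lines) {
  return lines.map(line => {
    const [time, src, dst, port] = line.trim().split(/\s+/);
    const flow = { src, dst, dport: Number(port) };
    return { time, ...flow, ...evaluate(flow) };
  });
}

// Constructed sample log: a normal payment, a guest laptop probing the PMS,
// a front-desk PC trying SSH to the lock controller, and a device missing from the inventory.
const sampleLog = [
  '2024-05-01T09:00:00Z 10.1.0.10 10.2.0.20 443',
  '2024-05-01T09:00:05Z 192.168.5.7 10.1.0.10 445',
  '2024-05-01T09:00:09Z 10.1.0.11 10.3.0.30 22',
  '2024-05-01T09:00:12Z 10.1.0.99 10.2.0.20 443',
];
```

Running `auditLog(sampleLog)` allows only the first flow; the other three are blocked with reasons that name either the unpermitted island-to-island hop or the unknown device, which is exactly the kind of event the inventory notification in the text is meant to surface.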
Controlling Access to Resources
Zero Trust tenets require that access to resources be granted on a per-session basis. The system must establish trust in the requestor before access is granted. Authentication and authorization are dynamic and strictly enforced before access is allowed. To protect the business, a Zero Trust Architecture design must be able to positively identify who or what is attempting to access specific resources, and it limits access to authorized users only. This applies to both people and systems. The NIST document uses an appliance to help manage these identities and to create logs when identities are confirmed.
MFA and Identification
Digging deeper into identity capabilities requires a discussion of authentication and authorization:
Authentication is proving that a person or system is who they claim to be. If you belong to a gym, you might have a card with your name and photo to identify you as a member. This proves who you are to the person at the front desk. That’s authentication.
Authorization is what a person or system is allowed to do. Your gym card might also show that you’re allowed to use the exercise circuit and the racquetball courts, but not the sauna or pool. This is authorization.
We’re all familiar with the normal practice of providing a username and password. But even if you can count on everyone using a secure password (and you can’t), this isn’t safe enough to protect high-risk data like payment information and network configuration settings. In modern systems, anyone who requires access to sensitive data or to system or network configuration settings should be using multifactor authentication (MFA). This requires something in addition to a username and password. It may be a biometric like a fingerprint or a face scan, or it could be something like a card, a phone or another device that generates a unique one-time password or code and that only you possess.
Public Key Encryption
Systems also need to identify themselves to other systems. To do this they often depend on public key encryption (PKE). A PKE system uses two encryption keys:
- A private key that’s protected and stored securely
- A public key that’s shared and published openly
A message encrypted using the private key can be decrypted with the public key, proving that the private key holder generated the message. A message encrypted with the public key can only be decrypted using the private key. For secure, private communications you simply need to publish the public keys and encrypt each message twice, once with a private key and once with a public key.
To authenticate to another system, a system sends its credentials to that server, encrypting the message with its private key. This server is normally an identity server that validates the credentials and determines whether the requestor has permission, or is authorized, to access the desired resource (authorization). If the requestor is authenticated and authorized, it receives a ticket or token allowing it to access the resource for a set period of time.
What Is a Security Appliance?
NIST chose to use a security appliance that provides identity services with MFA support, a secure vault for storing secrets like private keys, and encryption and decryption services. This appliance also handles payment card tokenization so you can securely store payment card data.
Protecting the Data
Zero Trust requires security for all communications on the network, even those within a network segment. In general, data needs to be protected when it’s in transit (moving from one place to another) and when it’s at rest (stored). Using Transport Layer Security (TLS) consistently can protect data in transit. TLS secures the channel, or link, between the sender and the receiver. You’re using TLS in a browser when you see HTTPS in front of the URL or a green lock icon in the address bar.
Another way to protect data in transit is to use point-to-point encryption (P2PE). Instead of counting on the channel being secure, this method encrypts the data itself before sending it. This means that even if the channel is compromised, the data is still secure. Always send payment card data using P2PE.
You can protect data at rest in several ways depending on the level of security required. Data requiring the highest security levels can be:
- Tokenized: The system replaces data, like an account number, with a token you can use to retrieve it. Only the token store has to protect the real value, which reduces the security needs everywhere else and makes this a good way to protect credit card numbers.
- Encrypted: You need a key both to encrypt the data and to access it. You can use the key to encrypt search criteria so you can search the database without decrypting the data. Keys are secret and best stored in a secure vault. The security appliance that NIST selected also provides a secret storage service, and it supports passing data to the appliance to be encrypted and decrypted without the need to reveal the keys.
Monitoring and Alarming
Zero Trust Architecture continuously collects information about the state of the network, infrastructure, communications and resources. It uses this information to improve system security. The output of that monitoring must also be reviewed. This would be a tedious job for a human, so the NIST architecture includes a pair of solutions to help address these needs. They work together to monitor the systems, analyze what’s happening and block bad behavior before it has a negative impact. They also log events and actions and generate alarms when the system needs human intervention.
The system has the ability to:
- Control, log and manage changes and updates to devices and systems in the PMS reference design
- Monitor and protect the PMS reference design network and the devices connected to it
- Monitor the network to detect potential cybersecurity events
The reference designs support monitoring network activity. The privileged access management tool can:
- Report on and correlate events from the control system with log information
- Monitor personnel activities to detect potential cybersecurity events
- Watch for unauthorized personnel, connections, devices and software
- Monitor for connections and attempted connections by unauthorized devices, users and systems