Most of us don’t have responsibility for airports but thinking about airport security can teach us lessons about how we consider, design, and execute IT security in our enterprise. Airports have to be constantly vigilant from a multitude of threats; terrorists, criminals, rogue employees, and their security defenses need to combat major attacks, individual threats, stowaways, smuggling as well as considering the safety of passengers and none of this can stop the smooth flow of travelers as every delay has a business knock-on effect. Whew! And this is just the start.
The airport operators are a lesson in supply-chain and 3rd party communications. They cooperate with airlines, retailers, and government agencies, and their threats can be catastrophic. They also need to consider mundane problems like how do you move a large number of people around quickly, what to do when someone leaves a bag to go shopping and how to balance risk reduction with traveler comfort - many needs to be considered, planned for, and the execution when a risk is identified needs to be immediate. All before thinking about IT-related issues, thefts from retailers, employee assessments and training, building safety, people tracking, and … the list seems almost endless.
Our business IT security needs might not seem so complex; however every enterprise has its external and internal attackers; hackers, ransomware, DDoS attacks to take down your systems and rogue employees, or inadvertent actions by good employees who don’t realize what link they are clicking on or data they are over-sharing. At the same time, the business needs to be able to enable the newest and most effective apps and systems and employees hate anything that appears to get in their way.
So, let’s see what airports can teach us about thinking about possible threats and appropriate safeguards to deploy a layered approach that protects your data, users, and infrastructure.
If you take just one threat; terrorism as – this image shows that US airports have more than 20 layers of security – a mixture of human and technological measures. https://en.wikipedia.org/wiki/Airport_security#/media/File:Security_layers.jpg
There’s no silver bullet, there’s not one piece of security awareness or technology that will solve all problems – but if integrated, they can all build together to draw a picture of the possible threat. Our defenses shouldn’t rely on just one technology either, but when we have multiple capabilities working together, we can evaluate, identify and address our security needs.
Here’s my table of some of the needs of an airport and equivalent areas in general IT security. Just as in an airport, individual pieces are of limited benefit unless they are brought together. Even though each item improves overall security, a single management console that can correlate all these pieces of knowledge and suggest or make policy decisions is crucial to ensure you get maximum benefit.
|
Airport |
Enterprise IT |
|
Check ticket against passport |
Global SSO and multi-factor authentication for every app (including cloud) |
|
X-ray baggage |
Scan attachments for malware |
|
Security gates and hand baggage check |
DLP for confidential data loss control |
|
Facial recognition comparing security gate and plane gate with a ticket |
Zero trust – keep checking at all times |
|
Baggage weight check |
Review email attachments – treat previously unseen executables as a suspect |
|
CCTV as passengers move around airport |
User behavior analytics for risky behavior |
|
Database of travelers, prior travel, destination information |
Logging / analytics |
|
Temperature tests for COVID |
Block surfing to high risk web sites |
|
Visa requirements |
Access control to sensitive areas or sensitive data |
|
Check expiry date on passport |
Reconfirm credentials after a period |
|
History of prior travel |
User behavior analytics to understand “normal traffic” for each individual user and alert on unusual patterns. |
|
Open Skies Initiative – sharing data with destination – allowing arrest on landing |
Insights to check and implement defenses before attacks based on other organization’s threats |
|
Landing card (where staying, reason etc.) |
Employee justification for actions – feedback loops when challenged |
|
Fingerprints on landing – check against previous travel history |
Insights |
|
Security guards, customs agents, check-in staff, people monitoring CCTV |
The personal touch – the SOC team investigating threats and defining and implementing policies |
|
Different security lines for additional checks |
Remote Browser Isolation |
|
Overall SOC center to correlate all inputs |
Global management |
What have we learned?
First, the job of securing an airport is complex and involves a lot of planning, cooperation with 3rd parties, and a vast mixture of people and technology-based security.
Second, we cannot rely on one defense, just like airports.
Third, concepts like zero trust, MITRE ATT&CK framework, Cyber Kill Chain are all aiming to look at threats in the round – we need to look at threats from every angle we can and implement the best technology we can.
The best solutions will be integrated, you need to be able to collate activity patterns to evaluate risks and define defenses. McAfee’s Device to Cloud Suites is designed to bring together multiple systems all under one umbrella and let you accelerate cloud adoption, improve productivity and bring together more than ten different security technologies all managed by McAfee ePolicy Orchestrator (ePO).