Combining Forces: Physical Security and IT Security


by Christine Vecchio-Flaim, NYSTEC Consultant

IT Security and Physical Security have traditionally been managed by two distinct entities in most organizations.  The Physical Security staff was responsible for door keys, human security guards, building access, and safety operations.   The IT Security staff was strictly responsible for the protection of data within the organization.  This division of labor was seldom planned, but evolved over time and still exists in many organizations. 

As technology has advanced, so have the roles of these two security groups, and we’ve reached the point today where many organizations are overdue for a restructuring of their security workforces.  Eric Maiwald, an analyst from Burton Group, clearly states a rationale for combining the two groups: “If physical access to a computer system can be achieved, gaining logical access to the information on that computer system is guaranteed.”

So how do we begin to unify these two distinct groups into one dynamic security entity that protects our two most critical assets, people and information?  Let’s step back for a moment and trace how we arrived at this point. 

When I started my career in the mid-1980s, security organizations consisted primarily of retired military personnel and law enforcement officers.  Somehow I managed to break into the Physical Security ranks with no law enforcement background, but I was a rare bird.  No one within our 60-person security organization knew anything about computers.  I was the techie of the group, not because of my vast experience in the computing world, but because I knew how to operate a PC.

For most security organizations in the 1980s, computer security was a low priority.  Slowly but certainly, organizations began to realize that data protection was critical.  But where would they turn?  They asked their Physical Security gurus and quickly learned that most of these people, although talented at old-school security measures, were not very knowledgeable about this new computer technology.  Thus the IT Security organization was born.

IT Security became an elite group that grew separately from the Physical Security group.   Not wanting to be left behind, I decided to become a part of the elite group, so I returned to school and pursued a degree in Information Systems.  For the next 10 years, IT Security was all the buzz, and no one talked about Physical Security.

Well, what goes around comes around.   I spend a great deal of time consulting in IT and forensic security matters, and today I often find myself returning to my roots: Physical Security.   All of the security components that became trivial during the IT Security boom are suddenly important today: identification cards, camera systems, alarm systems, parking controls, and disaster recovery.  Sept. 11, 2001 could be cited as the stimulus, but I believe the change is more deeply rooted.  More and more customers are re-evaluating their security postures and viewing security as a whole entity.  They see that Physical and Information Security are intertwined throughout the organization.  It all goes back to Maiwald’s observation: Give me physical access to your computer, and I own your data — period.

Just think about today’s security control systems.  Stand-alone electronic door openers are all but obsolete.  Today’s security control systems perform their wizardry for multiple facilities operating on multiple hardware and software platforms across complex networks.  Many of these systems incorporate network-security authentication through a variety of technologies including biometric authentication.  Digital camera systems are fast replacing old analog CCTV systems.  Video systems operate across corporate networks and the Internet, and some even incorporate artificial intelligence.  Traditional lock-and-key sets can be replaced with electronic cores that utilize chip intelligence to perform their tasks.  Investigations have also become high-tech.  Computer forensic analysis is required for almost any type of investigation.

Now is the time to start thinking about the convergence of security disciplines into one organization with complementing skills and the coordination of work — all of which can save your organization money.  A combined security-services organization would still have diverse skills, but react as a unit in considering physical and logical security measures across the organization.  A combined security group can perform comprehensive risk assessments with a thorough understanding of organizational needs while applying appropriate security controls.

Want to know the biggest problem with segregating security departments?  It promotes turf protection.  Turf guarding is seldom good for any organization, and in the case of security, it can be a very serious impediment.  Consider the number of data centers designed today without any input from Physical Security experts.  Just as the Physical Security staff is not qualified to be the sole designer of your data security controls, you would be foolish to let the IT Security staff work alone in designing your Physical Security controls.  The Technical and Physical Security experts need to work in concert.

The Physical Security group manages many security control systems independently of the IT folks.  In some cases, the security vendor’s out-of-the-box controls offer the only protection.  Many of these systems run over the network or Internet, or have remote dial-up accounts.  These systems can be extremely vulnerable to attack, but could be enhanced and better secured if only the IT Security experts assisted in their implementation and administration.

Regulatory controls also favor a combined security organization.  HIPAA and Sarbanes-Oxley both mandate the appropriate logical protection of data as well as adequate Physical Security controls.  The physical and logical protection of data will have far more success when coordinated from a single source.

A prime example of cost-effectiveness is the use of a shared access token for facility and network access.  Combining these technologies will result in reduced user-support costs, comprehensive audit trails of physical and data access, a single point of contact for activation and deactivation of accounts, and reduced system administration costs.   Of course, using shared access tokens has its risks, but the benefits far outweigh them.
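The comprehensive audit trail mentioned above is only useful if someone actually correlates the physical record with the logical one. The following Python script is an added example, not code from the article or from NYSTEC; the badge-reader and logon log formats, user names, door and workstation names are all constructed for illustration. It flags console logons recorded while the account's badge holder was not inside the building, and any use of a badge or account that has already been deactivated, which is the kind of check a combined security group can run but a split one rarely does.

```python
"""Correlate physical badge events with network logon events.

Added example, not from the article.  Log formats, user names, door and
workstation names below are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Constructed physical-access log: timestamp, badge holder, door, direction
BADGE_LOG = """\
2008-03-10T08:02:11 jdoe DOOR-LOBBY IN
2008-03-10T08:05:40 asmith DOOR-LOBBY IN
2008-03-10T12:30:02 jdoe DOOR-LOBBY OUT
2008-03-10T13:10:55 jdoe DOOR-LOBBY IN
2008-03-10T18:40:09 cjones DOOR-LOADING IN
"""

# Constructed network logon log: timestamp, account, workstation, source
LOGON_LOG = """\
2008-03-10T08:04:03 jdoe WS-0412 console
2008-03-10T08:09:17 asmith WS-0220 console
2008-03-10T09:15:00 bwong WS-0301 console
2008-03-10T12:45:30 jdoe WS-0412 console
2008-03-10T14:02:44 asmith VPN-GW remote
"""

# Constructed list of badges/accounts the combined group has deactivated
DEACTIVATED = {"cjones"}


def parse(log):
    """Parse whitespace-separated log lines into sorted (ts, user, where, detail) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, where, detail = line.split()
        events.append((datetime.fromisoformat(ts), user, where, detail))
    return sorted(events)


def presence_intervals(badge_events):
    """Build per-user (entered, left) intervals from IN/OUT swipes.

    A user who has not swiped OUT yet gets an open interval (end is None).
    """
    open_in = {}
    intervals = {}
    for ts, user, _door, direction in badge_events:
        if direction == "IN":
            open_in[user] = ts
        elif direction == "OUT" and user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), ts))
    for user, ts in open_in.items():
        intervals.setdefault(user, []).append((ts, None))
    return intervals


def find_unbadged_logons(badge_log, logon_log, grace=timedelta(minutes=5)):
    """Return console logons that occurred while the account's badge holder
    was not recorded inside the building.  `grace` tolerates clock skew
    between the badge system and the directory.  Remote logons are skipped
    because they need no physical presence."""
    intervals = presence_intervals(parse(badge_log))
    alerts = []
    for ts, user, host, source in parse(logon_log):
        if source != "console":
            continue
        inside = any(
            start - grace <= ts and (end is None or ts <= end + grace)
            for start, end in intervals.get(user, [])
        )
        if not inside:
            alerts.append((ts.isoformat(), user, host))
    return alerts


def find_deactivated_use(badge_log, logon_log, deactivated):
    """Return every physical or logical event by a deactivated badge/account.
    With one point of contact for deactivation, both records should be empty."""
    hits = []
    for ts, user, where, detail in parse(badge_log) + parse(logon_log):
        if user in deactivated:
            hits.append((ts.isoformat(), user, where, detail))
    return sorted(hits)


if __name__ == "__main__":
    for alert in find_unbadged_logons(BADGE_LOG, LOGON_LOG):
        print("logon without badge presence:", alert)
    for hit in find_deactivated_use(BADGE_LOG, LOGON_LOG, DEACTIVATED):
        print("deactivated credential used:", hit)
```

Two kinds of finding come out of the constructed data: a logon by an account with no badge record at all, and a logon by a user who had badged out and not yet returned; either may be a shared password, a borrowed workstation, or simply a badge reader that was propped open, but none of them is visible to a team that only holds one of the two logs. The `grace` window is the one tuning knob: set it from the measured clock drift between the two systems rather than guessing.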

In many organizations, responsibilities overlap between Physical and IT Security teams.  A combined security department can provide streamlined administration and reduced operating costs and capital expenditures.

We stand at a new crossroads where Physical Security and IT Security have converged.   In order to effectively protect both your people and your data, the time has come to merge forces.  Neither security discipline is more important than the other.  In today’s world, neither can function by itself.

Copyright © 2008 NYSTEC
