The convergence of physical security technology and information technology continues to impact security and IT departments, their personnel and their vendors. For the purposes of this article, physical security is defined as the protection of physical assets (people and material), and logical security is defined as the protection of electronic information assets. Historically, this distinction has made sense for a number of reasons.
Physical security existed long before electronic information came into existence, thus the practice of physical security was well established prior to the advent of computer data systems. When computer data systems appeared, they fell within the domain of computer engineering. There was limited access to computer systems because they were physically separate from the rest of the enterprise and few individuals in the organisation dealt with them. At that time, the protection of data systems was the subject of specialised engineering knowledge. Thus physical security - as a body of knowledge, a practice and a profession - grew up separately from logical security.
Cultural separation
There were also aspects of our culture that helped perpetuate the separation of the two security domains. Fewer than 20 years ago, a writer for Time magazine wrote of 'computer phobia', which was a common subject of discussion in business and personal circles. Those were days when bosses dictated or hand-wrote letters and secretaries typed them. Most businesses ran on data that was stored throughout the organisation in file cabinets and desk drawers. Centralised data functions were generally limited to accounting and payroll matters. Centralising data on paper was generally practical only for storage purposes. How could anyone access it? One person could read or carry only so many papers in a day. This situation posed low risks (compared to today) for data theft and destruction and a good physical security programme guarded against most data threats.
Business and cultural convergence
Several business and cultural landscapes have been changed by two occurrences:
* The advent of the personal computer and the continuing exponential growth of its computing power.
* The proliferation of widely networked computer systems and the Internet.
Today, elementary school students learn the basics of personal computing and access data from around the world via the Internet. High school students build websites and database systems and engage in electronic commerce. Today's computer disk drives let businesses store and work with volumes of data that exceed the size of the Library of Congress. Critical personal and corporate financial and banking information is just one element of the vast expanse of electronic databases.
Thus the attractiveness and accessibility of single data targets (data stored in one location) are significantly higher than was the case 10 or 12 years ago. Data worth tens of millions of dollars can fit onto a single CD and can be transferred out of the country of origin in a matter of minutes.
While security practitioners are certainly aware of the preceding historical facts, most security practitioners are steeped in the security domain in which they have been trained and employed: either physical or logical security. Thus we have to cross a gap that is both cultural and technological in order to properly protect the organisations we serve. Criminals have a head start on crossing that gap. We must catch up and pass them.
Connecting physical and logical security management
Where physical and logical security are defined and managed independently of each other, security holes exist that outsiders and insiders can exploit. Given that insider threats are the source of the most damaging attacks, it makes sense to eliminate the holes by eliminating the organisational disconnection between physical and logical security.
To understand where and how physical and logical security can be integrated, one should examine the similarities and differences between the two domains. Physical security and logical security are similar in more ways than we may first imagine, according to Kelly J 'KJ' Kuchta, CPP, CFE, who heads up Forensics Consulting Solutions LLC of Phoenix, AZ. The commonalities in physical and logical security functions indicate that a high-level strategy can be developed that applies to both domains.
Another point of physical-logical collaboration is physical protection for information systems infrastructure (computer and network equipment and their connections). If the data systems or networks are physically attacked, both physical and logical security personnel must respond. Having a separate physical security system for computer and network protection can leave the physical security responders in the dark. It makes sense to have a single, integrated security system (access control, alarm monitoring and CCTV) that can report alarms to both security groups. Logical security personnel can identify which data systems to monitor more closely. Physical security can be prepared to make an appropriate response. Both groups can use surveillance camera information.
Data exists in both domains
Data can exist in physical and electronic formats and can be converted between the various formats with no real loss of value. When in physical form - such as printed documents, computer screen displays, handwritten forms, photographs, or drawings - data requires physical protection. When in electronic form - stored in computer memory or disk storage, being sent over phone or network lines, or being transmitted to a cellular phone or other wireless device - data requires electronic protective measures. There is a third form - human memory and the person-to-person discussions that provide human data transfer - that is sufficiently independent from physical and electronic forms to require its own special protective measures. These are primarily procedural, contractual and educational in nature.
The life cycle of data
Tatum Partners is a US national service organisation of 400 former chief financial, chief information and chief technology officers of world-class organisations such as the CIA, Nabisco, Hilton, Disney and IBM. Joel Rakow, a Los Angeles Tatum partner, emphasises the importance of understanding the life cycle of data with regard to security.
Rakow has a client company that delivers its product to approximately 1 million customers who are consumers, not businesses. A customer typically pays between $20 and $30 a month for the product and service. When the customer relationship is created, it is consummated in a customer agreement. This agreement contains the terms of the relationship along with certain payment information that includes either a social security number, if payment is to be made by cheque, or credit card account number. The contract is delivered to one of the more than 50 branch offices by the field sales representatives and placed in the inbox, where all employees gather to collect their mail and other administrative items.
At the end of the day, someone will harvest the day's customer contracts and hold them in an office until they are sent to headquarters. About 1200 customer contracts are sent each week into HQ, where they are placed in a filing cabinet in an accounting office. A receivables clerk collects the contracts each day, if she is at work, and scans them for electronic storage on a desktop computer located in her office and at a remote site provided by a third-party vendor. The contracts are then shredded and disposed of completely.
Rakow explains: "Along the path from execution of the contract until shredding, without physical protection measures there would be many opportunities for unauthorised personnel to gain access to the personal financial information that is associated with each contract. We view this like leaving cash out in the open, but there are many companies that do not seem to view it that way."
One of the important differences between cash and data is that data can be stolen while leaving the original data in place. Without sufficient security measures - both physical and logical - data can be stolen without the data owner's knowledge.
"Do not underestimate the motivations for stealing such information," Rakow said. "The data on customer contracts has a black market value of about $2 for each personal financial identity. The criminal, of course, could sell this information over and over, via the Internet, since there is nothing to limit greed. One disturbing aspect of such theft is that when a company loses cash, the company suffers the actual loss, but when a company loses control of a customer's personal financial identity, that customer suffers the primary loss, and the company may or may not ever be held accountable."
Collaboration
Data is insecure unless it is protected in all the forms it takes during its life cycle. This usually requires close collaboration between the physical and logical security groups. Data systems can be configured so that restricted data can only be accessed from specific locations within company buildings. A combined physical-logical high-security strategy for restricted data would involve more than restricting logon access to the authorised users. It would include placing computers in special rooms where physical access control permits entry only to authorised users, and not allowing access to the data from any other computers. Using computers with no diskette or CD drives and eliminating printers from the room removes the means to take the data to another location. This security strategy can be taken further by implementing biometric physical access control to the room. Then the physical access control system can be integrated with the logical access control system so that unless a person has been granted physical access to the room based upon a biometric, that person's logon cannot be used to access data from that room.
This example illustrates an important point about integrating logical and physical security: When done correctly, the integration starts with strategies, policies and procedures. Integration of physical and logical security systems is done not for its own sake but in support of security policies and procedures. Significant security improvements can be made by integrating physical and logical security management without necessarily integrating physical and logical electronic security systems.
For instance, four points of potential integration for physical and logical security systems are:
* Authentication of users (ID verification).
* User provisioning (assigning and revoking access privileges).
* Access control (access to physical locations and data).
* Activity monitoring (identifying alarm conditions and suspicious behaviours).
Streamlining the management of the first two points can not only improve security but can also lower operating costs and improve productivity, providing a favourable near-term return on investment.
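The restricted-data room policy described under Collaboration can be expressed as a check that joins door-controller events to logon attempts. The sketch below is an added example, not code from the article or from any product it mentions; the terminal names, users, event format and the eight-hour staleness limit are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# All names and values below are constructed for illustration.
TERMINAL_ROOM = {"WS-VAULT-01": "vault", "WS-VAULT-02": "vault"}
MAX_PRESENCE = timedelta(hours=8)  # assumed policy: older entries are stale

def ts(text):
    return datetime.fromisoformat(text)

# Door-controller events: (time, user, room, direction, biometric_verified)
DOOR_EVENTS = [
    (ts("2024-03-04T08:00"), "dave", "vault", "in", True),    # never badges out
    (ts("2024-03-04T08:55"), "alice", "vault", "in", True),
    (ts("2024-03-04T09:10"), "bob", "vault", "in", False),    # card only, no biometric
    (ts("2024-03-04T12:00"), "alice", "vault", "out", False),
]

def occupants(events, room, at):
    """Users whose latest event for `room` up to `at` is a biometric entry."""
    inside = {}
    for when, user, ev_room, direction, bio_ok in sorted(events):
        if ev_room != room or when > at:
            continue
        if direction == "in" and bio_ok:
            inside[user] = when
        else:                      # exit, or entry without biometric proof
            inside.pop(user, None)
    return {u for u, when in inside.items() if at - when <= MAX_PRESENCE}

def authorize_logon(user, terminal, at, events=DOOR_EVENTS):
    """Return (allowed, reason) for a logon to restricted data."""
    room = TERMINAL_ROOM.get(terminal)
    if room is None:
        return False, "terminal is not in a restricted-data room"
    if user not in occupants(events, room, at):
        return False, "no current biometric entry to " + room
    return True, "ok"

def review(logons, events=DOOR_EVENTS):
    """Activity monitoring: list logon attempts the policy would refuse."""
    return [(u, t, at, authorize_logon(u, t, at, events)[1])
            for u, t, at in logons if not authorize_logon(u, t, at, events)[0]]
```

Running `review` over a day's logon records gives both security groups the same list of credential uses that had no matching biometric entry, which covers the access control and activity monitoring integration points with one rule.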
Integrated security management
Philip Mellinger is the CISO of First Data, a leader in electronic commerce and payment services with global headquarters in Denver. First Data serves approximately 3,5 million merchant locations, 1400 card issuers and millions of consumers. "You have to understand that physical and IT security do not stand on their own," Mellinger says. "Even together they do not stand as one. They must be integrated into the fabric of the business."
Adam Stanislaus, vice president of physical security at First Data, says, "I work closely with our CISO - we are pretty much connected at the hip. I am also the physical access info-sec officer, and I sit on the Information Security Group, which the CISO manages. I participate in the bi-weekly group conference calls, and we collaborate as needed on various security initiatives."
"Managing the process of developing rule sets that help the business units rather than hamper them was the big challenge," says Mellinger. "How do you react to events that have occurred if many aspects of your business are expected to operate in realtime? All the parts must move in unison - the parts that secure the enterprise, as well as the parts that generate revenue."
According to Mellinger, the first part of integrating physical and logical security is a discovery phase, with you or your vendor trying to learn about your own business. "Business is trying to absorb the promise that technology holds," he said, "but it does not start with products or technology; it starts with understanding how your business works."
Pilot projects reveal business impact
Stanislaus explains that pilot projects are one of the tools his company uses to determine the effectiveness of security measures and to gauge their impact on business operations. First Data is one of the first companies to implement the eTrust 20/20 product from Computer Associates. It collects and correlates security-related data from across the enterprise, analysing it and displaying it in an intuitive interface. First Data will be using the product to help quickly detect suspicious behaviours and identify perpetrators. "We first implemented eTrust 20/20 in a small site in New Jersey, a one-building shop," says Stanislaus. "In about a month the final test will be complete and we can plan a larger deployment."
Pilot projects allow evaluation of the impact that policy and procedures have on people, something that can be hard to identify fully in advance. "Without an approach in which management had considered all the human elements, it is hard to make technology work for you," says Mellinger.
Participation beyond security
Preparing for an integration project can require participation outside of the security groups. For example, consider the implementation of this security policy:
"All job classifications will have a defined set of basic physical and information systems access privileges, which will be assigned by HR, administered by IT and enforced by security."
This can require collaboration between security, IT, HR, legal and business managers. Do job classification descriptions need to be updated? Has policy been established regarding who should have access to what data? Are security background checks appropriate for some levels of data access? Policies will state who determines what and when; procedures will dictate how it is put into practice.
Vendor talk
When security vendors talk about integrating physical and logical security systems, they focus on their products. Sometimes they ignore the existence of the business rules upon which the integrations must be based. It is important to realise not only that new business rules may need to be developed, but that the hardest task may be implementing the organisational changes that are required to put them into effect. The business rules often impact the activities and responsibilities of personnel. Thus integrating technology solutions is not an out-of-the-box scenario, but requires significant effort. Customers must understand their own needs and objectives and communicate them clearly to vendors.
On the bright side, generally the greater the effort required to accomplish the security objectives, the greater the security improvement for the organisation.
Ray Bernard is board-certified as a physical security professional (PSP) by ASIS International. Ray is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. This article is based upon material in his upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS go to www.go-rbcs.com