printer friendly version

Combine and standardise physical and IT security measures to minimise risk

Organisations incur significant overheads, as well as generate increased security risks, when employees misuse or abuse network resources.

Serious losses – of financial and competitive edge in particular – are incurred when intellectual property or sensitive information leaves the confines of the organisation or when computer fraud occurs.

“Users on the inside have access to business critical system resources, making the network susceptible to attacks and exploitation through the use of their privileged status,” says Karel Rode, solutions strategist at CA.

Up to and including the early nineties, an insider was defined as someone who had physical access to a computing facility – typically an employee or the system administrator. Physical security was deemed to be sufficient, as a security guard was able to identify individuals – a precaution that was enhanced by the ‘second factor’ authentication of a swipe card.

“This principle is no longer applicable and an insider is no longer referred to as an employee of the company, as this would give a contractor or temp similar privileges. Additionally, the user may connect via a remote access connection, removing physical access considerations,” Rode says.

“Someone who has achieved insider privileges, by gaining access to a computer, could pose a potential threat. This means that significant technical controls to protect against privilege abuse are needed. Without the proper security policies and governance, it is hard to accurately identify the level of threat and even harder to appropriately implement preventative controls,” he adds.

Reducing the risk

So what can companies do to reduce the risk of information loss, whilst providing staff with the required access to network facilities?

One possible solution would be to merge physical and IT security, says Rode.

Rode suggests that the most practical point of departure would be for companies to look closely at their user populations and determine where the most accurate store of active users exists within the company. This might be the current HR system for permanent staff and some other data store for contractors and temps.

He adds that companies must reconsider their current process for issuing corporate badges to employees. As companies expand in large campus environments, employees might need access to multiple buildings where each location has a different physical access control system. This is a situation that may not be under a company’s control if the company is a tenant and does not have input into the building access systems.

Rode suggests standardising staff security measures. This would make it possible for the company to limit staff access to areas and resources that pertain to their role. Companies could even limit access to certain times of the day. This approach would benefit companies that want to limit shift workers who only need to access selected zones at specified times. Taking things a step further, companies that run IP video surveillance, would be able to track, monitor and record any instances where a violation or failed repeated access has taken place.

“This leaves us with the logical access to systems, resources, applications, files and folders. The logical access scenario will succeed if companies have a data classification standard in place, which they can use within the rule definition process. This will ensure that only designated users with specific group membership or directory attributes can gain access to read, modify or delete files, or access application resources within their designated realm,” Rode concludes.

Share this article:

Further reading: