Physical and data security: Two sides of the same coin
In many, perhaps most, organizations, data security and physical security are handled by different parts of the company. This means that it's not uncommon for data security within an organization to be under the purview of the CIO or even the CFO, while physical security belongs to the facilities people who also manage the janitors and the HVAC system. In some organizations, physical security is outsourced. And in all too many cases, physical security is ignored.
"There's no point in having thorough lockdown and hard passwords and encryption on your servers if people can just walk in and take laptops," says Darren Wigfield, a senior cybersecurity engineer at Excentium. Wigfield is responsible for accrediting U.S. Department of Defense data centers to ensure they meet security requirements, including requirements for physical security.
When Wigfield looks at an organization's security, he looks at the whole picture, including how hard it is to hack into the computers, how hard it is to get passwords, and how well the machines themselves are protected from intrusion or theft.
"All everyone worries about now is the Internet," explains Shane MacDougall, CEO at Tactical Intelligence, an information security firm that tests vulnerability and penetration. But in reality, that's missing the biggest part of the security picture. "They're just as likely to get your data through the back door," he says. That would be the real back door, not the virtual one.
MacDougall says he routinely finds instances of poor physical security that can quickly lead to data security breaches. "When I've done penetration tests, I've found network jacks active in the lobby," he says. "Often they're not set to a guest VLAN. Or there's unprotected wireless."
Such breaches of physical security are still relatively common, MacDougall says. It's not uncommon to find wireless networks set up by employees who simply plugged an unprotected home Wi-Fi router into their office Ethernet jack. Other reports of lax physical security include stories of companies that have their servers in public areas that aren't monitored, or companies that prop open the doors to their data centers so employees don't have to swipe cards each time they enter. Once the intruder has access to your physical network, data security is unlikely to stand in anyone's way.
The weakest link
"The weak element in the system is the human being," says Tony Roman, president of Roman & Associates, a national security and investigations firm. He says that managing the human side of security is critical because it's people who do things like leaving doors open or abandoning their laptops in public areas.
Because physical security and data security need to support each other, you need systems that integrate humans into the security process. "It creates human redundancy through software management," Roman explains. "It ensures the human follows through, and it verifies that it was done."
To accomplish this, the security software in a data system needs to monitor more than just software intrusions. It must also monitor the physical environment and the actions of the operators or other users to ensure they follow through on physical and non-physical threats.
Step one is to find places where physical security is compromising data security. In many cases, security is compromised because the auditors don't look for physical threats. "It takes a corporate culture change," MacDougall says, adding that physical security can be a hard sell to management, which often sees it as a cost center that can best be managed by outsourced security guards. "When they do their risk assessment, they undervalue the data," he says. "What would its value be to competitors? Corporate espionage is booming. It's busier now than I've ever seen it before."
The key is treat security as an integrated process. "Someone has to look at the physical, policy, and technical [aspects]," Wigfield explains. "The same team looks at them in unison and makes sure they work together as new ways of hacking into a company are revealed." The same team should be responsible for addressing vulnerabilities with everything from operating system patches to door locks.
A great deal of both physical and data security involves training. Users need to be trained in everything from not opening suspicious files or inserting USB drives from unknown sources to having checklists at guard stations that are actually used. "You're asking for trouble if you don't have a full top-down approach to security," he says.
Of course performing a security audit that includes both data security and physical security is a complex task that requires a team approach. "You need to involve the IT manager and the security director, but also insurance risk management and legal. Every bad thing that happens to data is going to result in legal consequences," Roman says.
"This group drives the development of data and human security management software," he explains. "This is the software that integrates the human being into data and network security." Roman adds that while commercial products are available to help with this integration, all must be customized to provide proper support for the individual security needs of an organization.
Putting security into practice
The key to creating a complete security approach for an organization is to get management buy-in, and then assemble the team from the top down. This means that the critical people in the company are assembled into the security team. "I would start by establishing a change management board," Wigfield suggests. "Most companies of any size have a group for implementing improvements in workflow."
Wigfield says the change management board is the logical place to start working on a change as significant as a security overhaul. But several experts note that the security team needs to include representatives from several areas. These include information security and physical security personnel, as well as the CFO, the CIO, the risk management officer (if there is one), and the legal department.
It's also important to stop treating physical security as an afterthought. While it might be cheaper to hire an hourly security guard from a staffing agency, you probably won't get buy-in to the team from a temporary employee.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.