13 December 2007

The Convergence of Physical and IT Security


I've been thinking extensively about the on-going convergence of Physical and IT Security, especially within a corporate context. Many companies with whom I deal have a Security Manager of some type, who usually reports to the Chief Information Officer -- or just an IT Manager, who in turn reports to the Chief Financial Officer. Unfortunately, the corporate environment in Central Europe is still rather under-developed, as there are few organizations which recognize the role of Chief Security Officer (CSO) -- so that very few people with responsibility for compliance, corporate governance and security performance monitoring are at a C-level reporting grade.

Conversely, the importance of physical security is quite well understood, although often not well-implemented. In Austria, physical security is usually just a function of the Building/Object Management group, and is staffed by people who understand about locks, keys and door systems -- but not necessarily about principles of least privilege, and four-eyes oversight.

In my opinion, the international trend is towards a rapid convergence of both types of security, especially in terms of applying similar standards, methodologies and 24x7 operational monitoring. A recent customer of my company has done good work in implementing centralized monitoring of dozens of distributed locations, collecting a diverse range of output from devices such as alarm controllers, fire suppression and monitoring equipment, door access controllers, UPS (Power Supply) controllers, and even Camera Digital Video Recorders.

By centralizing all of this information in one command and control centre, the company is better able to respond to problems, and encourages early detection of potential crisis situations. As a secondary goal, convergence can allow for cost reduction, by having a single 24x7 threat response monitoring centre, who can be charged with both IT Security and Physical Security monitoring. After all, the computer doesn't care whether the intruder is detected in a LAN, or in the warehouse at 3 a.m. -- the incident response action and escalation paths will be much the same (although different personnel may be involved.)

But collecting information centrally isn't enough. You also need correlation, which means a clear understanding of the process workflow behind the security events -- and this starts with a detailed Risk Assessment, to identify the threats and their signatures. For example, security cameras act as a deterrent, and can be useful in post-incident forensics, to help identify perpetrators. But properly used, they can also detect intrusions, to trigger incident response much earlier. Naturally, cameras can be defeated -- for example, it's possible to adapt a DVD-recorder laser diode into a battery-operated laser pointer which can permanently blind most off-the-shelf security cameras (and incidentally, this can be used as a non-lethal weapon against unprotected security personnel, as it can cause instant blindness too.)

Therefore, the vigilant security manager has to prepare for such scenarios, through regular posture assessment and tiger-team testing, as well as drills and security-related staff training. Appropriate counter-measures need to be selected, and then constantly reviewed and improved. Ultimately, security is a demanding and continuously-changing battleground of strike and counter-strike, where we must always assume that the attacker is smarter, better-funded and more highly motivated than ourselves. We can only wait, prepare, be vigilant, and constantly assess our readiness -- and challenge our imaginations to anticipate the next moves.

No comments: