Physical Meets Logical
The locks on your organization’s doors will soon be talking to your servers. Physical and IT security convergence has been a slow-moving trend for several years, but tight budgets and a desire to strengthen data protection have thrust it into the spotlight.
Saving money is a primary driver, along with a need for stronger identification and authentication measures and centralized management of security. Without appropriate physical security, critical data protection just isn’t possible.
“Your workers need to understand that you can’t have effective data protection without effective physical protection,” says Denise Mellor, chief security officer of the California Franchise Tax Board. “If people can access your physical infrastructure without safeguards, your data is at risk regardless of other security.”
In other words, you will need to prepare your employees for this shift as you bring data and physical assets under a single security umbrella.
Combining physical and IT security measures not only makes critical data more secure, it also eases compliance by giving users fewer things to worry about. Instead of an ID card, a card key and a virtual private network token, for instance, many employees now carry just one smart card.
What’s more, integrated hardware and software obviates the need to buy separate security systems and hire different groups of staff to support them. Like the movement from the PBX to IP telephony, putting these services under IT reduces management overhead and increases control. This all combines for significant bottom-line impact.
The state efforts echo work on the federal level. Spurred by HSPD-12 (the Homeland Security Presidential Directive mandating common identification for all federal employees and contractors) and FIPS 201 (the federal standard for verifying personal identity), the federal government has made strong inroads in security convergence. As the effort trickles down to the state and municipal levels, collaboration becomes easier and smaller agencies don’t need to reinvent the wheel.
Avoiding Possible Pitfalls
Be wary of deploying integrated physical and data security solutions too quickly without considering potential “gotchas.”
One example: Locking down your Supervisory Control and Data Acquisition (SCADA) infrastructure — a complex web of systems that do everything from controlling valves that operate water flow to monitoring dams and running traffic lights. The shift from proprietary SCADA systems to those that rely on IP can open up new security risks.
“Convergence has leaped ahead of many SCADA manufacturers’ ability to cope,” says Mark Weatherford, executive officer of the California Office of Information Security and Privacy Protection. This technical leapfrogging brings both management bugs and security vulnerabilities, which could potentially aid a malcontent in closing off a sewer, turning off a fire prevention system or causing some other catastrophe.
Fortunately, it’s not an insurmountable problem. Although SCADA systems may have security vulnerabilities, proper implementation of standard IT authentication and perimeter defenses should offer adequate protection. “The key is getting in there early,” says Weatherford. “Too many of these systems get fully deployed before a security specialist is even involved.”
Converging systems can be a challenge, but the momentum behind convergence, and its security and management benefits, are too great to ignore. Ensuring success means doing the research, training staff and embracing emerging technologies.
Jim Shanks is executive vice president and former CIO of CDW.
Blended Security Strategy
Try these tips for combining physical and data security:
- Start with training. “Educate employees about the importance of converged security,” recommends Denise Mellor, chief security officer of the California Franchise Tax Board.
- Consider compliance. Investigate compliance guidelines and adapt the published security standards pertinent to your projects.
- Create best-use cases for a proposed system. Flesh out incompatibilities. For example, a smart card might be able to open a door at headquarters and also allow virtual private network access from a remote terminal. But is it smart enough to know that combining both of these technologies in a single session is a problem?
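The last tip describes a check the combined system should be able to make: a user cannot be badged in at headquarters and starting a remote VPN session at the same time. The following added example (not part of the original article) correlates constructed badge-reader and VPN log entries to flag exactly that conflict; the log formats, door names and user names are all assumptions.

```python
from datetime import datetime

# Constructed sample logs (not from any real system). Both sources use
# ISO-8601 timestamps from the same clock, which is what makes them joinable.
BADGE_LOG = [
    # (timestamp, user, door, direction)
    ("2024-03-04T09:02:10", "alice", "HQ-lobby", "in"),
    ("2024-03-04T09:05:44", "bob", "HQ-lobby", "in"),
    ("2024-03-04T12:01:00", "bob", "HQ-lobby", "out"),
    ("2024-03-04T09:20:00", "carol", "HQ-lobby", "in"),
]
VPN_LOG = [
    # (timestamp, user, source)  -- "remote" means outside the HQ network
    ("2024-03-04T09:10:03", "alice", "remote"),      # on site AND remote: conflict
    ("2024-03-04T13:30:00", "bob", "remote"),        # after badging out: fine
    ("2024-03-04T09:25:00", "carol", "hq-network"),  # VPN from inside: not remote
]


def _ts(value):
    return datetime.fromisoformat(value)


def on_site_intervals(badge_log):
    """Map each user to [(badge_in, badge_out), ...] intervals at HQ.
    A badge-in with no later badge-out is still open and ends at datetime.max."""
    intervals, opened = {}, {}
    for ts, user, _door, direction in sorted(badge_log):
        if direction == "in":
            opened[user] = _ts(ts)
        elif direction == "out" and user in opened:
            intervals.setdefault(user, []).append((opened.pop(user), _ts(ts)))
    for user, start in opened.items():  # still inside the building
        intervals.setdefault(user, []).append((start, datetime.max))
    return intervals


def conflicting_sessions(badge_log, vpn_log):
    """Return (user, vpn_timestamp) for every remote VPN login that begins
    while the same user is badged in at headquarters."""
    intervals = on_site_intervals(badge_log)
    hits = []
    for ts, user, source in vpn_log:
        if source != "remote":
            continue
        t = _ts(ts)
        if any(start <= t < end for start, end in intervals.get(user, [])):
            hits.append((user, ts))
    return hits


if __name__ == "__main__":
    for user, when in conflicting_sessions(BADGE_LOG, VPN_LOG):
        print(f"ALERT: {user} badged in at HQ but opened a remote VPN session at {when}")
```

In a real deployment the two feeds would come from the access-control system and the VPN concentrator; the check itself is only as good as the clock synchronisation and the badge-out discipline behind it.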