Proving policies work – easing audit and enforcement of physical and logical security
The term 'security policy' used to mean different things to different people. For the facilities management department, it covers physical access points and training staff to lock office doors and file cabinets before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing, with IT and physical security being managed together. Although they come from separate disciplines, what these two areas have in common is policy.
However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time. And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.
During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence. We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly. He agreed wholeheartedly. I added that in the case of 'tailgating,' someone who does not badge in to a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them. When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network. This approach does not impact correct user behavior and reinforces adherence to the company's policy. The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real world!
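The logon-time check described above, as an added example that is not code from the article or from any product: a constructed badge log is correlated with a logon request, and a user who has not badged into the premises and into the zone of the host is denied or challenged. The zone names, the "premises"/"datacenter" split, and the choice of deny versus challenge for non-strict zones are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"  # step-up questions before network access is granted
    DENY = "deny"


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    zone: str        # "premises" is the building entrance; other values are interior zones
    direction: str   # "in" or "out"
    at: datetime


def present_in_zone(events, user, zone, when):
    """True if the user's latest badge event for `zone` at or before `when` was an 'in'."""
    latest = None
    for e in events:
        if e.user == user and e.zone == zone and e.at <= when:
            if latest is None or e.at > latest.at:
                latest = e
    return latest is not None and latest.direction == "in"


def decide_logon(events, user, host_zone, when, strict_zones=frozenset({"datacenter"})):
    """Assumed policy: no premises badge-in -> deny; no badge-in for the host's zone
    -> deny in strict zones (e.g. a data center), otherwise challenge with questions."""
    if not present_in_zone(events, user, "premises", when):
        return Decision.DENY
    if host_zone != "premises" and not present_in_zone(events, user, host_zone, when):
        return Decision.DENY if host_zone in strict_zones else Decision.CHALLENGE
    return Decision.ALLOW


def ts(hour, minute):
    return datetime(2024, 3, 4, hour, minute)


# Constructed sample badge log for one morning (not real data).
BADGE_LOG = [
    BadgeEvent("alice", "premises", "in", ts(8, 0)),
    BadgeEvent("alice", "datacenter", "in", ts(8, 30)),
    BadgeEvent("alice", "datacenter", "out", ts(9, 0)),   # left the zone again
    BadgeEvent("bob", "premises", "in", ts(8, 5)),        # never badged into the datacenter
    BadgeEvent("carol", "lab", "in", ts(8, 10)),          # no premises badge-in at all
]
```

Calling `decide_logon(BADGE_LOG, "bob", "datacenter", ts(8, 40))` returns `Decision.DENY`, while the same request for the non-strict "lab" zone returns `Decision.CHALLENGE`.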
We continued to discuss how this investment in building access cards can be used as an authentication factor for gaining access to the IT system as well. By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers. As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely. Having an additional factor replace the standard password for access means that security is tighter overall, and unauthorized access is more difficult.
Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions. So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments. Ah-ha moment #2 for the pharma security executive.
In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy. A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.
What are your policy management concerns and challenges? How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?
-Chip LeBlanc, VP Business Development