Physical security is an applied science, unlike logical security. It is rarely the subject of research work. But though the physical security of an IT operation is often given less attention than logical security, it can be critical.
Information security is more than passwords and firewalls. That is, it also encompasses critical safeguards against unauthorized physical access. Just as with logical breaches, a physical breach can result in loss of data and system availability – ultimately leading to financial loss.
Securing the physical components of an enterprise can seem tantamount to envisioning a facility as a modern version of a fort. The valuable assets are inside the walls, and the people trying to get the valuable assets are outside. The difference is in the scope and evolution of the technology. Instead of a portcullis, there are access control systems. Instead of defensive ditches, there are perimeter surveillance systems.
Often, too, there are critical insider threats, including loss of data using portable storage devices, or theft
of equipment by insiders. Consider the former systems administrator for the Naval Research Laboratory who recently pleaded guilty to a federal charge stemming from the theft of nearly 19,000 pieces of computer and office equipment.
In a basic sense, the assets to protect include buildings and equipment, along with the often more valuable information and software contained within. These must be protected from theft, vandalism, natural disasters and accidents. Fundamentally, this translates to considerations of construction, preparedness and appropriate physical intrusion protection. Though all this should be thought through and designed into the amenities of a building, often it's only considered in retrospect.
One concept is to extend the reach of security systems. “Pushing out the perimeter is a way to extend the security organization's visibility of their physical world, before something intrudes into a closer proximity,” says John Frazzini, president of BRS Labs, a maker of behavioral recognition systems. “What you're talking about really is bringing information from a variety of different collection points into one place.”
What are the parameters of protection in a physical security program? It depends. The Pentagon has a different set of requirements from that of an office park. Data centers have varying restrictive requirements based on the nature of the data they store.
Increasingly, some of the technology used to provide physical security is connected to an organization's networks. Aside from the security problems, this can present a burden on existing systems. For example, one of the problems with video surveillance is the relative size of the files that have to be stored.
“More and more video is IP-based, and goes on the network,” says Mo Hess, global segment manager of security
for TAC, a manufacturer and integrator of physical security products. “The
files associated with video surveillance are data hogs. Many times, you would like to view a particular scene when an incident may have occurred, and
you have to be sure that it's stored
and available for viewing well after
Vendors often design physical security systems without considering their eventual connection to a company's network. And physical security products typically have long life cycles. Physical and logical security staffs, which are tasked with protecting enterprise assets, may see increasing overlaps.
All physical security methodologies seek to provide rational answers to the basic questions: “Who are you?” and “Why are you here?”
This can be verified with the classic means of identification – what you have, what you know and who you are. What you have is something a person has on them: a card or token. The problem is that these items can be stolen or lost. What you know could mean a password or a secret challenge/response answer. This can still be shared or otherwise discovered, and if written down, carries the risk of discovery. Who you are means the recognition of unique physical characteristics, generally classed as biometrics. These include identifying fingerprints, hand shapes, iris patterns and retina scans.
Virtually all biometrics systems are pattern recognition-based. They take a picture of a pattern, classify it, take another picture at access time and compare the two.
“Fingerprint readers are the kinds of devices that are most commonly used, mainly because the data is fairly clean,” says TAC's Hess. “But they're not always 100 percent accurate.”
A new entry to biometrics is a technology from Fujitsu – a vascular ID system that reads palm vein patterns.
“The veins in the palm are unique, and have a very data-rich, intricate pattern,” says Jerry Byrnes, manager of biometrics technology and strategic planning at Fujitsu Computer Products of America.
Using near infrared light, the system looks under the surface of the skin. When the light is shone on the palm, the refection of the vein pattern does not return – that is, everything but the vein information comes back. The system analyzes the unique pattern of these “shadows.” The image is very intricate and individual – even the left and right hand patterns are different.
Another system tied to physical security can be likened to loss-prevention systems at retail stores. For some organizations, the biggest fear is that someone might steal a computer – walk off with it, and take data off of it at their leisure. One way around this is to put an RFID tag on the computer, so that anyone exiting the facility will alarm the guards – much like the store alarms at many major retailers.
“I know of facilities where, if a computer is transported past a certain point, the doors are locked and armed guards are summoned,” Hess says.
This approach works due to the growing sophistication and use of RFID tags.
“I think the use of RFID tags will grow and be tied in with video surveillance systems, so that if a computer leaves a location without authorization, there will also be a video trail to see who took it,” Hess adds.
The same approach could work for data tapes that are removed for off-site storage. For example, Time Warner, which lost data on 600,000 employees stored on 40 backup tapes during transit to an offsite location some time ago, could have benefitted from this tactic. The tapes contained the names and Social Security details of its employees dating back to 1986.
There also are systems that can analyze actions taking place in a particular location and alert if something that should not happen does. For instance, if a person walks in and picks up something that should not be moved, and then walks out with it, the system can issue an alert in real time. Recognizing anomalous activity is key, and monitoring unusual behavior patterns of people helps.
“Most bank robbers exhibit an unusual behavior when they enter a bank,” TAC's Hess pointed out. “Typically they enter, look left, then right, then proceed to the teller line. A regular customer generally will not do that. They will just enter and without pausing proceed to the shortest line. That kind of behavior can be readily identified and alert security that a potential problem may exist, and that a particular person should be watched,” he said.
Video analytics can increase the value of the data that is being accumulated, says Frazzini. The weakest link after all is the person – there is so much data to monitor that it's easy to become distracted. With analytic systems in place, rather than having four people watching multiple video systems, you may only need one. That one person would only have to look at exceptions, not everything, he says.
Also, after the fact, a video analytics system can scan through information a lot faster that a human. Rather than have a person watch a week's worth of data, an analytics system can do it in a matter of hours or minutes. It's a more effective use of the data one already has, he adds.
Lacking physical security, an organization may spend a good deal of money on logical protection, and then suffer a loss of data through a physical intrusion, says Frazzini. Unfortunately, there is probably no silver bullet that will fix all security problems, and that may be an unrealistic expectation – security will always be about people, even though technology can help cope with the problem.