I had an interesting conversation with a colleague recently about the convergence of physical and information security. He had visited a vendor and had seen very impressive physical security. Yet somehow he found himself inside the facility without an appropriate visitor's badge.
When he asked why he had not been stopped for not having a badge, they said it was not their policy to stop visitors without badges. Instead, they would report them and watch them. This was seen as being more hospitable, without sacrificing security. In fact, my colleague had been reported three times that morning.
This story got me thinking about how we view information security in these times of terrorism, cybercrime, fraud and limited security budgets. There are a couple of key questions here. First, should we, or can we, engage in "hospitable" security? Second, what are the differences, conceptually at least, between physical and logical security? The second is easier to address.
Physically, many organizations have a fortress mentality. But if you get past the guns, dogs and doors and into a conference room, chances are you can plug your laptop into the network jack on the wall and join the organization's internal network, with no one checking who you are or what your machine is carrying.
Clearly, the fortress mentality does not extend to the logical protection of information assets. Can we, or indeed should we, extend the same courtesies to our online community that we might in the physical world? Perhaps, but we must be careful.
There are some simple things we can do to make a network infrastructure user-friendly yet secure. One option is to give that conference room a "dirty" internet connection: a guest segment that sits outside the organization's firewalls and perimeter networks, lets a visitor reach the internet, and cannot reach internal systems at all.
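As an added illustration, not part of the original column, here is what such a "dirty" conference-room connection looks like as an nftables ruleset on the gateway that joins the guest segment to the internet. It assumes the conference-room jacks are patched onto a guest VLAN that arrives at the gateway as interface vlan200, that wan0 faces the internet, and that the organization's internal systems live in the RFC 1918 private ranges; all three are assumptions made for the example, not facts about any organization in the column.

```nft
# Added example: guest ("dirty") segment isolated from the internal network.
# Assumed names: vlan200 = conference-room guest VLAN, wan0 = internet uplink.
table inet guest {
    # Assumed internal address space; adjust to the real internal prefixes.
    set corp_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    # Traffic transiting the gateway.
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to flows a guest already opened toward the internet.
        ct state established,related accept

        # Guests never initiate traffic to internal address space.
        iifname "vlan200" ip daddr @corp_nets counter drop

        # Guests may go out to the internet, and nowhere else.
        iifname "vlan200" oifname "wan0" accept
        iifname "vlan200" counter drop
    }

    # Traffic addressed to the gateway itself.
    chain input {
        type filter hook input priority 0; policy accept;

        ct state established,related accept

        # The gateway offers guests only DHCP and DNS; nothing else (no SSH,
        # no management interface) is reachable from the guest VLAN.
        iifname "vlan200" udp dport { 67, 53 } accept
        iifname "vlan200" tcp dport 53 accept
        iifname "vlan200" counter drop
    }
}
```

Load it with `nft -f` on the gateway. A visitor's laptop can obtain an address, resolve names and browse, and nothing more: any packet from the guest VLAN aimed at internal address space, at another internal interface, or at a service on the gateway beyond DHCP and DNS is counted and dropped, and the counters double as a quick check that the isolation actually holds. The ruleset is only half the job; the switch ports in the conference room must really be in the guest VLAN, or the "dirty" jack is just another door into the fortress.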
In one organization I know of, you can't connect to the network without your PC being scanned and reconfigured to a standard directory, file and desktop format. Any unapproved program is automatically uninstalled and the user reported for being out of compliance. As a result, users rarely turn their computers off and won't use laptops, because every power-up takes about 20 minutes. Leaving machines running around the clock to dodge the check is itself a workaround, and the control has taught users to look for more.
We need to be somewhere between the extremes of wide open and locked down tight. We should not let the times derail us from our primary objective: enabling the mission of the organization safely and, as much as possible, conveniently for our users. Convenience still counts. Without it, users look for bypasses, and an unmanaged bypass is a bigger problem than the inconvenience it was avoiding.