While physical and IT security convergence has been more of a subtle shift than many experts predicted, high performing security groups understand that today's business environment requires an integrated approach to managing security.
Whether your perimeter consists of gates and guards or bits and bytes, its purpose is to act as the first line of defense against unwanted or unauthorized access. With trends such as teleworking, mergers and acquisitions, cloud computing and outsourcing blurring the lines of traditional physical and logical traditional borders, “moat-and-castle” models of perimeter security no longer apply. Security leaders are faced with the need to adapt and innovate perimeter security, which offers many opportunities to push the convergence envelope forward.
Since access control is one of the primary purposes of a perimeter, linking physical and logical access policies is a sensible place to start looking for opportunities to achieve convergence. Innovations in security management have been occurring organically on both the physical and logical sides, but to date, there is no “uber-dashboard” that provides a single, unified console.
One of the biggest challenges to managing access policies is the fact that they are highly dynamic. Managing change is by nature complex, and managing that complexity has been the bane of security managers who are tasked with balancing the day-to-day activities of security operations with the need to create a forward looking security strategy. On the IT side, it has become impossible to manage change without automation.
The good news is that as a whole, network security has evolved to where there are integrated consoles that can provide visibility into current access policies across network infrastructure and automate the change management processes for those devices. While there will never be a single silver bullet for security, it is worthwhile to take a deeper look at some recent innovations in network security to mine for opportunities to map a user's IT and physical access privileges.
Firewalls are still the primary component used to define a network's perimeter. With almost 100 percent penetration into business computing environments, firewalls have proven to be a stable, mature technology. However, when the first firewalls were introduced, few people foresaw that rule sets would become so large and complex, often containing hundreds of rules. On top of this, most organizations need more than one firewall to protect perimeters as well as sensitive internal network segments. Multiplying the exponential growth of the number of rules across numerous firewalls has caused day-to-day operations, change management and auditing to become a significant portion of the overall IT security budget.
As the complexity of network security infrastructure grows, organizations are employing more and more highly skilled administrators to manage routine operations. Rather than focusing their expertise on strategic goals, administrators spend most of their time on repetitive, manual tasks in an attempt to enforce corporate policies over dozens - or hundreds - of distributed infrastructure components.
So despite the increase in IT security budgets, and the resulting increase in human and technological resources, many companies are still not getting the level of security and regulatory compliance that they need. Firewalls cannot be a strategic part of a modern convergence strategy until security managers have this under control, and this challenge exists with other networking gear as well.
When it comes to firewall and network operations, it is important to understand the level of complexity that administrators are facing. A typical enterprise might have dozens, if not hundreds, of firewalls and network devices. Each device has its own set of policies - a complex set of rules defining the access privileges and restrictions for specific users and services. Given the variety of devices - different vendors, versions and administration tools - security policies are extremely difficult to implement. The ability to automate firewall configuration monitoring, auditing and change management offers significant time and cost savings.
From a risk management standpoint, because the implications of a firewall configuration error can be severe, it is important to analyze the impact of every change before it is implemented on the ground. Since it has to be done manually, risk analysis is performed rarely, if at all. While it is difficult to assign a value to the cost savings gained from avoiding a potential security breach, any firewall admin who has suffered downtime after a change window and had no clue what caused the outage can attest to how frustrating manual troubleshooting can be.
Next is compliance. Just to list one example, the Payment Card Industry Data Security Standard (PCI DSS) first came into effect in September 2006 to ensure that organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. Section 1 of the standard requires these organizations to “install and maintain a firewall configuration to protect cardholder data.”
While the PCI DSS standard has a section dedicated specifically to firewall policy audits, there are numerous compliance mandates that dictate the need to audit changes to IT infrastructure. As a result, change automation has become a priority. In addition to compliance, corporate governance initiatives demand a high level of transparency and accountability into the nature of any sort of rule or policy change. As a result, companies are developing ever-more detailed security requirements that need to be translated into firewall rules and implemented over numerous firewalls and infrastructure components.
More than any manual process, automating change management can ensure separation of duties and provide a reliable degree of accountability. By automating change management, routine tasks are completely automated, from end-user business requirements all the way to verification of configuration changes. Manual analysis and auditing operations can be reduced from days to a matter of hours. The resulting reduction in the time, cost and complexity of network security operations frees up security managers to focus on more strategic endeavors – such as convergence.
For example, if there are unique physical security issues related to a data center – one that for example, hosts mission-critical applications that require non-employees to have physical and logical access – understanding the logic behind IT access policies can aid in developing the proper converged, corporate security policy regarding third-party access to that particular data center. Once security lifecycle management solutions hook into systems such as Active Directory stores, the ability to start applying and managing converged access policies becomes a lot less far-fetched.
Or, if a company is going to open up its logical perimeter in order to work with an MSSP or cloud services provider, does it behoove the CSO to consider the impact on physical security? Would that require non-employees to have on-site access? Would it entail corporate assets such as servers or other IT gear to be moved and/or managed outside the physical confines of the enterprise?
Just as companies turn to managed security services providers (MSSPs) to manage IT Security, the same is happening with physical security. When tasks such as IP video surveillance or physical security information management (PSIM) are being outsourced to managed physical security services providers (MPSPs), this in turn has important IT security implications.
In teleworking scenarios, firewalls, and IPSec and/or SSL VPNs are essential for enabling employees to access mission critical resources from remote locations. But there are plenty of physical security issues to consider with teleworking as well, such as what other physical assets belonging to the company are being used at remote sites? How are they being protected? It is much easier for a disgruntled employee to take a USB stick and copy confidential data from their corporate laptop when it is at their home than when it is at an office under constant video surveillance. While a firewall policy couldn't prevent that last scenario, understanding who has access to what IT systems and services can only help physical security teams make better decisions.
If a company is acquired by or merges with another company, a refresh and alignment of firewall policies is absolutely critical. And keep in mind, firewalls are often used to create discrete internal segments within an existing network. The ability to create that kind of separation is important physical security teams also. For example, if the facilities team is tasked with moving several rooms of servers in one data center to another, that might not need to be moved if they could be cordoned off logically instead of physically.
All of these scenarios are opportunities for convergence that will create a common way of approaching perimeter security as it continues to evolve. As businesses embrace new technologies, business models, business partners and tools, their risk, compliance and security posture will shift.
Any CSO with an eye toward convergence should leverage these changes as a tool for creating a common ground between disparate security teams so that any cultural differences between physical and IT security people are, slowly and over time, replaced with a shared perspective.
