|
Wayne Parslow, VP EMEA operations at Imprivata on how organisations can link their physical and IT security systems together
For data centre managers, protecting critical business information requires an understanding of two separate worlds – the physical protection of assets, and IT security. The realm of physical security can cover everything from locks and building access systems through to securing the physical servers and storage themselves. On the other hand, IT security concentrates on the data that the organisation is responsible for, and protecting that against unauthorised access.
However, the responsibility for these areas of security tends to be very separate. The facilities management team will hold the budget for the physical security of the organisation, while the IT team will be responsible for securing the computing assets that the business owns or uses. This approach can lead to gaps in the overall security profile of the organisation, and consequently affect the business’ ability to meet its requirements around information assurance and corporate governance.
To close these gaps, the organisation has to change its approach to security, and adopt a more joined-up strategy. This involves the physical and IT security teams working together, as well as a convergence of the technology systems that are in place.
Physical security and IP
Previously, the facilities team would solely be responsible for the physical security of the data centre building or buildings. This primarily focused on keeping unauthorised individuals outside the facility. While this external security planning is still a big part of their overall job role, the evolution of the technology that this team will use has seen a big expansion in what is covered by the physical security system. Internal security and ensuring that employees are allowed access to what they are authorised to get into has therefore developed as part of the physical security remit. Part of this is due to the movement of physical security technology onto the IP network: CCTV cameras, video and image storage and door access control systems have all migrated over to the IT network.
This has taken place due to the additional opportunities for innovation that IP provides, as well as the reduction in cost that has taken place. IP CCTV offers organisations better quality of images, while it is also easier to save pictures or direct them through to another location. Similarly, door access systems have moved over to IP as well – this provides an organisation with more flexibility and greater control over employee access to physical assets. Sensitive areas within buildings can now be restricted to those with the right access privileges.
This ability to restrict access to only those that are authorised to be within a certain location can also help organisations ensure that their IT systems remain secure. If a company’s sensitive information is held on particular servers and storage resources, these can be held within a room that is protected by a door access card system. Equally, the workstations within this location can be locked down, DVD or CD drives can be removed, or USB slots can be rendered inoperable, to make removal of data more difficult as well. Strong authentication and IT security
Alongside the physical security team’s efforts to make assets secure, the IT team has also had to evolve its approach to keeping data secure. Data centre security began with the standard perimeter security measures such as firewalls and anti-virus software, followed with intrusion detection systems to stop outsiders getting into the company’s IT infrastructure. After this development of the data centre’s external security, data centre security planning is now turning to deploying an internal security strategy.
This focus on internal security began with greater use of password policies to ensure that only the right user gets access to an application. However, as the number of applications that are password-protected goes up and the rate of changes are enforced, users end up forgetting their credentials and being locked out of systems. Secondly, passwords can be simple to guess, or for users to share with each other.
These developments have led to strong authentication becoming more popular with businesses that want to ensure their critical applications remain secure. Technology such as finger biometrics, smart cards or one-time-password tokens are proving popular with organisations that are covered by legislation such as the Payment Card Industry Data Security Standard (PCI DSS) or data protection guidelines. This additional layer of security not only improves the ability of organisations to prove that users are following the security policy that is in place, but it also makes life easier for the employees themselves.
Alongside this authentication and access management strategy, organisations can also deploy single sign-on, or SSO. SSO replaces the numerous passwords that a user may previously have had to remember with one overall network credential. The user has their password automatically entered into their applications on their behalf. Aside from the benefit that this offers to the user, it also provides the organisation with a full trail of all the access and authentication events. Bringing physical and IT security together
This parallel development of physical and IT security strategies from focusing on external issues through to covering both internal and external security has meant that security planning and policy has developed to bring these two disciplines together. This convergence of security is based on these two areas being able to share information between each other in a meaningful way. With the move of physical security devices onto the IP network, this is now possible.
By linking the data centre’s physical access systems into the identity management platform, the user’s location can also be used as a factor for whether they are allowed access to IT resources. As a user enters the building, they will swipe their smart card and enter their credentials into the building access system. After this, the user can then go up to a workstation and enter their IT network log-in. At this point, the authentication and access management system can query the physical access system to check that the user is within the building. If they have properly authenticated into the building, then the IT authentication platform will let them onto the network.
This converged approach to security means that there is a single policy in place. With this strategy, the organisation can prevent issues such as tailgating, where a user forgets to log himself into the physical access system, and instead enters behind a colleague. For the physical security team, this breaks their access policy but also means that the organisation cannot generate a list of who is within the building for health and safety purposes. That employee can also still gain access to IT resources. Using system-level convergence, the IT system can query the building access database to check that a user is listed as within the building; if he is not, then the user can be denied access until this has been rectified, or he can answer some challenge questions in order to be allowed entry.
Another benefit of this approach is that when a user leaves the organisation, their access privileges can be locked out. Typically, the physical security deprovisioning process tends to be a lot easier than the IT side of things, as taking away one badge is simple compared to the number of accounts that may exist in the network, or applications accessed via the Web. With a converged security approach, if a physical security account is closed then the user would not be able to enter any of their applications, even if they have a network or application log-in that is still “live”.
Taking a converged approach to security means that there is one single point of management within the organisation. While this approach makes creating and enforcing security policy easier, it may require changes in how the physical and IT security teams manage themselves. Traditionally these have been separate parts of the organisation, but there is now a greater need for them to share information and support security planning.
This change can make both physical and IT security professionals more effective in their respective roles. This overall strategy can offer far greater benefits to the organisation as a whole compared to an approach where these security efforts remain siloed. Using physical and IT security systems together can prove the saying true: the whole is greater than the sum of its parts.
|
