In-Depth
Eye on Security: Integrating Physical and Cyber Security
We explore the benefits of interconnecting physical and cyber security.
By John Carney, Senior Manager, Cisco Government Practice
[Editor's Note: ESJ is pleased to welcome John Carney as a regular contributor to Enterprise Strategies. John's Eye on Security column will help you keep abreast of security issues and arm you with the information you need to make the best security decisions for your enterprise.]
Today, the bridge between physical security (controlling physical access) and cyber or logical security (such as virus detection or the prevention of unauthorized network access) can be built. The departments managing the technology for these types of security are generally separate and, more often than not, do not collaborate with one another. With the proliferation of IP convergence on the network, this separation can dramatically impact both departments and compromise the safety and security of an organization.
Cyber security and physical security greatly depend on each other. Attackers who initially gain physical access to a computer can almost always use this access to further their malicious efforts. Any device that is connected to the network must be protected to ensure that it cannot be turned into an attack tool itself.
The lack of integration between physical and cyber security creates numerous challenges. First, no single system exists to confirm a person's identity because each functional security department controls its own identity database.
Second, the lack of integration increases the potential for theft. This scenario is created because of the lack of integration between physical access and network access. A stolen or lost access card can allow an individual to enter a building without restrictions, allowing that individual access to hardware in the building. Integrating physical access with network access creates a "bond" between the two previously separate systems, where a lost card is more likely to be reported because you can't tailgate into a building to do your job.
Third, best IT management practices may not be applied consistently across departments. Separate organizations typically create their own best practices, and best practices from a physical security perspective are typically not the same as those applied to a logical security perspective. Applying consistent best practices across departments helps to minimize the chance for missed policy implementation.
Finally, cyber security devices are not physically monitored to detect tampering or unauthorized access. The problem ultimately comes down to governance, making it a priority to create a single body for security policies, procedures, and deployments.
Interconnecting Physical and Cyber Security
The revolutionary convergence of voice/video/data has completely changed how we think of technology. "Voice" now refers to several audio sources such as crowd monitoring, a gunshot in a high-crime area, or noise detection in a building that is supposed to be vacant. "Video" now refers to video surveillance, traffic cameras, digital signage, and streaming videos. With the explosion of cloud services, access to data can be anywhere, any time, and from any device. Multiple heterogeneous devices (such as video-equipped smartphones and personal laptops) are connecting to the network. Social media also plays a role in reporting security incidents, thus requiring the analysis of all sorts of data within the organization.
Fortunately, physical and cyber security technologies have matured to the point that they can now be easily integrated. The convergence of the IP network and the migration to TCP/IP of legacy sensors and appliances such as cameras and building security systems has helped drive this transformation. Cameras are now IP-based, with card readers using the IP network instead of a proprietary network, and access lists, policies, and procedures are stored and generated by computers. Additionally, consider one of the most advanced security policies available, the Payment Card Industry (PCI) standard, which includes both physical and cyber security measures in its policy.
Protect Your Users by Securing Your Network
Protecting users involves a combination of physical and cyber security. Cyber security protects computers and data from unauthorized access. Physical security keeps people safe by allowing only authorized individuals into the building.
A compromised network allows access to business-critical data and to all security sensors, video cameras, and access controls. Unauthorized access to a single security sensor such as a video surveillance camera can be bothersome, but compromising the control of all sensors can be disastrous. Many technologies are available to secure the network against the wide variety of threats that exist.
One possible high-impact solution that has minimal impact on the human engineering side is to ensure that only trusted users access the network. One way to ensure this is to require a user to show badge to enter a building prior to accessing the network. The users do not have to significantly change their behavior or how they log in to the network. However, now there is a multi-factor authentication system: something you have (a security badge) and something you know (your ID and password). By interconnecting building access to network access, the security of the network and network resources increases.
Through the use of multi-factor authentication, gaining entrance to the building no longer guarantees access to the network for an unauthorized person taking advantage of an unattended computer. This also addresses the common issue of tailgating, where one person follows another into a building without swiping a badge across the reader. From a safety perspective, this can cause problems in an emergency situation, because the number and names of the people in the building are unknown.
Requiring a badge swipe introduces many security benefits, such as creating a log of who enters the building at what time and where they enter, eliminating tailgating (because the network cannot be accessed without users swiping their badges), creating more-secure logical policies based on physical location, and allowing for an appropriate roll call after exiting the building in an emergency.
In most implementations, the physical security team tracks access to the physical plant and the logical security team tracks access to the hardware they access. Combining the two means that no access is allowed to a machine if a user does not have the proper credentials to access the physical location. Having separate databases for these two functions creates an environment where an out-of-sync scenario could arise, allowing access to a machine without having credentials to the physical plant.
Combining cyber and physical identity management does create challenges, however, which is why the concept of a single governance body for security is vital. This governance body must determine who can make changes, what changes they are allowed to make, and when they can make them. Keeping identity data accurate must be a priority because all policies and procedures use this data to enforce enterprise security policies.
Conclusion
The integration of physical and cyber security domains improves asset security. When integrating the cyber and physical security domains, keep in mind what assets you are trying to protect where those assets are located, and how to best build a secure infrastructure around those assets.
Combining your cyber and physical security processes and infrastructures simplifies the manageability of the security infrastructure and increases the visibility of your resources, making it easier to detect and prevent security incidents and providing a platform to manage the response and recovery after an incident occurs.
By integrating physical and cyber security, you create operational efficiencies, reduce risks, improve risk management, streamline incident management when breaches occur, maximize your existing investment in security infrastructure, and reduce operational and management costs.
There are many more opportunities to integrate physical and cyber security. Once the search begins, you'll very likely see administrative redundancy as well as security opportunities that you can enhance by combining these two sets of technologies.
John Carney is a senior manager at Cisco Government Practice where he is responsible for the technical marketing for government and security solutions and architectures on the Public Sector team. He joined Cisco in January of 2007 and has served as the Industry Solution Architect on the health-care, financial services, and public sector verticals. With over 25 years experience as a technical architect in a service provider/large data center environment, John's strength lies in his unique ability to understand the business issues facing customers and how they relate to the components in a large computing environment with an emphasis on security and secure deployments, including identity management, role-based, access and data security. You can contact the author at johncarn@cisco.com.