Entering a physical facility should be just as secure as logging onto a PC.
Security professionals often find themselves hard-pressed to secure both physical and logical assets (as well as comply with stringent government mandates). So why are so many organizations behind the curve when it comes to managing physical and logical access?
There are dozens of excuses: “It’s too expensive.” “Securing electronic data is a greater concern.” “We wouldn’t even know where to start.” However, the reality is that a unified approach to physical and logical access actually saves money — not to mention time. While it’s true that cyberattacks are a mounting threat, physical/logical access control loopholes can be Achilles’ heels to sophisticated hackers who know how to exploit them.
High-assurance identity credentials allow organizations to manage access to secure areas and systems. Keep the following five tips in mind to ensure that your organization isn’t falling victim to common access control blunders.
- Converge!
Do not treat physical and logical access control separately. Both are about controlling access to a resource — they share the same security goal. Whether that resource is a sensitive room or a sensitive piece of data, access rules will be defined in the same manner. Similarly, the same identity information about the requestor should be required to evaluate access requests.
CISOs at many organizations struggle to justify the cost of high-assurance identity credentials for use in their IT systems. CSOs have struggled with the same cost-versus-benefit problem for high-assurance PACS capabilities, such as biometric readers.
Today, enterprises creating successful business cases look at physical and logical access as the same problem that can — and should — leverage the same solution. Convergence saves money and improves security, a rarity in this space.
- Guard Physical Assets Closely
Do not allow physical security to lag behind logical security. Criminals attack the weakest link, and at many organizations today, that is likely to be the front door — literally.
There have been many cases where data thefts occurred not online, but rather through lax physical security of the servers themselves. Remember Willie Sutton’s famous quote about why he robbed banks: “Because that’s where the money is.”
- Don’t Stop at Your Front Door
If you have embraced the benefits of identity federation for your Web portal or cloud applications, don’t stop at your front door. Identity federation is commonly accepted as the most effective way to gain assurance of the identity of persons external to your organization.
In other words, I accept my partner’s own corporate-issued credential for access into my applications. I receive the most up-to-date identity information about my partner and verification of their employment status, and I avoid having to provision and maintain credentials for these external users. The most mature identity federation organizations, though, still issue me a temporary badge when I show up in their building’s lobby, despite being able to accept my own corporate credentials at their Web site.
Visitors to your offices are there for a business purpose tied to whom they work for and in what role, so that relationship is critical to verify at the time access is requested. If the employment relationship no longer exists (e.g. they were fired), this would be critical to know before allowing access to the building. However, this vetting is rare, because it’s socially awkward and tedious to do manually. Interoperable credentials and a trust framework that backs them allow any organization to leverage their partners’ credentials for PACS and LACS simultaneously.
- PACS/LACS Convergence = Better Operational Intelligence
PACS/LACS convergence is about more than cost savings or increased assurance of identities; it is about better operational intelligence.
CISOs and CSOs have not traditionally talked to one another (often the case even when the same person holds both roles), given the silo-like nature of these areas. What opportunities are missed as a result? If a user logs in from home on their VPN while the same person has just badged in at the office, isn’t that a problem?
Even PACS talking to PACS in the same organization is unusual. What if a user badges into their home office in the morning and the branch office across the country an hour later? Attackers are looking for blind spots, and the “PACS/LACS barrier” represents tempting low-hanging fruit.
- Evaluate Options
Look to your industry or immediate customer base to determine whether others have already implemented converged PACS/LACS solutions with external partners in mind.
In the United States, the Federal Government’s PIV and PIV-I are the dominant high-assurance credentials intended to be used for both PACS and LACS. Everything from desktop login to email can already take advantage of PIV- or PIV-I-based credentials, and recently PACS vendors have released systems compatible with these credentials as well. Converged PACS/LACS solutions are now mainstream, and will be the focus of most major security conferences in 2010.
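The two blind spots raised under the operational-intelligence tip (a VPN login from home minutes after the same person badged in at the office, and badge reads at two distant sites an hour apart) are straightforward to detect once PACS and LACS events land in the same place. The following is an added example, not code from the article or from CertiPath; the event records, site names, minimum travel times and the two-hour conflict window are all constructed, hypothetical values.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): badge reads from the PACS
# and remote logins from the VPN concentrator. All timestamps are UTC, ISO 8601.
BADGE_EVENTS = [  # (user, site, badge-in time)
    ("alice", "HQ",     "2010-03-01T08:02:00"),
    ("alice", "BRANCH", "2010-03-01T09:05:00"),  # other coast, an hour later
    ("bob",   "HQ",     "2010-03-01T08:30:00"),
    ("carol", "HQ",     "2010-03-01T08:45:00"),
]
VPN_EVENTS = [  # (user, VPN login time); a VPN login implies the user is off-site
    ("bob",   "2010-03-01T08:35:00"),  # five minutes after badging in at HQ
    ("carol", "2010-03-01T19:00:00"),  # evening remote login, nothing to correlate
]

# Assumed minimum plausible travel time between site pairs (hypothetical values);
# pairs not listed fall back to one hour.
MIN_TRAVEL = {frozenset({"HQ", "BRANCH"}): timedelta(hours=5)}
# Assumed window after a badge-in during which a VPN login is suspicious.
# A real deployment would also clear presence on a badge-out event.
VPN_CONFLICT_WINDOW = timedelta(hours=2)

def _ts(s):
    return datetime.fromisoformat(s)

def impossible_travel(badges):
    """PACS-to-PACS correlation: same user at two sites faster than travel allows."""
    alerts, last_seen = [], {}
    for user, site, ts in sorted(badges, key=lambda e: e[2]):
        prev = last_seen.get(user)
        if prev and prev[0] != site:
            need = MIN_TRAVEL.get(frozenset({prev[0], site}), timedelta(hours=1))
            if _ts(ts) - _ts(prev[1]) < need:
                alerts.append((user, prev[0], site, ts))
        last_seen[user] = (site, ts)
    return alerts

def vpn_while_badged_in(badges, vpn):
    """PACS-to-LACS correlation: remote VPN login shortly after an on-site badge-in."""
    alerts = []
    for user, vts in vpn:
        for buser, site, bts in badges:
            if buser == user and timedelta(0) <= _ts(vts) - _ts(bts) <= VPN_CONFLICT_WINDOW:
                alerts.append((user, site, bts, vts))
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(BADGE_EVENTS):
        print("impossible travel:", a)
    for a in vpn_while_badged_in(BADGE_EVENTS, VPN_EVENTS):
        print("VPN login while badged in:", a)
```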
Jeff Nigriny is president of CertiPath.