Should an IT staff be concerned with a network's physical security?
How concerned should IT people be with the physical security of their networks? Fifty feet outside of an office building, for example, may be a manhole that contains all the fiber that connects you to the outside world. Should those kinds of considerations be part of my network security plan?
It's interesting that you ask this question. It's one that a consulting client asked me just a few days ago. The company's office building is located in a major metropolitan area, and it shares the space with numerous other tenants. Its offices are on one floor, and its data center is located several floors away. My client was concerned that an eavesdropper might be able to tap the fiber optic connection between the two floors.
My advice to them? Don't obsess about it. There are some cases where you should be concerned about the physical security of your network, but at some point you're either going to have to trust an outside provider or run a cable through a secure area. In the case of this particular client, the risk seemed acceptable.
In the scenario you describe, an outside manhole shouldn't be a great concern. Once the traffic leaves your private network and enters the public Internet (which is of course where it goes once it leaves your building), none of the sensitive data should be sent without using encryption. Proper data encryption mitigates the risk of interception. There's no difference between someone climbing down a manhole and tapping your external connection and an eavesdropping hacker that compromises an intermediate router somewhere on the Internet.
More information:Dan Sullivan reviews some of today's biggest physical security threats.
Integrating physical and logical security can bring many benefits to the enterprise, but a successful union isn't easy.
This was first published in December 2007