When Philadelphia law firm Post & Schell outgrew its office space, it sought a facility that would provide adequate physical and IT security for its 350 employees, assets and sensitive client data.
This job fell to Lou Mazzio, the firm's CTO.
"Hundreds of concerns were thrown on the table," Mazzio says. "Could the building provide 24/7 security guards? Do you need a passcode to use the elevators? How would the layout keep nonemployees from wandering into restricted work areas? How do you protect employees from disgruntled claimants? How do you apply the same protections to computer access? And how do you protect the data center and paper-based data from fire and water damage?"
Mazzio had never overseen both logical and physical security, so he asked the company's facilities manager to help him select a building and design an integrated security system. Today, in the three-floor downtown office space, physical and logical access is controlled with RSA Security's Smart Badges and a combination of SecurID Passage software, RSA SecurID Smart Cards and RSA ACE/Server rights management software. Employees use proximity card badges to access elevators, file rooms, conference rooms and work areas. The firm also uses the badges for two-factor authentication into the network's billing, storage, database and e-mail applications.The big challenge has always come from the introduction of new technology into an existing system.
CIODelaware State University
Crossover technologies like these are certainly pulling physical and logical security closer together. Video surveillance, badge readers and other building security systems will be increasingly integrated into IT systems over the next five years for greater information management efficiency, says Steve Hunt, a research director at Forrester Research. Regulatory compliance, risk assessments and investigations are driving this security cooperation.
But full convergence will never be a common business model, according to many analysts and IT professionals. Instead, Hunt says, the two disciplines will work closely on crossover projects.
"The physical guys wouldn't know how to configure a firewall to save their lives, and the IT guys aren't interested in guns and guards," Hunt says. "The physical guys will only need to know how to use these tools, while the IT guys will need to administer them. So, in essence, I see the IT guys supporting the physical security guys."
Unlike Post & Schell's Mazzio, Harrison O'Neill took a lead role in the construction of a new office suite for the executives of his company, a multinational engineering and construction firm.¹
O'Neill, the company's CSO, collaborated with his physical security and facilities management counterparts to design integrated systems that use smart cards to access executive suites and networked computers. Eventually, the company expanded its integrated security to other parts of its campus, but the management and operations structures remained separate.
While there's a definite need for physical and IT security to work cooperatively, O'Neill doesn't believe that the two disciplines will ever merge. One of his former companies tried convergence as it rolled out a key card system--to no avail.
"The physical security guys didn't want to give up control of the card system and didn't want it linked to the corporate networks," O'Neill says. "They couldn't get past potentially losing control of the applications."
It's a common story. Managers across all disciplines believe that giving up control means giving up budget, influence and resources. Even when there's a strong business case (ROI), physical security managers often resist integration with their IT security counterparts.
"I've lived on both sides; I've done physical security, and there's a reason to keep them separate--the cultures are incompatible but must be able to work together toward common corporate goals," O'Neill says.
One security executive who stepped up to the challenge--and, to a certain degree, failed--is Howard Schmidt, Microsoft's first CISO. In 2000, he was given control of both IT and physical security and the title of chief security officer. Schmidt was well-suited for the hybrid role, given his experience as a special agent in the U.S. Air Force and a police officer in Chandler, Ariz. Convergence made sense from a business perspective, too. "Until the merger, we had two investigative teams, and there was a lot of crossover," he recalls.
However, the decision to weight leadership on the side of IT (feeding through the CSO and up to the CIO) didn't go over well with the physical security team.
"I think the physical side saw us as a hostile takeover because the majority of new management came from the cyber side," says Schmidt, now CSO of eBay and chairman of the CSO Roundtable.
The two groups waged a turf war until Schmidt left to become vice-chairman of the President's Critical Infra-structure Protection Board and special advisor for cyber-security shortly after 9/11.Information technology is only a relatively recent entry into civilization, with less than one lifetime to develop its processes.
Chief Science OfficerHewlett-Packard
Despite his experience at Microsoft, Schmidt believes physical and IT security will ultimately be comanaged.
"More and more, you're going to see physical and IT security in the same bailiwick because, as a society, we're becoming more technically savvy," Schmidt says.
Where could physical and IT security ultimately merge? On the executive level. The CSO post would be responsible for strategic-level security oversight, with the two security disciplines cooperating yet remaining independent. But, even that high-level convergence is a long way off.
"We have a lot of cultural issues and barriers to overcome," O'Neill says. "There's no reason to race down that road."
The notion that IT leaders can assume the role of physical security is dangerous, says Stephen Squires.
"Physical security has been around since the dawn of man. We've had eons to develop risk assessment and protection processes," says Squires, chief science officer at Hewlett-Packard and one of the developers of ARPANET. "Information technology is only a relatively recent entry into civilization, with less than one lifetime to develop its processes."
That's why Charles Fletcher, CIO and assistant provost of technology at Delaware State University, turned to the campus police when looking for a way to stem PC thefts from campus classrooms and computer labs. In less than a year, the school lost $70,000 worth of PCs and monitors.
"The theft was blatant. A couple of computer labs were completely gutted," he says. "There was no way to control who was coming and going, nor could we tell who was there at the time of the thefts."
The Delaware State campus was already rigged with fiber optics and a Siemens HiPath 5000 server for videoconferencing. So, with another $700,000 worth of Siemens HiPath SIcurity smart cards and the HiPath Metadirectory, campus police issued 4,000 smart cards for physical access to the administration building and the university's six campus dormitories. The same cards also grant computer network access for faculty and students. A few cards even double as purchasing cards at the cafeteria, bookstore and local bus system.
"There were few integration challenges on the technology and network side of this project," Fletcher says. "The big challenge has been user-related issues that always come from the introduction of new technology into an existing system of mixed power users, skilled users and fear-filled users."
Smart cards are just one technology that can be used for physical and logical security. RFID cards, tokens, biometrics and password-based systems can be integrated to control access to buildings, rooms, filing cabinets, lockers, computers and data resources. Some integrated tracking systems, such as Computer Associates' 20/20, correlate physical and logical access data to monitor for unauthorized access, malicious activity and policy violations.
"Now, IT, facilities directors and executives must decide how much tracking of employees is appropriate and what the tracking data can be used for," Fletcher says.
Integrating these seemingly complementary technologies isn't easy. Electronic door locks and logical network credentials use similar architectures to identify, authenticate and authorize user access, but making them work in a holistic, monolithic infrastructure is expensive and administratively complex.
From a scalability perspective, integrating security controls in a small, single-site infrastructure isn't too challenging because security managers are in a position to be hands-on. But large, distributed enterprises have a much harder time deploying converged security solutions.
For example, some companies may be able to integrate physical and IT access control systems in their home offices, but not to remote offices because of cost and infrastructure changes.
"A lot of our buildings have disparate readers at the doors," says O'Neill. "We need something that works with the majority of the infrastructure instead of having to replace existing physical controls."
Despite the cultural and technical hurdles, a growing number of physical security directors are trooping back to college for their master's degrees in information technology, says Mike Higgins, who teaches incident response and business continuity at George Washington University. Regulations such as HIPAA, GLBA and Sarbanes-Oxley are the driving force behind this movement.
"Traditionally, compliance has been managed under the physical security realm. Now, companies are asking these folks to get educated in the IT realm to keep up with recent compliance issues," Higgins says. "We're seeing physical security folks from health services, pharmaceutical and financial services agencies coming here. We're even seeing physical security folks from the big consultancies--Pinkerton, Booze, Allen & Hamilton, SAIC and others."
Teaching physical security managers the basics of logical security isn't difficult; risk models for both disciplines are similar. The understanding of risk as it's broken down into network layers, application management, etc., is the challenge.
Likewise, infosecurity managers need to immerse themselves in the ways of physical security, says Phil Curran, manager of information security at Cooper Health System in Camden, N.J. When he started his job a year ago, HIPAA was just being implemented, and he was charged with physically securing the data center and all wiring closets at Cooper's 300-bed medical facility and 70 affiliate locations.
"My first week on the job, I got to know the director of facilities security. I asked him what he would do, and he steered me to the right manufacturers for the cameras, locks and fire suppression systems I would need," says Curran.
Ultimately, the business should dictate how close the two units become, says Jim Litchko, a security consultant and former chairman of the American Society of Industrial Security's Information Technology Security Council. All security initiatives--physical, logical or both--should be couched in business terms, he says.
"When I talk to clients about security, they clam up as if I were the IRS," Litchko says. "But when I ask questions like, 'What's your business?' 'What's your mission?' 'How are you organized?' and 'Who are your customers?' they talk like crazy."
The best way to support the business is to understand core competencies and put the best team together to accomplish the mission.
"Nothing should happen without some sort of business analysis and ROI," says O'Neill. "A company should run on good, solid business principles, and nothing will happen unless there's a good business reason for doing things."
¹Harrison O'Neill is a pseudomym. The person didn't want his name or company published.
About the author:
Deborah Radcliff ([email protected]) is a freelance technology journalist based in California.