For many companies, IT security issues are top-of-mind.
Organizations are using multifactor authentication to ensure the end user is who they say they are. They implement tokenization to try to stop man-in-the-middle hijacking of sessions. Businesses encrypt data on the move and at rest, and use VPNs for all sessions outside of the firewall. Enterprises also use anti-malware systems such as antivirus and distributed denial-of-service attack throttling. All are relatively common approaches to securing the organization's data and its availability to the right users. Many organizations have all of this in place, so are they secure?
Unfortunately, a pure IT security approach can lead to a problem some organizations call a perception of security. It is all well and good to create a Fort Knox approach to IT security, but if physical security is more like a Swiss cheese, the business is not secure and intellectual property can still leak out all too easily. As an example, look at the politicians who carry a sheaf of papers that any press photographer in the vicinity can easily photograph.
An organization needs to create a risk profile that it can form a full security policy around. In many cases, accidental information leakage by employees or others working with the organization, such as consultants and contractors, causes security issues within an organization. At a technical level, this can be dealt with through the use of tools -- such as data loss prevention (DLP) and digital rights management -- that can also help head off some of the more malicious attempts to redirect information.
However, this still leaves the less technical areas of information security. Facilities need to work with the business in order to secure other possible sources of weak security that may be more under their control. Printers are one example: "pull printing" (using PIN codes or tokens to release a print job at a specific printer) can ensure that confidential papers are not left lying around or taken by the wrong person. Fax machines should be replaced with multifunction devices that feed into the standard IT environment using scan-to-fax technology so that DLP systems can be brought to bear on these as well.
Even at a telephony level, it should be possible to put in systems that record a proportion of calls -- provided both the employee and the caller are aware the conversation may be recorded. Call recording cannot be used for dynamically cutting off a call, but can at least act as a deterrent for malicious security breaches, and can also be used for training purposes to show how a simple call can put intellectual property at risk through a slip of the tongue. All of these require facilities and IT to work closely together, as technology is brought in to help ensure the overall corporate security policy is more easily enacted.
Organizations need to write into their contracts of employment what the physical security policies are, and what willful disregard of these policies means for the employee. For example, an organization should retain the right to search an employee and their bags at any time, and open any physical mail sent from within the organization to an external address. Upon leaving the organization, an employee must return all items containing corporate data and information; where that data is held on a device the employee owns through a bring-your-own-device system, it must be provably destroyed. Even at the extremes of securing intellectual property where (as yet) technology cannot be brought to bear, employees and partners need to understand that using knowledge that is in their heads against the business will result in possible sanctions right through to criminal proceedings where necessary.
At the data center level, having great technical security still leaves the problems of physical security. Facilities can provide better data center security through the use of anti-ram raid bollards or barriers and high-quality closed-circuit television (CCTV) to put off those wanting to break in. This should be backed up with no windows in the facility -- this makes breaking in harder, but also stops anyone just looking into the facility and makes it harder to use vibration detection to pick up voice or RF detection to pick up electrical signals. Electricity and Internet cables should be armored as well to prevent malicious physical denial-of-service attacks.
Multilevel security systems can then be applied for those who should have access to the facility: multifactor security on entry doors, maybe using biometrics and/or one-time passcodes, and tracking capabilities within the facility based on, for example, near-field communication or smart-card systems. Tracking of people via CCTV again helps to ensure "tailgating," where two people go through a door with a single security pass, is avoided. Physical cages within the data center operated by electronic locks can open only for those who are authorized to access specific machines -- and contract engineers brought in to carry out work can be given time-limited access to the physical systems.
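As an added illustration (not part of the original article), the sketch below shows how an electronic cage lock could apply deny-by-default, time-limited grants for contract engineers, and how badge reads could be reconciled with a people count per door opening to flag tailgating. The badge IDs, cage names, record fields and the people-count feed (for example from CCTV analytics) are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class Grant:
    badge: str
    cage: str
    not_before: Optional[datetime] = None  # None = no start limit (permanent staff)
    not_after: Optional[datetime] = None   # None = no expiry (permanent staff)

def cage_decision(grants, badge, cage, now):
    """Deny by default; allow only inside a matching grant's validity window."""
    reason = "no grant for this cage"
    for g in grants:
        if g.badge != badge or g.cage != cage:
            continue
        if g.not_before and now < g.not_before:
            reason = "grant not yet valid"
        elif g.not_after and now >= g.not_after:
            reason = "grant expired"
        else:
            return True, "ok"
    return False, reason

def tailgating_alerts(door_cycles):
    """Flag door openings where more people passed than badges were presented."""
    return [c["door"] + "@" + c["time"] for c in door_cycles
            if c["people_seen"] > len(c["badges"])]

# Constructed sample data: one staff grant, one contractor grant valid 09:00-17:00 UTC.
GRANTS = [
    Grant("staff-017", "cage-A"),
    Grant("contractor-204", "cage-B",
          datetime(2024, 5, 1, 9, 0, tzinfo=UTC),
          datetime(2024, 5, 1, 17, 0, tzinfo=UTC)),
]
# Constructed door events: badges read and people counted for each door opening.
DOOR_CYCLES = [
    {"door": "hall-1", "time": "09:02", "badges": ["staff-017"], "people_seen": 1},
    {"door": "hall-1", "time": "09:05", "badges": ["contractor-204"], "people_seen": 2},
]

if __name__ == "__main__":
    after_hours = datetime(2024, 5, 1, 18, 0, tzinfo=UTC)
    print(cage_decision(GRANTS, "contractor-204", "cage-B", after_hours))
    print(tailgating_alerts(DOOR_CYCLES))
```

Logging every denial together with its reason gives facilities and IT a shared audit trail for reviewing contractor visits.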
Total corporate security is not something that can be done through IT alone. This requires a mix of business-driven policy supported by physical and technical security operated in a seamless manner. To attain this, IT and facilities have to work more closely together -- or find themselves as the scapegoats when security is breached and the business demands to know why.
ABOUT THE AUTHOR: Clive Longbottom is co-founder and service director at Quocirca and has been an ITC industry analyst for more than 15 years. Trained as a chemical engineer, he worked on anticancer drugs, car catalysts and fuel cells before moving to IT. He has worked on many office automation projects, as well as Control of Substances Hazardous to Health, document management and knowledge management projects.