CONNECTICUT THE IT IN SECURITY GUARD The "IT" in Security Guard

The "IT" in Security Guard

By Sonny Discini
October 30, 2007

IT security experts work tirelessly to secure computing assets from attacks. Most of the experts you speak to will tell you tales of the politics, budget issues and vendor software problems they've run into. And if that isn't enough, it seems that shifts in technology, attack vectors and business models have conspired to quietly transfer a critical function from the back seat and squarely onto their laps: physical security.

Physical security has traditionally served as a separate and distinct function from IT security. Traditional physical security departments consisted of security guards, closed circuit TV operators, building engineers and so on. On the other side of the table you had your IT security people who handled "computer" security.

Isn't it time that these two security disciplines lived under the same roof?

The goal is the same -- protect organizational assets. As IT security professionals, we've always been taught that if you have physical access, you're "owned." This makes the physical security guys and all the things they do instrumental to the strategic and tactical organizational plan. So how does this apply to physical security?

Years ago, security cameras used analog feeds to a terminal. Closed circuit systems did not touch organizational networks so IT security workers had an out-of-sight, out-of-mind attitude toward this tool. Security checkpoints had manned stations where a guard would check your ID and validate any other credentials needed to gain access. It's pretty clear that physical security and computer security were separate entities and many times operated out of sync.

Then the inevitable happened.

Much like the old Reese's commercial, physical security got their peanut butter in our chocolate. Or is it the other way around? The point is that the two converged; yet due to organizational lag, the two groups still operate separately.

The first thing we noticed is that physical access to buildings was no longer gained by passing a guard or using a key. Organizations rolled out badge reader technologies. What many non-technical managers glossed over is the fact that the equipment that makes badge access work rides over the organizational network. Like any other organizational asset, the badge reader system now has to be treated like any other computing asset.

Taking things farther, closed circuit surveillance systems are being replaced with IP based DVR (digital video recorder) technologies that run stripped-down Windows XP operating systems (Windows XP Embedded). In addition to the superior video quality, versatility and the vast options for storage, these systems also reside on the corporate network. Why? The consoles and the cameras, not to mention the archiving servers, all reside and utilize the organizational network. Once again, IT security professionals now have to treat this physical security tool like any other device on the wire.

Lately, you're seeing other physical security tools riding the corporate network. HVAC systems responsible for data centers, egress/ingress management software, IP-based communication devices and so on are all within the realm of computer security now.

As if this isn't enough to consider, when you add these systems to the network, clearly they are going to have to be treated as core systems. An unintended side effect is that these systems will fall under various regulatory compliance initiatives because these systems need to touch a wide swath of the organizational network.

After considering all of these things, management should clearly see that physical security and computer security should not be separate entities, rather, two operational arms of an overall security group. After all, we rely on physical security to keep the bad guys out and they are now relying on us to properly secure the tools they use in that mission.