Physical and Network Security Merging?
MonMotha writes "CSO reports that physical and network security may be merging in an effort to eliminate redundant jobs, create a more secure security plan, and make security procedures more standardized across the company. This would seem to be a logical step forward as businesses become more and more dependent on their computers, and as the old adage goes, an attacker with physical access already has you owned."
I do network security for a living. I also know the physical security people in my company. We have completely orthogonal skill sets and cultures. Most (non-guard) physical security positions require knowledge of police work, evidence handling, physical monitoring equipment, etc. (Good) Network security requires advanced understanding of network theory, operating systems, programming, algorithms, network protocols, etc. It's not about watching an intrusion detection system all day. It's about influencing how programs and entire systems and networks are designed and operated, outthinking attackers, and so forth.
When someone comes into your server farm with a gun and says "Let me access the info I want or I'll blow your fucking heads off!" then you will understand that security is security.
Plus the best place to hack a network is from the inside. It's not a "mission impossible" to get yourself access to a computer at any major financial institution here in the States.
Data is an asset that needs to be protected both in the physical world where it is stored, and in the virtual world where it is accessed. The goal in each arena is the same; ignoring either is irresponsible. Thus the inevitability of these two departments combining.
The ASP I was working for last year was very forward thinking on this and ran both network and physical security as a single entity. Unfortunately, thinking ahead in security didn't translate to thinking ahead when creating a sustainable business model.
I think the idea was not that sysadmins don't know that physical security is important, but rather that they don't have direct control over the physical security of their systems sometimes.
If the local IT security guy/gal gets privileges on the physical security side, he/she can do a much better job of keeping the systems physically secure.
Contrary to the parent poster's rather foolish statements, physical security people who help assess (perform threat/risk assessments) and implement solutions in physical security can be quite sharp and quite technically savvy.
For example, in evaluating a server room for the RCMP, I saw a physical security guy assess things like smoke detectors, fire extinguishers, construction of the ceiling, construction of the floor and walls, construction of the doorjamb and the locks used, etc. And he had to know his stuff, as well as knowing the pertinent standards for good practice (and, in the case of government, the government standards for physical security). His prior job involved some assessments of some CSIS facilities (managing construction of same or something like that, IIRC).
It is a very different skillset, but it makes total sense to combine expertise in both into one entity if organizational security is a requirement (and when is it not?). Ideally, in such a group, people will be cross-trained and particular experts in network/computer and site/physical/emission security will be retained. In practice, some poor sysadmins may get stuck trying to ensure physical security as well - depends on who is implementing the rationalization.
I recall reading a security text which devoted about twenty pages to encryption, network security, etc. and about 200 pages to other organizational security processes (including audits, risk assessments, emergency response plans, etc.). If it costs me $100,000 to hack your network electronically or $5K to pay off a janitor, which do you think the bad guys will target?
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
On a serious note, consider the locations of all the hot network jacks at your employer. Are any of them in public locations that are empty at times, say conference rooms in common areas? How easy would it be for someone to go in, plug in a laptop, and start up a packet sniffer? There are aspects of your network that need physical consideration other than the server room.
Oh, give me a fucking break. Do you have numbers or statistics to prove this? Of course you don't, you're just karma whoring by trying to make Linux look more secure. Well, let me clue you into something, buddy: Linux survives a complete hard drive wipe as well as Windows or Mac. They couldn't care less what data is on the machine.
If the thief DOES care what is on the machine I truly believe they will either know how to hack into it or they will have someone they trust do it for them. The target will be specifically picked out (random dumb luck isn't a good way to run an operation like this) and a plan will be in place down to what to do with the data once they have it.
My problem with this is that physical security is not a sinecure for technological problems.
If this were *merely* to eliminate redundant management structures, it might be agreeable. But probably wouldn't be.
As a former IBM employee, I've had to deal with the management of firewalls by a separate security organization; the result was a minimum of six weeks to get a TCP port other than 80 opened, if it's permitted at all.
XML was invented by IBM employees as a means of routing around these people by tunneling operations on port 80, which these people would permit by virtue of it being port 80, without concern for the content of the traffic over that port.
Given encryption on storage media, both active and backup, and multiple site replication, physical security is more and more meaningless for information technology.
IMO, eventually corporate networks will not exist at all, *except* as VPNs.
At that point, "physical security" means sending armed guards out on business trips with every schmuck with a laptop, and posting them outside the homes and telecommuting centers of every remote worker.
Frankly, a merger in this area feels more like the physical security people trying to defend against their increasing irrelevance, in the same way that RIAA and MPAA are attempting to defend their increasing irrelevance.
-- Terry
Different skill sets, but the approaches are analogous (perimeters, critical resources, etc.)
Personally I think that it would be a great idea if people had at least some contact and cross-training.
One caveat though: this should not be about eliminating redundant jobs. Sure this means that you can operate more securely, but it really means you can buy better security for the same cost.
LedgerSMB: Open source Accounting/ERP
I don't think there will be a great loss of jobs, nor will guns be given to admins. More likely the management of both functions will be incorporated. I have consulted and managed security projects for my company and many clients. The one item you usually have to work on with them is that the physical security is as important as the data security.
Once you cross this hurdle, a good, well-rounded security expert can approach a building, office or room and address everything from the points of entry to the servers.
As an example, when approaching a server room I look at the entry mechanism on the door, the hinges and jamb. I look at the walls for material, thickness and accessibility. Is the ceiling accessible? Once inside I look at the physical access to the hardware, the fire prevention equipment, etc. Then we move on to the data security. I have hired people that are experts in each field and they train each other.
In the end you end up with a much more secure environment and the same workforce minus maybe one manager.
I think this was inevitable.