Time to marry network and physical security

Your network security is only as effective as your physical security. After all, security is security is security…
Written by Will Sturgeon, Contributor
Businesses must realise the importance of marrying physical and digital security in the workplace, according to attendees at a recent Infosecurity show in London, U.K.

A 'these four walls' approach to security among IT managers and HR managers alike now represents one of the greatest threats to a company's network, and only by accepting that security is a single issue – rather than breaking it down in terms of digital and physical security – will businesses start to combat the threats.

IT managers are being advised to ditch traditional notions of 'the perimeter' and those in charge of premises security are likewise being encouraged to understand that their responsibility doesn't stop once a trusted person enters the building.

The threat of accidental or deliberate data theft hangs over companies and while many may think they have robust perimeter security protecting their IT – and similar security protecting their premises – there are too many glaring holes where the two should seamlessly blend.

According to Simon Perry, divisional vice president of security strategy at Computer Associates, who cited figures from computer forensics experts Pinkerton, 70 per cent of data theft from a company is physical theft – from laptops and hard drives to CDs or increasingly higher capacity mini-storage units.

And while it perhaps sounds obvious, companies need to realise that all the firewalls in the world won't stop somebody unplugging a laptop and walking out of the building.

Furthermore, increased mobility and flexible working mean taking such equipment off site is far from unusual – but companies need to cross-reference network behaviour and physical behaviour to spot anomalies that could be a sign of wrongdoing.

While the vast majority of employees may genuinely have the best interests of the company at heart, history has taught us that it only takes one bad apple to upset the whole cart.

According to Perry, part of the problem is far more basic than the high-tech solutions would have us believe.

"People too often go unchallenged. If people see somebody who they don't recognise accessing a PC in the office, many fail to challenge that person – assuming if they are there, then they must have a right to."

While human intervention can go some way towards resolving such issues, there are far more high-tech means of limiting access to buildings and systems, which make it harder for somebody to trespass on both through the theft – or acquisition – of a swipe card and log-in details (a recent survey revealed 70 per cent of users would swap such things for a chocolate bar).

Specifically we are talking about biometrics and smartcards that contain biometric data.

CA's Perry said: "Biometrics is the only form of identification which positively identifies the user as being the person they say they are."

You can have somebody's swipe card and log-in but without their fingerprint or iris you're not going to get far.

From the point at which an employee enters the building, there is therefore a digital record of their presence within the office (verified as being them - rather than somebody with their card), which along with digital records of their presence on a network will give a far better overview of employee behaviour and enable far quicker detection of potential problems.
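The cross-referencing of physical and network records described above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the log formats, usernames and workstation names are constructed assumptions. It flags on-premises workstation logons made while the door system shows the user as outside the building.

```python
from datetime import datetime

# Constructed sample records (not from the article): door-controller badge
# events and on-premises workstation logons, each as (timestamp, user, detail).
BADGE_EVENTS = [
    ("2024-03-04 08:55", "alice", "in"),
    ("2024-03-04 12:30", "alice", "out"),
    ("2024-03-04 09:10", "bob", "in"),
    ("2024-03-04 17:45", "bob", "out"),
]
LOGON_EVENTS = [
    ("2024-03-04 09:02", "alice", "WS-014"),   # alice is in the building
    ("2024-03-04 14:15", "alice", "WS-014"),   # alice badged out at 12:30
    ("2024-03-04 09:30", "bob", "WS-022"),     # bob is in the building
    ("2024-03-04 10:05", "carol", "WS-031"),   # carol never badged in
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def presence_intervals(badge_events):
    """Build per-user (entered, left) intervals from badge in/out events."""
    intervals, open_entry = {}, {}
    for when, user, direction in sorted(badge_events, key=lambda e: _ts(e[0])):
        if direction == "in":
            open_entry.setdefault(user, _ts(when))  # ignore a repeated "in"
        elif direction == "out" and user in open_entry:
            intervals.setdefault(user, []).append((open_entry.pop(user), _ts(when)))
    # A user who entered and has not left yet is present with no end time.
    for user, entered in open_entry.items():
        intervals.setdefault(user, []).append((entered, None))
    return intervals

def logons_without_presence(badge_events, logon_events):
    """Return local logons made while the badge system says the user is absent."""
    intervals = presence_intervals(badge_events)
    anomalies = []
    for when, user, workstation in logon_events:
        t = _ts(when)
        present = any(start <= t and (end is None or t <= end)
                      for start, end in intervals.get(user, []))
        if not present:
            anomalies.append((when, user, workstation))
    return anomalies

if __name__ == "__main__":
    for when, user, workstation in logons_without_presence(BADGE_EVENTS, LOGON_EVENTS):
        print(f"{when} {user} logged on at {workstation} with no badge entry on record")
```

A flagged logon is a lead for review rather than proof of wrongdoing: tailgating through a held door or a missed badge-out produces the same mismatch as a borrowed password.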

Carl Gohringer, head of product development for NEC security solutions U.K., who is working closely on biometric technology for the U.K. passport office and large corporates, said: "What is the point of securing your infrastructure if you can't positively identify who is using that infrastructure?"

Gohringer extols the virtues of biometrics and smart-card technology in terms of ensuring employees' identities are verified at every stage of the process – from entering the building to logging on to their computer and accessing the network.

This is where the marriage between physical and digital security is most commonly needed.

The message is simple: IT security doesn't begin and end when a user logs on or logs off from their PC – nor does it end even when they leave the building. Similarly physical security is not just there to 'count them in and count them back out again'.
