Convergence Q&A

Physical security for computing systems is getting increasing attention, partly because computers and network connections have moved out of environmentally secure locations (such as central computer rooms and tightly locked equipment closets) and into less environmentally secure offices, vehicles and homes.

Furthermore, the value of information available at any point of communication, storage or presentation keeps increasing. The motivations to attack computing systems grow higher as the rewards for doing so increase. Several practitioners have written asking questions like this:

Q: IT is telling me that they want to collaborate about physical security for computer and network systems. They want to know what security event logs (access control?) we have that are relevant to IT. They want to know if our access management and intrusion alarm zones account for areas containing sensitive information. And they are asking to see our security strategies and policies. Where are these questions coming from? Is there some kind of reference or standard they are referring to?

A: Such questions are becoming more common. Most security managers responsible for facility security operations and technology think of convergence from the technology perspective, relating to placing physical security systems onto the network, and having to comply with IT policy and standards. The questions coming from IT are about strategy and tactics. There are a number of references that could inspire such questions.

Developing a Plan for Physical Protection of IT Systems

An outstanding book that I have mentioned at least once before is Physical Security for IT by Michael Erbschloe (usually priced around $60 - and you can "look inside" the book on Amazon.com). Erbschloe provides specific advice on identifying physical security needs of network, computing and communication systems. The book includes guidance on how to design and implement security plans to prevent the physical destruction of equipment, or tampering with computers, network equipment and telecommunications systems.

More importantly, it includes an explanation of the processes for establishing a physical IT security function, and contains illustrations of the major elements of a physical IT security plan. This is the way that an IT group would (and should) approach physical security, and so readers will benefit by learning about sound strategy and planning approaches that also apply outside of the protection of IT systems.

Understanding Computing Systems Attacks and Defenses

To put a touch of reality on the kinds of attacks that are shown in movies and on TV, and get in-depth insight into computing systems attacks and defenses, download and read this 17-page paper: "Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses 2008" available at: http://atsec.com/downloads/pdf/phy_sec_dev.pdf.

The paper describes known physical attacks, ranging from simple attacks that require little skill or resource, to complex attacks that require trained, technical people and considerable resources. High-tech protections are examined very specifically, while low-tech approaches are only referenced as they are more commonly known.

About 50 percent of the content concerns very sophisticated technical attacks that are of interest to designers of chips and the packaging of electronic devices. But all of the material is in very plain language, and easily readable without having any background in IT. The paper definitely provides food for thought about both high tech and low tech methods.

Policy and Procedure Convergence

Many physical protective devices - especially low-tech devices - do not have electronic reporting mechanisms. Tamper-evident devices, for example, require visual inspection to observe evidence of tamper. This means that policy and procedure are critical to deploying such devices.

This is a point of policy and procedural convergence. For example, what kind of audit practice should be implemented to ensure that breaches or attack attempts are not missed? If an employee discovers there has been physical tampering of a laptop, where could it have occurred - was it at an airport or other location on a traveler security watch-list? Who will take the report? Who will investigate? Should employee instructions regarding travel security be revised?

The answers all relate to the value of the material being protected (both to the organization and to the attacker), and the impact of a breach or loss of data or a device. In other words, an information risk analysis is required to inform electronic and procedural security planning.

Most security measure selections are basic business-sense. Once you know the asset to be protected, its value to the business, the impact of loss or exposure, its vulnerabilities and attractiveness, the level of general attacker interest and likelihood of specific attack, then the degree and type of protections that various security measures can provide are one decision factor, along with the costs. The decision is a basic business decision.