Levels of security

This issue's column follows up on January's topic, Security Layers, which describes an approach to relating security functions (prevent, deter, detect, delay, assess, respond and recover) to facility zones or areas. Below we go one step further to consider the various types of technology that could be applied in each area.

Q: What is multimodal security?

Multimodal means two or more modes or methods, which is a simple concept. If you send a package overseas, it can travel by truck, train, plane or ship to its destination, and that is multimodal transportation. The term "multimodal security," however, has actually been used in two ways. Sometimes it refers narrowly to a single device (a multimodal device); sometimes it means applying more than one security control or countermeasure at a single physical or logical point or zone of security (multimodal security design).

Multimodal Devices

The most common such usage is with regard to two or more means of identity authentication for access control purposes. An example is the plusID device by Privaris (privaris.com), which is a personal biometric token (it looks like a key fob) that emulates up to four smart cards or proximity cards (such as the HID Corporate 1000 card). Using this device, biometric access can be added to practically any access controlled door without changing the door's card reader. It can be an affordable way to add biometric access to executive suites, data centers and network equipment rooms, R&D areas and so on (space doesn't permit the description of the many other capabilities of plusID for both physical and logical security, which is why the Privaris Web site address is provided).

The plusID product is one example of how multimodal security can be applied in a single device. A card reader with a keypad and biometric scan is another example of a multimodal device.

While multimodal devices dominate Internet search results for "multimodal security," a highly important use of the term refers to the security strategy of applying of multiple security measures to an area or an access point. Multimodal security is an application of the defense in depth principle. This is also called levels of security or levels of protection. Although multiple levels of protection are sometimes referred to as "layers of security," it is more practical to save that term for the security being applied in physical or logical layers - like multiple rings or lines of protection - around a critical asset or along an access pathway, as described in January's column.

Layers and Levels

Multiple security measures can provide highly effective protective and response capabilities, and also provide redundancy so that if one level or layer of security fails or is bypassed, others are still in effect. For example, a highly confidential formula for a high-performance lubricant (or a research sample of it) could be safeguarded by the following security measures, providing multiple layers and levels of protection:

- A two-person safe access rule;
- A high-security electronic combination lock safe;
- Both in-safe and external logs of contents added or removed;
- Biometric access authentication;
- One-time use safe combinations;
- Two-person rule enforced by access control system;
- A safe room access log;
- Live video surveillance camera coverage;
- PIR motion detection;
- Video-based motion detection;
- Video recording;
- Motion-alert based observation by a monitoring security officer;
- Card reader access control for the room and the hall leading to the room;
- Security officer patrols;
- Strong background checks on the personnel who are given access to the area and to the safe itself, including the locksmith company personnel who install and service the safe;
- Firm policies governing the use of the safe and its access; and
- Periodic audits of safe access records.

Few areas or assets will require this many layers and levels of protection, but all critical assets should have an appropriate number of protection layers and levels established and documented.

A simple security project to assess the adequacy of security measures is to (a) identify the critical assets and pathways to them; (b) document the layers and levels of protection being applied to each; and (c) determine if improvements should be made. When considering improvements, the spectrum of security functions should be considered (prevent, deter, detect, delay, assess, respond and recover) from the perspective of improving the number and strength of security functions in play for critical assets and areas.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information, visit www.go-rbcs.com. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council.