How Integrated are Your Physical and Technical Controls?

It’s often forgotten there are three types of security controls.  Administrative controls in terms of policies are easy to remember, since this is usually first on an auditors list of requested artifacts.  IT staff is typically all over technical controls, at least to the limits imposed by budgetary constraints.  However, physical security, that legacy security control which has existed since the time of the first burglar, is often left on its own.  The steps needed to mesh physical, administrative, and technical controls are often not included in information security strategies.

A prime example of how this becomes a problem surfaced recently during the Los Alamos computer theft. 

The problem was that the theft was treated as a property management issue rather than a cyber security incident. And that was just the tip of the iceberg. “LANS has reported that 13 computers have been stolen or lost in the past 12 months, and that 67 computers are currently ‘missing.’ The magnitude of exposure and risk to the laboratory is at best unclear as little data on these losses has been collected or pursued given their treatment as property management issues as well.”

Source: Physical Security and cybersecurity go hand in hand, William Jackson, Government Computer News, 17 February 2009

The private sector has its problems too, as I explored in Anatomy of a physical security breach.  In this case, equipment was stolen from a data center while security guards were on duty.  However, it appeared there was a lack of overlapping preventive, detective, and response controls as well as weak guard policies.

The most insidious physical security breaches, however, are those which go unnoticed.  In many cases, technical controls are so strong only physical access to a device will provide an attacker with access to sensitive information.  Keeping an attacker far away from servers or end-user devices is a key element in any security program.  Otherwise, information can be removed from where it’s processed or stored and carried from the building in a number of ways, all very difficult to detect.

It isn’t that information security managers don’t understand these things.  Rather, organizations fail to understand the close relationship between physical, technical, and administrative controls.  In many cases, physical and information security efforts are managed by different directors, in two different chains of command, with different assigned priorities. 

For example, a security vendor was recently asked to perform a penetration test of a major corporation.  However, the IS director requested that the effectiveness of entry control at the corporate headquarters building not be checked.  Neither the IS director nor the IS security manager had any control over building security.  Further, there were issues in the relationship between building management and IS, so the IS director was hesitant to cause further tension.

During the penetration test, however, two consultants “inadvertently” walked past the security desk without being challenged, gained entry to the data center, and sat there for about 15 minutes before an engineer happened by and asked who they were.  This demonstrated a clear lack of physical security enforcement, but it was never reported to building services nor included in the test report.

Most security managers don’t have the clout to force collaboration with facility security.  However, there is a clear need to do so.  I guess all we can do is continue to tell the story to executive management and hope they eventually see the value in treating physical and technical security as two sides of the same proverbial coin.