The Convergence of Physical and IT Security

July 31, 2006

The Convergence of Physical and IT Security

By Fran Howarth, Partner

In today’s world, technology is playing an ever-increasing role—at work, at home and as we move around. Yet the world has also become a more dangerous place and most technologies that we use today were developed at a time when security was not such a burning issue. IT systems are increasingly being attacked—and not in the way they used to be, by hackers concerned most with gaining the respect of their peers for their exploits, but by criminals intent on financial gain.

In addition to this, the heightened security threats that we face today—especially given the high levels of international terrorism that we face—affect huge parts of our lives. In recent years, public buildings, hotels, embassies and transport links have all been targeted by terrorists. And huge parts of our critical national infrastructures, including power, water and food supply, transport links and facilities, government and commercial facilities remain vulnerable, not just to terrorist attacks, but also to theft, sabotage and environmental disasters.

Governments around the world are promoting efforts to develop technologies that can provide enhanced prevention, protection, response and alert capabilities for improving the dependability and resilience of security control mechanisms applied to these infrastructures. Private companies are also looking to invest in physical security enhancements—both of their own private facilities, as well as the fact that much public infrastructure is owned and operated by the private sector.

As a result of this and through innovations being made by technology vendors, technologies are emerging that overlap physical and IT security. Most of this overlap is coming from the application of Internet protocol technologies to traditional technologies, ranging from perimeter controls, to surveillance and tracking technologies, access management and integrated communications systems.

This convergence is occurring as companies take a more holistic view of risk management in their organisations. They are realising that the security of their organisations is only as good as the weakest link. For example, identity management technologies form a key part of many firms’ security strategies, allowing companies to make their employees accountable for their actions by tying their identity to every electronic transaction that they perform. But, physical assets have ‘identities’ as well—it is critical to know what device is being used to connect to the corporate network and to ensure that only machines with the required security settings are authorised to view sensitive corporate information and applications. And logical network access should ideally be tied in with physical access control systems to provide integrated personnel surety, document authentication and access authorisation.

In thinking about physical security controls, there are really four areas to consider: the architecture of the facility, including perimeter boundaries and doors; security operations, including security policies, procedures and incident response guidelines; personnel, including monitoring and access control; and electronic devices, including sensors, turnstiles, surveillance systems and strong authentication technologies.

By applying Internet protocol technologies to these physical assets, companies can develop real-time decision support systems that can perform data collection, integration, analysis and visualisation of the security status of all assets in a corporate network. The ultimate goal is the ability to automatically perform surveillance of all assets contained in a network, including the use of sensors and other automation technology to monitor the status of physical assets. For example, a biotechnology firm could place Internet protocol based sensors on equipment such as fridges and freezers to ensure that a constant temperature is maintained. At a more advanced level, such networks would acquire self-healing capabilities so that problems can be remedied without the need for human intervention. Plus, the use of automated notification systems for networks can enable alerts to be raised for problems that require further actions to be taken, and an audit trail is generated that can help companies prove the security of their networks.

The convergence of IT and physical security is a phenomenon that is slowly emerging. One of the key reasons why growth is slow is that IT and physical security are handled by separate teams in most companies, often with different reporting structures and budgets. Only recently have firms began to see the advantages in terms of cost and completeness of security that combining the functions brings. In its 2006 security survey of financial firms, Deloitte found that just 12% of respondents have combined the two functions, although a further 25% have IT and physical security officers reporting to the same executive. There are also significant regional differences, with convergence much more advanced in Europe, and in Asia-Pacific in particular.

Another factor holding back this convergence is that many of the more advanced technologies are still in development—and, in the main part, they are being developed by companies not particularly known for their IT security prowess. But that is changing. Governments around the world are pushing for the development of new technologies in conjunction with private industry, with a particular emphasis being placed on technologies for improving security of national critical infrastructures. And technology vendors traditionally known for their IT security technologies are starting to embrace physical security technologies.

Among these are Cisco, long known as a vendor of networking and security technologies. In the IT space, Cisco has a vision of the Intelligent Information Network but, in parallel, it is researching and developing emerging physical technologies in areas such as communications interoperability systems, intelligent vision systems and optical sensors. Hurwitz & Associates believes that this is a good move by Cisco and one that other security vendors should take a good look at. As governments around the world mandate ever higher levels of security, this is a market that will provide almost unlimited opportunities for some time to come.

Newsletters 2006
About admin

Leave a Reply

Your email address will not be published.