Security On All Fronts

Much attention in the past few months has focused on how airports and airlines can use IT to improve security in terminals and on planes. Fingerprint-identification technology can be paired with a smart card to confirm a passenger's identity before issuing a boarding pass; radio-frequency identification tags can be affixed to suspicious checked luggage to pinpoint bags that must be searched before they're put on a plane; and digitally stored fingerprints of job candidates can be submitted to authorities before someone is hired for a position that requires access to secure areas.

But businesses also say they see value in using IT to help protect physical property. For example, some companies are looking at using smart access cards that authenticate network users to also restrict access to data centers, executive suites, or other potential terrorist targets on campus. As part of these efforts, companies also want to foster closer communications between IT-and facilities-security experts, who operate independently in most companies.

That connection will pay off as terrorists and other criminals plot new kinds of attacks. "We're going to see more sophisticated cyber and physical attacks," warns Harry DeMaio, director of enterprise risk services at Deloitte & Touche. "A group may launch a denial-of-service attack, or even a highly targeted virus, to attempt to disrupt communications the very moment it launches a physical attack." An acceleration of attempted attacks on a company's system that emanates from a particular geographic area may be the first clue a business has that it's targeted for worse things, and only quick communication between IT-and physical-security staff will help prevent damage to people and property.

Even before Sept. 11, companies believed most IT security breaches were the result of terrorist or computer-hacker activity. In InformationWeek Research's security survey, conducted last summer, 46% of 4,500 respondents worldwide put the blame on these parties, up from just 14% in 1998.

Eduard Telders, security manager at Pemco Financial Services, a line of independently owned insurance, credit union, and technology services companies headquartered in Seattle, understands the reasons behind coordinating physical and IT security. More than 13 years ago, Telders convinced Pemco's executives to bring all security efforts--IT and physical security, as well as contingency planning and safety programs--under one umbrella, to provide better risk management and eliminate budgetary infighting. Teams in each of the four areas report directly to Telders and oversee activity for each Pemco business unit.

Telders knows many companies that are considering reorganizing their operations the same way. "I get calls on the topic all the time," he says. The terrorist attacks and concern that more are to come have accelerated what he calls the natural progression of risk mitigation. "A tragic event like Sept. 11 crosses the boundaries of both physical and IT security, contingency planning, and safety," Telders says. "If you don't have comprehensive risk-management and response protocols, your company is going to lose."

An IT security officer at an international metals manufacturer, who requested anonymity, agrees that such protocols are needed, no matter what the circumstances. Recently, an employee's notebook PC was stolen at a hotel, but the incident was reported only to the company's physical security group. The IT security officer learned of the theft by chance. "We need to work more closely together on incidents like that. They the physical security staff have no idea what access the user of the notebook may have to our apps, nor did they ask him if he had any passwords in an open text file on his system. It was a major security breach through a lack of communication."

Today's guarded climate only magnifies the importance of security throughout a company, says Daniel Kesl, information security officer at Newmont Mining Corp. in Denver. "One of my chief goals is to work more closely with the physical security team," he says. The company isn't contemplating completely merging IT and physical security into a single unit, but Kesl wants to encourage the use of technology that can play a role in defending critical real-world resources.

Like many companies, Newmont equips workers at its mining sites in eight countries with proximity cards for gate entrance and employees at its headquarters with photo and proximity cards for building access. Workers rely on user names and passwords to be identified by the network. But Kesl envisions a better way to increase security on a variety of fronts--including ensuring that unauthorized and possibly dangerous individuals don't get on the property--as well as to reduce administrative costs. He's interested in deploying a single smart card that serves as photo ID and network-access identifier, one that's used in combination with password security for data access to add a layer of protection and that affords and limits access to the company's physical property.

"This type of identity management is a huge issue," Kesl says. A universal access card could reduce the number of databases necessary to manage access privileges among departments such as facilities and human resources.

The same thought has occurred to Rick Perry, director of enterprise security for the Burlington Northern and Santa Fe Railway in Fort Worth, Texas. Perry says the railroad is considering a single card that could act as a photo ID to identify users for access to buildings or certain areas of a building, as well as to let them log on to networks and telecommunications systems. Employees would carry their digital certificates within the smart cards, so they could access applications on the network from any system equipped with a smart-card reader. Plus, Perry says, "it could end up being cheaper to maintain and increase security" through instant deprovisioning, or removing user access privileges. Because all the access devices are combined in one card, it takes a single operation to remove user privileges, rather than having different departments separately decommission access.

Pemco hasn't taken steps to consolidate network-and building-access cards yet, but Telders says it's a goal. "The savings are obvious--streamlined processing, simplified request and control procedures, clear tracking capability for activity consolidating both physical and information access, and simplified cleanup after termination or retirement," he says.

Companies that plan to explore the use of a universal access card may want to keep an eye on the U.S. Department of Defense's rollout of its Common Access Card. The card will serve as the department's ID badge for both building and system access, as well as for access to individual benefits information. For secure transactions and communications, the card supports public key encryption and digital certificates that provide user authentication, electronically sign E-mail, and encrypt messages. If the rollout goes well, more than 4 million cards will be issued by October; eventually, the department may expand the program to include more than 23 million other users, including contractors.

Not all companies are comfortable with integrating a host of IT-and physical-security operations. Pedro Villalba, senior VP and chief technology officer of HIP Health Plan of New York, and Paul Ryan, managing director of information systems at the health-care provider, are discussing alternatives to identity management, but they're leery of a single card that provides universal access. "There's no doubt about it, one card makes it seamless and easy," Ryan says. "But you don't have one key for access to everything in your life." Integrating access to IT and physical sites poses a security risk, he says: "If you have one ID that gets you into 20 systems and areas, and that gets compromised, you're in trouble."

Another trend bringing the physical security team in closer contact with IT is the increasing use of closed-circuit surveillance systems running on IP networks, rather than on dedicated networks maintained by facilities staff. Such systems become more important as companies seek to ensure that unauthorized personnel aren't on the property. Among the advantages for digital video surveillance systems are reduced costs of installation from using the existing data network, Pemco's Telders says.

It's a delicate balance. Physical security teams need to coordinate with IT to ensure that the network not only has the bandwidth to handle increased video traffic, but also that IP-based surveillance systems are defended from threats such as hacking. "As these devices move away from their standalone networks, physical security teams need to be aware of the new dangers, such as someone capturing sensitive video and posting it on the Internet," Deloitte and Touche's DeMaio says.

But such considerations shouldn't deter companies from developing tighter coordination between IT-and physical-security staff, he says, especially given the potential for terrorists or criminals to set their sights on both parts of a company's operations. "During any type of attack, they're going to want to shut off your ability to respond so that a coordinated response becomes difficult, if not impossible," he says. To weather those coming storms, companies need to close the loops between diverse security operations, and fast.

Photo by Ray Ng