[ISN] Get Physical About IT Security

[InfoSec News]

http://www.computerworld.com/securitytopics/security/story/0,10801,101220,00.html

Opinion by Douglas Schweitzer 
APRIL 25, 2005
COMPUTERWORLD

A San Jose-based medical practice recently notified about 185,000
current and former patients about the theft of their personal
information. Stored on two computers, the data was stolen from the
medical office during a burglary that occurred March 28.
 
Under California law SB 1386, the medical group was required to
publicly disclose the computer security breach because the
confidential information of California residents may have been
compromised. Unfortunately, that law promises to teach both businesses
and the public plenty of lessons about insufficient security practices
like those highlighted in the San Jose case.

Let's face it: Hardware and software are usually less secure when
they're located in an open workspace than they are when they're
located in a separate computer room. Security is further decreased
when the hardware and/or software is used within a network of
computers that aren't housed at a single location. And the level of
vulnerability is even higher when the network extends beyond the
organization's premises. Some assets -- like hardware devices and data
and software that are stored on file servers, PCs or removable media
like tapes and disks -- need to be secured physically. Part of
physical security is ensuring that only authorized personnel are
permitted to transmit data and access devices on LANs.

The National Computer Security Center's "Glossary of Computer Security
Terms" defines physical security as "the application of physical
barriers and control procedures as preventive measures or
countermeasures against threats to resources and sensitive
information."

According to security expert and author Kevin Beaver, CISSP, "You
cannot have any sense of information security if you don't implement
proper physical security measures."

Unfortunately, IT departments may disregard physical security, fearing
that it's too expensive or too much of a burden. But effectively
controlling physical access to an organization's facilities should be
the security staff's top concern.

When it comes to physical security, most organizations use one or a
combination of mechanisms. Security guards are at the front line and
should be trained to restrict the removal of assets from the premises.  
Among other things, they should be trained to record the identity of
anyone removing assets. In addition, an authorization procedure should
be established for those occasions when removing hardware and software
from the premises is necessary.

A traditional lock is, of course, one of the simplest ways to secure
physical access to IT assets. This ubiquitous security system has
effectively impeded access for centuries. While it's decidedly low
tech, this approach nevertheless remains appealing to those on a
budget, since it's simple and doesn't cost very much. If you wish to
add another layer to this security model, you can use keys that can't
be duplicated or build "mantraps" in which those who wish to gain
entry must pass through two doors, so only one person can enter at a
time.

Electronic key cards are another good option, and they provide a
higher level of security than the traditional lock-and-key approach.  
With this technology, a user gains entry by swiping an electronically
coded plastic card through a magnetic badge reader. An advantage of
key-card systems is that they eliminate some of the management
problems that arise when you use locks and keys. For example, if an
employee quits and walks off with his card, you don't have to change
the locks; you just deactivate his card.

Perhaps the most intriguing approaches to physical security are those
that utilize biometrics. Biometric authentication involves the
examination of physical traits of users. The examined feature is
compared with stored reference data. Identifiable traits include
fingerprints, hand geometry, voice patterns, facial patterns, and iris
and retina patterns. Biometrics, or at least the promise of the
various technologies involved, is currently at the forefront of
thinking about authentication. But organizations have been slow to
adopt biometrics, partially because the products available can be
expensive and aren't as foolproof as they should be.

Remembering that control procedures are necessary for all of the
hardware and software you use will go a long way toward protecting
less-secure environments. Of course, the level of access control you
choose will have to be adjusted depending upon the sensitivity of the
data being accessed. Other variables include the significance of the
applications processed, the cost of the equipment and the availability
of backup equipment.

Because laptops are portable and hence targets for theft and misuse,
they must be included in the security policy equation. Again, their
location and the amount of sensitive data they contain will determine
how much physical security they require.

This may sound basic, and it is. But any comprehensive security plan
has to start with physical security.