
BlueWolf's Howl


December 10, 2006

PhysicaLogical Security

Interesting article in the Nov 23 Network Computing magazine (yeah, I'm a bit behind in my reading) on the trend to combine Physical and Logical Security.

All the recent advances in Physical Security have been computer-based. The Facilities crew who used to be in charge of handing out keys and getting locks changed are now charged with badges and swipe devices that use a network and servers (often systems that are separate from IT) that they know next to nothing about. Lengths of video cable run throughout the campus without anyone really being in charge of it - except for the part where Security people view the monitors to perform their tasks. Meanwhile, the people who know how to run the servers and programs that are being used have no idea how (and no time) to perform the physical security aspects.

An employee ID card is virtually worthless if no one verified that the person requesting the card is, in fact, who she says she is. This illustrates a fundamental problem with physical-logical convergence: It extends beyond technology to establishing and integrating business processes--in this case, a validation procedure.

I've always wondered about this - especially when I get processed into a company. Your manager takes you to the Security office and you pose for a picture... show your license or other form of identification. There's always such a formalized business process for integrating a new employee into a company. And I watch as the person designated to perform these tasks struggles with the software just to place a picture just right into the ID template and produce the golden ID card. Then it takes time to get you entered into 'the system'... Which is all separate from your Windows account -- which has a totally different process for verification and account creation. Combining these processes makes sense. Finding someone who can do both tasks is going to be the difficult part.

Do we train the Physical Security people in IT? Or do we train the IT people to learn the Physical Security processes? Are the same people who monitor the network going to eventually have to monitor the security cameras? Do they know what they're looking for?

In some ways it makes sense, but in other ways... It seems like the old thinking: "That computer on my desk is YOUR job - my job is separate from that. Why should I have to learn that new thing on my desk?" This cropped up when desktops started becoming commonplace. It's not IT's job to make your spreadsheet for you when you want one to analyze business information. It's not IT's job to make your Powerpoint presentation for you so you can present your information in an impressive way at YOUR meeting. And it's not IT's job to run YOUR security network that you won't allow them access to... Servers and databases are not 'set them and forget them' type of devices. You need someone with an interest and background in both worlds to really get that kind of job done properly.

Now ... let's take a look at SysAdmin pay versus Security personnel pay... Ah, there's the rub -- isn't it? No one wants to pay a Security Guard (or Security Guard Manager) enough to make it worth learning SysAdmin tasks, do they? No one wants to pay a SysAdmin more to take on that type of additional physical security responsibility, either. Most trained Security Personnel (IT definition of Security) are up to their elbows in VPNs, Firewalls, etc... They know how to catch a hacker, but not a thief. The only people who are specifically trained in ALL aspects of security (Physical and IT Security) are CISSPs. They make 6 figures.

Although it's a trend that's desired at the corporate meeting level, I doubt it will materialize. It will cost money. The only way this is going to happen is if they dump this on IT without additional training or resources. Any company that doesn't already have a CISSP on the payroll isn't going to put one there. So brace yourself, fellow geeks -- we're probably going to get the opportunity once again to 'do more with less'...

Posted by BlueWolf on December 10, 2006 11:20 AM