Converged security: some shared physical security experiences from the trenches.


Some background: about four years ago a recruiter came to me and asked if I thought I could take on a position that involved “converged security” at an entertainment company.  Having already done content protection and information security for what was the largest game publisher at the time for the prior ten years, I thought “sure, what’s a few guards, gates and guns” or the “3 G’s” as we call them.  After all, I have a background in law enforcement and have done my fair share of guarding people and places.

 

So I reached out to other CSOs and CISOs that I know to ask them what I felt were quite important questions. 

 

  1. How much time do you spend focused on things like contracts with security companies and how involved is your interaction with the guards / management?
  2. What are your opinions on privatized vs. contract guarding services?
  3. How important is the physical security of your campus in relation to the protection of your data?
  4. Have you thought about video analytics and tying your cameras into your card readers to do facial recognition?  Or for that matter, has anyone thought of tying their door access control data into the system authentication data to validate logins?

 

Well I quickly found out a few things that kind of bothered me a bit.

 

  1. Few people, if any, had responsibility for information security AND physical security.
  2. Most everyone believed that physical security had little to do with their jobs, and furthermore there was a persistent stigma that physical security was “lowbrow” and a job best left to former law enforcement.
  3. Other than trusting that the doors to the data centers and network closets were “secure” few could rationalize what other benefit physical security gave to their data security, which after all is the limit of their responsibility.
  4. No one had heard of video analytics, facial recognition was something best left to science fiction or the government, and when I pressed things like matching up keycard entry to a building with system logins I was talking total science fiction that was still only meant for paperback books.

 

OK, so quite clearly I was going to pioneer some new paths if I was going to take this job.  I like a good challenge, and at my former employer I wasn’t responsible for physical security and often found the rift between the two to be quite sophomoric considering we were often working on the same problems.

 

“Yes! I will do it, what a great sounding job this is!”  I told the recruiter after going through something like twenty interviews and realizing how big the company was that I was going to go work for.  Not only was I going to be responsible for converged security, I was going to do it internationally with what ended up being nearly seventy campuses of various sizes from a few thousand people to twenty or so and everything from film labs built in 1902 to modern offices filled with software developers.  Boy, if I could go back and tell myself how crazy hard and totally rewarding this was going to be I would probably only have been that much more excited.

 

With information security we deal with developers and users getting irked if we make something too complicated, or worse, we slow down some process such as compiling or rendering by stealing CPU cycles from the workstation to power our endpoint clients.  But it’s an entirely new ball game when you start to try to control people, or rather their movements and access to things in the workplace.

 

I mentioned the international responsibility part, right?  This was nothing new either; my former company was quite global and I grew up in Europe, so I kind of have a flair for travel.  So I took my travel time to do some studying of the physical security I was exposed to all the time, arguably physical security that should be driven by the best minds in our field considering the consequences.  So while I stand in line at airports and disrobe and divest myself of all metallic substances, I get to see the constant changes the TSA makes in various major airports in the United States.  Likewise I observe changes in other countries, and even pay attention to the security in customs, places like downtown London, etc.  Why?  Well first, it’s good to see what works and doesn’t work, what is received well and what isn’t, when it’s someone else’s experiment.  Second, it’s what I do for a living and I basically can’t turn this off.  Kind of like how my brother, who is a master cabinet maker, can’t walk into a kitchen and not take note of the quality, craftsmanship, and ingenuity (or lack thereof) that he sees.  And just as most people don’t notice the two-factor authentication used on the door, the PTZ cameras vs. the fixed cameras and what they are focused on, the various color codes of badges people have, or that some badges have smart cards and others are just proximity; I walk into a kitchen and the most I might notice is that I either like or dislike the choice of stain used on the wood and that the material used for the countertops appears expensive.  There are other thoughts that go through my head when I do this too, just as there are with any number of security practitioners – normally identifying gaps and issues, but it’s not for me to point them out, and frankly it’s probably better for all of us that I don’t.

 

Some quick lessons I will share, as they relate to this blog post and don’t risk the security posture of the places I made the observations.

 

  • People naturally really hate being herded and treated like cattle.  But if they understand the purpose and value in it they will comply, albeit few will refrain from making snide comments.
  • Most people give security cameras and devices about as much thought and concern as a potted plant in the foyer of a nice hotel.  They just don’t care.
  • Everyone is in a rush, all of the time regardless of how early or late they truly are. 
  • Everyone can accept that there are areas in places they are visiting that they may not or cannot enter, but they are not so accepting of this fact when it is the workplace.
  • You can have different levels of security (from freakishly lax to overly draconian) and get similar end results.
  • You can’t replace good people with technology, ever.
  • You can’t substitute for a well-thought-out process by having an army of people; as stated in the prior point, you can’t blindly throw technology at it either.
  • “What if someone disregards, disrespects, or bypasses my single point of failure?” is a question apparently not thought of very often.

 

Needless to say, I am a huge fan of converged security models in companies, especially with my focus over the last thirteen years on content protection.   The use of technologies to determine if someone is physically present in the building they are logging in from (VPN excluded) is a big win, as is the ability of cameras to determine if someone piggybacked through a security door (and then, of course, to identify them and email their supervisor to stop the problem).  But when you can control and manage physical security to the degree that you are isolating critical systems (read: workstations and servers), raw stock and blank media, and preventing access to work areas that help reinforce the logical segregations you develop inside of systems, you are really starting to have a holistic security practice.
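The badge-versus-login correlation described above (with VPN sessions excluded) can be sketched in code. The following is an added example written for this page, not code from the author or the company; the log line formats, the field names and all of the events are constructed samples, and it assumes the login log carries the building in which each workstation sits (for instance from an asset inventory). It also records a badge-out that has no matching badge-in, which is the badge-data symptom of the tailgating the post mentions cameras catching.

```python
"""Correlate badge-reader events with workstation logins.

Added example for this page (not the author's code). The log line
formats, field names and all events below are constructed samples, and
the login log is assumed to carry the building in which the workstation
sits (e.g. from an asset inventory).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    building: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    building: str  # building the workstation is located in (assumed field)
    vpn: bool


def _kv(rest: str) -> dict[str, str]:
    """Turn 'user=alice bldg=HQ dir=in' into a dict."""
    return dict(item.split("=", 1) for item in rest.split())


def parse_badge_line(line: str) -> BadgeEvent:
    # constructed format: "<iso-timestamp> badge user=<id> bldg=<code> dir=in|out"
    ts, _, rest = line.split(" ", 2)
    f = _kv(rest)
    return BadgeEvent(datetime.fromisoformat(ts), f["user"], f["bldg"], f["dir"])


def parse_login_line(line: str) -> LoginEvent:
    # constructed format: "<iso-timestamp> login user=<id> bldg=<code> vpn=yes|no"
    ts, _, rest = line.split(" ", 2)
    f = _kv(rest)
    return LoginEvent(datetime.fromisoformat(ts), f["user"], f["bldg"], f["vpn"] == "yes")


def presence_intervals(events):
    """Map (user, building) -> list of (badge_in, badge_out-or-None) intervals.

    A badge-out with no matching badge-in is returned separately: it usually
    means the person entered without badging (tailgating or a propped door).
    """
    open_entries: dict[tuple[str, str], datetime] = {}
    intervals: dict[tuple[str, str], list[tuple[datetime, datetime | None]]] = {}
    unmatched_outs: list[BadgeEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.building)
        if ev.direction == "in":
            open_entries[key] = ev.ts  # a repeated "in" simply restarts the interval
        else:
            start = open_entries.pop(key, None)
            if start is None:
                unmatched_outs.append(ev)
            else:
                intervals.setdefault(key, []).append((start, ev.ts))
    for key, start in open_entries.items():  # still inside at end of log
        intervals.setdefault(key, []).append((start, None))
    return intervals, unmatched_outs


def is_present(intervals, user: str, building: str, at: datetime) -> bool:
    return any(
        start <= at and (end is None or at <= end)
        for start, end in intervals.get((user, building), [])
    )


def find_suspicious_logins(badge_lines, login_lines):
    """Return non-VPN logins whose user was not badged into that building."""
    intervals, _ = presence_intervals(parse_badge_line(l) for l in badge_lines)
    logins = sorted((parse_login_line(l) for l in login_lines), key=lambda e: e.ts)
    return [
        lg for lg in logins
        if not lg.vpn and not is_present(intervals, lg.user, lg.building, lg.ts)
    ]


# Constructed sample logs for one day at two buildings, "HQ" and "LAB".
SAMPLE_BADGE_LOG = [
    "2024-03-04T07:58:00 badge user=carol bldg=LAB dir=in",
    "2024-03-04T08:02:11 badge user=alice bldg=HQ dir=in",
    "2024-03-04T08:05:00 badge user=bob bldg=HQ dir=in",
    "2024-03-04T12:30:00 badge user=alice bldg=HQ dir=out",
    "2024-03-04T17:10:00 badge user=erin bldg=HQ dir=out",  # never badged in
]
SAMPLE_LOGIN_LOG = [
    "2024-03-04T07:55:00 login user=dave bldg=HQ vpn=no",    # no badge at all
    "2024-03-04T08:05:40 login user=alice bldg=HQ vpn=no",   # fine
    "2024-03-04T08:10:00 login user=bob bldg=HQ vpn=no",     # fine
    "2024-03-04T09:30:00 login user=carol bldg=HQ vpn=no",   # badged into LAB, not HQ
    "2024-03-04T13:15:00 login user=alice bldg=HQ vpn=no",   # already badged out
    "2024-03-04T13:20:00 login user=alice bldg=HQ vpn=yes",  # VPN: excluded
]

if __name__ == "__main__":
    for lg in find_suspicious_logins(SAMPLE_BADGE_LOG, SAMPLE_LOGIN_LOG):
        print(f"{lg.ts.isoformat()} {lg.user}: local login at {lg.building} without badge-in")
```

Run against the sample data this flags dave (no badge at all), carol (badged into the wrong building) and alice's afternoon login (after she badged out), and reports erin's badge-out as an entry with no matching badge-in. In a real deployment the two feeds arrive with clock skew and readers that miss the occasional swipe, so a small grace window around the badge-in and a review queue rather than an automatic account lock are the sensible first step.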
