The Physical Security Domain discusses the importance of physical security in the protection of valuable information assets of the business enterprise. It provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including the data center or server room. In the early days of computers, much of the security focus was built on providing physical security protections.
Think of the data center that contained the mainframe servers and all the information processed and stored on the system. (Harold, 1550) In this environment, the majority of the protections were for physical protection of that one area, such as restricting personnel from the area, enforcing physical access controls with locks and alarms, and implementing environmental controls to ensure the equipment was protected from heat and moisture. The advent of distributed systems changed this focus; resources and information were now in various places within the organization, and in many cases, not even contained within the building. For example, mobile devices, such as laptops and personal digital assistants, provided the ability to carry information outside a limiting physical environment.
According to many information system security surveys, the majority of threats occur from insiders — that is, those individuals who have physical access to their own resources. Because of this, physical security is just as relevant today as it was 30 years ago. It is still necessary to protect server rooms by limiting access and installing appropriate locks. (Messaoud, 157) Another factor impacting physical security is the new government and private-sector initiatives to protect critical infrastructures, such as power and water supplies. Because information system assets require some type of power source to operate, the need for clean, constant power is a primary physical security concern.
Threats to infrastructures are evolving and take different forms. Although this may appear to be dramatic, chemical and biological threats have become increasingly viable methods of attack. One of the challenges for information system security professionals is to understand the security challenges associated with the physical environment.
Although physical security is documented according to some specific technologies, such as closed-circuit television (CCTV) and alarm systems, there has not been much literature that combines the physical security field with the information system security field. (David, 180) There is also a dichotomy between the “traditional” security professionals who focus primarily on personnel and access controls and the information system security professionals who focus on logical controls.
Many organizations still struggle for control over who will provide security — the traditional security divisions or the information management divisions. This lack of coordination and, in many cases, political maneuvering, has created difficulties for organizations to accomplish goals. However, as most security professionals will note, if both sides (security and information management) begin to work together, they will realize that indeed their goals are the same — and what is needed is better communication and coordination about how to achieve those goals. (Michael, 93)
That is, by capitalizing on the strength and knowledge of both functions, they will achieve the goals of information system security — protecting the organization’s valuable resources. Although the challenges have changed along with the technologies, physical security still plays a critical role in protecting the resources of an organization. It requires solidly constructed buildings, emergency preparedness, adequate environmental protection, reliable power supplies, appropriate climate control, and external and internal protection from intruders. (Andrew, 278)
When one thinks of security, one often thinks of it only in terms of implementation. In IT security, one thinks of passwords and firewalls. In personal security, one thinks of avoiding rape and muggers by staying away from dark alleys and suspicious-looking characters. However, to place physical security in the context of IT security, one must examine what security is — not just how one implements it.
In the simplest of terms, it boils down to this: security is controlled access. Implementing security, therefore, is the process of controlling access. Passwords and firewalls control access to network and data resources. Avoiding dark alleys and suspicious characters controls access to our bodies and possessions. Likewise, security in the home generally refers to locks on the doors and windows. With the locks, one is controlling the access of persons into the protected area.
Everyone is denied entry unless they can produce the proper key. (Messaoud, 160) By issuing keys to only those persons one desires, one is controlling access. Because one normally does not want anyone entering through the windows after-hours (although a teenager may have a different viewpoint), there is typically no key lock on windows and the level of control is total denial of access. Home alarm systems are gaining increased popularity these days. They also control access by restricting the movements of an intruder who is trying to avoid detection. The definition of security as controlled access also holds true for the familiar information security concepts of availability, integrity, and confidentiality. Availability is ensuring access to the data when needed. (Mary, 89)
Integrity implies that the data has been unmodified; thus, access to change the data is limited to only authorized persons or programs. Confidentiality implies that the information is seen only by those authorized. Thus, confidentiality is controlling access to read the data. All of these concepts are different aspects of controlling access to the data. In a perfect world, one could equate assurance with the degree of control one has over access.
However, this is not a perfect world, and it may be more appropriate to equate assurance with the level of confidence one has in the controls. A high level of assurance equates to a high level of confidence that the access controls are working and vice versa. For example, locking the window provides only moderate assurance because one knows that a determined intruder can easily break the window. But a degree of access control is gained because the intruder risks detection from the sound of breaking glass. (Earl, 221) Bear in mind, and this is important, that more security is not necessarily less access. That is, controlled access does not equal denied access.
The locked window is certainly a control that denies access — totally (with respect to intent, not assurance). On the other hand, Social Security provides security by guaranteeing access to a specified sum of money in old age, or should one say the “golden years.” (Mary, 144) (However, the degree of confidence that this access control will provide the requisite security is left as an exercise for the reader.) It is obvious that practically all controls fall somewhere in between providing complete access and total denial. Thus, it is the level of control over access — not the amount of access — that provides security. Confidence in those controls provides assurance. This leads to the next topic: a layered defense.
A Layered Defense
A layered defense boosts the confidence level in access controls by providing some redundancy and expanded protection. The details of planning a layered defense for physical security are beyond the scope of this chapter and should be handled by an experienced physical security practitioner. However, the IT security specialist should be able to evaluate the benefits of a layered defense and the security it will and will not provide.
When planning a layered defense, the author breaks it into three basic principles: breadth, depth, and deterrence. Think of applying “breadth” as plugging the holes across a single wall. Each hole represents a different way in or different type of vulnerability. Breadth is used because a single type of control rarely eliminates all vulnerabilities. Relating this first in the familiar IT world, suppose one decides to control read access to data by using a log-on password. But the log-on password does not afford protection if one sends the data over the Internet. (Harold, 1562)
A different type of control (i.e., encryption) would therefore provide the additional coverage needed. Physical security works much the same way. For example, suppose one needs to control access to a hot standby site housed in a small one-story warehouse. The facility has a front door, a rear door, a large garage door, and fixed windows that do not open. Locks on the doors control one type of pathway to the inside, but offer no protection for the breakable windows.
Thus, bars could be an additional control to provide complete coverage. The second principle, depth, is commonly ignored yet often the most important aspect of a layered defense. To be realistic with security, one must believe in failure. Any given control is not perfect and will fail, sooner or later. Thus, for depth, one adds layers of additional access controls as a backstop measure. In essence, the single wall becomes several walls, one behind the other. (David, 183)
To illustrate on the familiar ground, take a look at the user password. The password will not stay secret forever, often not for a single day, because users have a habit of writing them down or sharing them. Face it; everyone knows that no amount of awareness briefings or admonishments will make the password scheme foolproof. Thus, we embrace the common dictum, “something you have, something you know, and something you are.” The password is the “something you know” part; the others provide some depth to the authentication scheme. (Mary, 152)
Depth is achieved by adding additional layers of protection such as a smart card — “something you have.” If the password alone is compromised, access control is still in place. But recognize that this too has limitations, so one invokes auditing to verify the controls. Again, physical security works the same way. For physical security, depth usually works from the outer perimeter, areas far away from the object to be protected, to the center area near the object to be protected. (Andrew, 263)
In theory, each layer of access control forms a concentric ring toward the center (although very few facilities are entirely round). The layers are often defined at the perimeter of the grounds, the building entrance and exterior, the building floors, the office suites, the individual office, and the file cabinets or safes. Deterrence, the third principle, is simply putting enough controls in place that the cost or feasibility of defeating them without getting caught is more than the prize is worth.
If the prize to be stolen is a spare $5000 server that could be sold (fenced) in the back alleys for only $1000, it may not be worth it to an employee to try sneaking it out a back door with a camera on it when loss of the job and jail time may cost that employee $50,000. Notice here that the deterring factor was the potential cost to the employee, not to the company. (Mary, 93) A common mistake made even by physical security managers is to equate value only to the owner. Owner value of the protected item is needed for risk analysis to weigh the cost of protection against the cost of recovery/replacement. One does not want to spend $10,000 protecting a $5000 item.
However, the principle of deterrence must also consider the value to the perpetrator with respect to their capability — the bad guy’s own risk assessment. In this case, maybe an unmonitored $300 camera at the back door instead of a $10,000 monitored system would suffice. (Earl, 220) A major challenge is determining how much of the layered defense is breadth and depth in contrast to deterrence. One must examine each layer’s contribution to detection, deterrence, or delay, and then factor in a threat’s motivation and capabilities. The combined solution is a balancing act called analytical risk management.
Preventive Technical Controls
Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:
- Access control software
- Antivirus software
- Library control systems
- Smart cards
- Dial-up access control and callback systems
Access Control Software
The purpose of access control software is to control sharing of data and programs between users. In many computer systems, access to data and programs is implemented by access control lists that designate which users are allowed access. Access control software provides the ability to control access to the system by establishing that only registered users with an authorized log-on ID and password can gain access to the computer system. After access to the system has been granted, the next step is to control access to the data and programs residing in the system. The data or program owner can establish rules that designate who is authorized to use the data or program.
Viruses have reached epidemic proportions throughout the microcomputing world and can cause processing disruptions and loss of data as well as significant loss of productivity while cleanup is conducted. In addition, new viruses are emerging at an ever-increasing rate — currently about one every 48 hours. It is recommended that anti-virus software be installed on all microcomputers to detect, identify, isolate, and eradicate viruses. This software must be updated frequently to help fight new viruses. (Harold, 1575) In addition, to help ensure that viruses are intercepted as early as possible, anti-virus software should be kept active on a system, not used intermittently at the discretion of users.
Library Control Systems
These systems require that all changes to production programs be implemented by library control personnel instead of the programmers who created the changes. This practice ensures separation of duties, which helps prevent unauthorized changes to production programs.
Passwords are used to verify that the user of an ID is the owner of the ID. The ID–password combination is unique to each user and therefore provides a means of holding users accountable for their activity on the system. Fixed passwords that are used for a defined period of time are often easy for hackers to compromise; therefore, great care must be exercised to ensure that these passwords do not appear in any dictionary. Fixed passwords are often used to control access to specific databases. In this use, however, all persons who have authorized access to the database use the same password; therefore, no accountability can be achieved. (David, 185) Currently, dynamic or one-time passwords, which are different for each log-on, are preferred over fixed passwords. Dynamic passwords are created by a token that is programmed to generate passwords randomly.
For many years, photo identification badges have sufficed as a credential for most people. With drivers’ licenses, passports, and employee ID badges, the picture — along with the individual’s statistics — supplies enough information for the authentication process to be completed. Most people flash the badge to the security guard or give a license to a bank teller. Someone visually matches the ID holder’s face to the information on the card. (William 387)
Smart cards are usually about the size of a credit card and contain a chip with logic functions and information that can be read at a remote terminal to identify a specific user’s privileges. Smart cards now carry prerecorded, usually encrypted access control information that is compared with data that the user provides (e.g., a personal ID number or biometric data) to verify authorization to access the computer or network. The automatic teller machine (ATM) card is an improvement on the “dumb card”; these “smart” cards require the user to enter a personal ID number (PIN) along with the card to gain access.
The ATM compares the information encoded on the magnetic stripe with the information entered at the ATM machine. (Earl, 217) The smart card contains microchips that consist of a processor, memory used to store programs and data, and some kind of user interface. Sensitive information is kept in a secret read-only area in its memory, which is encoded during manufacturing and is inaccessible to the card’s owner. Typically, these cards use some form of cryptography that protects the information. Not all smart cards work with card readers. A user inserts the card into the reader, the system displays a message, and if there is a match, then the user is granted access. (Andrew, 263)
Types of Access Cards
Access cards employ different types of technology to ensure authenticity:
- Photo ID cards contain a photograph of the user’s face and are checked visually.
- Optical-coded cards contain tiny, photographically etched or laser burned dots representing binary zeros and ones that contain the individual’s encoded ID number. The card’s protective lamination cannot be removed without destroying the data and invalidating the card.
- Electric circuit cards contain a printed circuit pattern. When inserted into a reader, the card closes certain electrical circuits.
- Magnetic cards, the most common form of access control card, contain magnetic particles that contain, in encoded form, the user’s permanent ID number. Data can be encoded on the card, but the tape itself cannot be altered or copied.
- Metallic stripe cards contain rows of copper strips. The presence or absence of strips determines the code.
Encryption is defined as the transformation of plaintext (i.e., readable data) into ciphertext (i.e., unreadable data) by cryptographic techniques. Encryption is currently considered to be the only sure way of protecting data from disclosure during network transmissions. Encryption can be implemented with either hardware or software. Software-based encryption is the least expensive method and is suitable for applications involving low-volume transmissions; the use of software for large volumes of data results in an unacceptable increase in processing costs. Because there is no overhead associated with hardware encryption, this method is preferred when large volumes of data are involved. (Frederick, 528)
Dial-Up Access Control and Callback Systems
Dial-up access to a computer system increases the risk of intrusion by hackers. In networks that contain personal computers or are connected to other networks, it is difficult to determine whether dial-up access is available or not because of the ease with which a modem can be added to a personal computer to turn it into a dial-up access point. Known dial-up access points should be controlled so that only authorized dial-up users can get through. (Wenbo, 248)
Currently, the best dial-up access controls use a microcomputer to intercept calls, verify the identity of the caller (using a dynamic password mechanism), and switch the user to authorized computing resources as requested. Previously, call-back systems intercepted dial-up callers, verified their authorization and called them back at their registered number, which at first proved effective; however, sophisticated hackers have learned how to defeat this control using call-forwarding techniques.
As human security forces shrink, there is more need to ensure that only authorized personnel can get into the computer room. A token is an object the user carries to authenticate his or her identity. These devices can be token cards, card readers, or biometric devices. They have the same purpose: to validate the user to the system. The most prevalent form is the card, an electric device that normally contains encoded information about the individual who is authorized to carry it. Tokens are typically used with another type of authentication. Many cipher locks have been replaced with token card access systems.
Challenge-response tokens supply passcodes that are generated using a challenge from the process requesting authentication (such as the Security Dynamics’ SecurID). Users enter their assigned user IDs and passwords plus a password supplied by the token card. This process requires that the user supply something they possess (the token) and something that they know (the challenge/response process). This process makes passcode sniffing and brute force attacks futile. Challenge-response is an asynchronous process. An alternative to challenge-response is the synchronous token that generates the password without the input of a challenge from the system. It is synchronized with the authenticating computer when the user and token combination is registered on the system.
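The asynchronous and synchronous token schemes described above (and the dynamic passwords mentioned earlier), as an added example that is not from the original text or any vendor's product. It uses HMAC-SHA1 with RFC 4226 truncation and an RFC 6238-style time counter rather than a proprietary token algorithm; `AuthServer`, the seed and the user name are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: reduce an HMAC to a short decimal passcode."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_response(seed: bytes, challenge: bytes) -> str:
    """Asynchronous token: the passcode depends on the server's challenge."""
    return _truncate(hmac.new(seed, challenge, hashlib.sha1).digest())


def token_time_code(seed: bytes, unix_time: int, step: int = 30) -> str:
    """Synchronous token: the passcode depends only on the shared clock."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest())


class AuthServer:
    """Hypothetical verifier holding the per-user seed registered with each token."""

    def __init__(self, seeds, step=30, drift_steps=1):
        self.seeds = seeds
        self.step = step
        self.drift_steps = drift_steps  # tolerated clock drift, in time steps
        self.pending = {}               # user -> outstanding challenge
        self.last_step = {}             # user -> newest time step already accepted

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per log-on
        self.pending[user] = challenge
        return challenge

    def verify_response(self, user: str, passcode: str) -> bool:
        # The challenge is consumed by any attempt, so a sniffed passcode
        # cannot be replayed and each challenge allows a single guess.
        challenge = self.pending.pop(user, None)
        seed = self.seeds.get(user)
        if challenge is None or seed is None:
            return False
        return hmac.compare_digest(token_response(seed, challenge), passcode)

    def verify_time_code(self, user: str, passcode: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // self.step
        first = max(0, current - self.drift_steps)
        for s in range(first, current + self.drift_steps + 1):
            if s <= self.last_step.get(user, -1):
                continue  # this step (or a newer one) was already used: no replay
            if hmac.compare_digest(token_time_code(seed, s * self.step, self.step), passcode):
                self.last_step[user] = s
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226 test key)
    server = AuthServer({"alice": seed})

    challenge = server.issue_challenge("alice")
    code = token_response(seed, challenge)
    print("challenge-response accepted:", server.verify_response("alice", code))
    print("same passcode replayed:     ", server.verify_response("alice", code))

    code = token_time_code(seed, 59)
    print("time code accepted:         ", server.verify_time_code("alice", code, now=59))
    print("same time code replayed:    ", server.verify_time_code("alice", code, now=61))
```
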
Every person has unique physiological, behavioral, and morphological characteristics that can be examined and quantified. Biometrics is the use of these characteristics to provide positive personal identification. Fingerprints and signatures have been used for years to prove an individual’s identity, but individuals can be identified in many other ways. Computerized biometrics identification systems examine a particular trait and use that information to decide whether the user may enter a building, unlock a computer, or access system information.
Biometric devices use some type of data input device, such as a video camera, retinal scanner, or microphone, to collect information that is unique to the individual. (David, 181) A digitized representation of a user’s biometric characteristic (fingerprint, voice, etc.) is used in the authentication process. This type of authentication is virtually spoof-proof and is never misplaced. The data are relatively static but not necessarily secret. The advantage of this authentication process is that it provides the correct data to the input devices.
The individual places a finger in or on a reader that scans the finger, digitizes the fingerprint, and compares it against a stored fingerprint image in the file. This method can be used to verify the identity of individuals or compare information against a database covering many individuals for recognition. Performance:
- False rejection rate = 9.4%
- False acceptance rate = 0
- Average processing time = 7 seconds.
This device requires that the user looks into an eyepiece that laser-scans the pattern of the blood vessels. The patterns are compared to provide positive identification. It costs about $2,650. Performance:
- False rejection rate = 1.5%
- False acceptance rate = 1.5%
- Average processing time = 7 seconds.
The system scans 10,000 points of information from a 2-inch-square area of the human palm. With the information, the system identifies the person as an impostor or authentic. The typical price is $2,500. Performance:
- False rejection rate = 0
- False acceptance rate = 0.00025%
- Average processing time = 2-3 seconds.
This device uses three-dimensional hand geometry measurements to provide identification. The typical price is $2,150. Performance:
- False rejection rate = 0.1%
- False acceptance rate = 0.1%
- Average processing time = 2 to 3 seconds.
Using a camera mounted at the authentication place (gate, monitor, etc.) the device compares the image of the person seeking entry with the stored image of the authorized user indexed to the system. The typical price is $2,500. Performance:
- Average processing time = 2 seconds.
When a person speaks a specified phrase into a microphone, this device analyzes the voice pattern and compares it against a stored database. The price can run as high as $12,000 for 3,000 users. Performance:
- False rejection rate = 8.2%
- False acceptance rate = 0.4%
- Average processing time = 2 to 3 seconds (response time is calculated after the password or phrase is actually spoken into the voice verification system).
Physical Security Technology
Security Components
Locks
Physical security controls are largely comprised of locks (referred to as locking devices by the professionals). In terms of function, there are day access locks, after-hours locks, and emergency egress locks. Day locks permit easy access for authorized persons — such as a keypad or card swipe. After-hours locks are not intended to be opened and closed frequently and are often more substantial.
Examples are key locks, locked deadbolts, padlocks, combination padlocks, or high-security combination locks like one would see on safes or vault doors. Emergency egress locks allow easy access in one direction (i.e., away from the fire), but difficult access in the other direction. A common example is the push or “crash” bar style seen at emergency exits in public facilities. Just push the bar to get out, but one needs a key to get back in. In terms of types, locks can be mechanical or electrical. (Robert 427) A mechanical lock requires no electric power. Most of the locks used daily with a key or combination are mechanical.
An electric lock requires electricity to move the locking mechanism, usually with a component called a solenoid. A solenoid is a coil of wire around a shaft. The shaft moves in or out when electric current flows through the coil. (William 392) Another type of electric lock uses a large electromagnet to hold a door closed. The advantage is few moving parts with considerable holding power. The way people authenticate themselves to a lock (to use an IT term) is becoming more sophisticated each day. (Wenbo, 243)
Traditionally, people used a key or mechanical combination. Now there are combination locks that generate electricity when one spins the dial to power internal microprocessors and circuits. There are also electronic keypads, computers, biometrics, and card keys to identify people. Although this is more familiar territory to the IT security professional, it all boils down to activating a locking device. Collectively, authentication combined with door locking devices is referred to as a “door control system.”
Barriers include walls, fences, doors, bollards, and gates. A surprising amount of technology and thought goes into the design of barriers. The physics behind barriers can involve calculations for bomb blasts, fire resistance, and forced entry. Installation concerns such as floor loading, wind resistance, and aesthetics can play a role as well. Making sense of the myriad of options requires the answer to the following question: Who or what is the barrier intended to stop, and for how long?
To supply the answer, think of the barrier as an element of access control. It is not a door to the office, but something to control “whom” or “what” is allowed into the office. Is valuable data stored in the office, such as backup tapes, or is the concern with theft of hardware? Is the supposed thief an employee, or is it a small company where a break-in is more likely? Is the office in a converted wooden house where liability for data lost in fire is the primary concern? If so, how long does one need to keep the fire at bay (i.e., what is the fire department response time)? Know these answers.
Barriers and the locks that secure them directly control access. Alarms are primarily for letting us know if that control is functioning properly — that is, has it been breached? Alarms tell us when some sort of action must be taken, usually by a human. A fire alarm may automatically activate sprinklers as well as the human response by the fire department. In terms of a layered defense, the presence of alarms also adds to the deterrence.
Alarms are usually divided into two parts: the controller and the sensors. The sensors detect the alarm condition, such as an intruder’s movements or the heat from a fire, and report it to the controller. The controller then initiates the response, such as an alarm bell or dialing the police department. A facility that monitors several control units is referred to as a “central monitoring” facility.
As indicated, sensors usually detect environmental conditions or intrusion. (Messaoud, 163) Environmental conditions include temperature, moisture, and vibration. Temperature not only protects against fire, but can alert us to the air conditioner failing in a server room. Moisture may indicate flooding due to rains or broken plumbing. Vibration sensors are used both in environmental sensors, to protect sensitive hardware, and in intrusion detectors such as glass breakage sensors or on fences to detect climbing.
Other intrusion sensors detect human motion by measuring changes in heat or ultrasonic sound within a room. In fact, many intrusion sensors are really just environmental sensors configured for human activity. Thus, innocuous items such as coffee pots not turned off or room fans can generate false alarms. Doors are usually monitored with magnetic switches. A magnet is mounted on the door, and a switch made of thin metal strips is mounted on the doorframe.
When the door is shut, the magnet pulls the metal strips closed, completing a circuit (or pushes them open to break a circuit). The perimeter of an area can be monitored with microwave or infrared beams that are broken when a person passes through them. Cables that detect people passing overhead can be buried in the ground. Animals are a source of false detection for these perimeter sensors. An important feature of many alarm systems is how the sensors communicate with the controller — wireless or wired. (Wenbo, 247) Wireless systems are generally cheaper to install, but can suffer radio frequency interference or intentional jamming. Wired systems can be expensive or impractical to install but can be made quite secure, especially if the wires are in conduit.
Whether wired or wireless, the better systems will incorporate some method for the controller to monitor the integrity of the system. The sensors can be equipped with tamper switches and the communication links can be verified through “line monitoring.” The key question for alarms is: who and what is it supposed to detect, and what is the intended response? The “who” will define the sophistication of the alarm system, and the “what” may dictate the sensitivity of the sensors.
Provided with this, the alarm specialist can then determine the appropriate mix and placement of sensors. A major task of the alarm controller is to arm and disarm the system, which really means to act upon or ignore the information from the sensors. With such a vital function, one must have some means to authenticate the person’s authority to turn off the alarm system. As with the locks in the previous section, the methods to do this are essentially the same as for authenticating to any information system, ranging from passwords to smart cards to biometrics, with all the same pros and cons. (Frederick, 534)
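The controller-side integrity checks described above (tamper switches and “line monitoring”), as an added example that is not from the original text or any alarm product: each sensor report carries a sequence number and an HMAC, and a sensor that falls silent is reported as a line fault. The report format, sensor names, keys and the 90-second supervision window are assumptions made for illustration.

```python
import hashlib
import hmac
import json

SUPERVISION_WINDOW = 90  # seconds of silence tolerated (assumed: reports every 30 s)


def _mac(key: bytes, report: dict) -> str:
    body = json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_report(key: bytes, report: dict) -> dict:
    """Sensor side: attach a MAC so the controller can detect altered reports."""
    return {**report, "mac": _mac(key, report)}


class AlarmController:
    """Hypothetical controller that supervises its sensors and links."""

    def __init__(self, sensor_keys: dict):
        self.keys = sensor_keys
        self.last_seq = {sid: -1 for sid in sensor_keys}
        self.last_seen = {sid: None for sid in sensor_keys}

    def receive(self, message: dict, now: int) -> list:
        """Validate one report and return the events it raises."""
        report = dict(message)
        mac = str(report.pop("mac", ""))
        sid = report.get("sensor")
        key = self.keys.get(sid)
        if key is None:
            return ["unknown-sensor"]
        if not hmac.compare_digest(_mac(key, report), mac):
            return [f"{sid}: bad-mac"]
        if report["seq"] <= self.last_seq[sid]:
            # A replayed frame does not refresh last_seen, so replaying old
            # traffic cannot hide a silenced sensor from supervise().
            return [f"{sid}: replay"]
        self.last_seq[sid] = report["seq"]
        self.last_seen[sid] = now
        events = []
        if report.get("tamper"):
            events.append(f"{sid}: tamper")  # housing opened (tamper switch)
        if report.get("alarm"):
            events.append(f"{sid}: alarm")   # the sensor's real alarm condition
        return events

    def supervise(self, now: int) -> list:
        """Line monitoring: flag sensors with no valid report inside the window."""
        return [f"{sid}: line-fault"
                for sid, seen in sorted(self.last_seen.items())
                if seen is None or now - seen > SUPERVISION_WINDOW]


if __name__ == "__main__":
    keys = {"door-1": b"constructed-key-1", "glass-2": b"constructed-key-2"}
    ctl = AlarmController(keys)
    ok = sign_report(keys["door-1"],
                     {"sensor": "door-1", "seq": 1, "alarm": False, "tamper": False})
    print(ctl.receive(ok, now=0))                 # normal report, no events
    print(ctl.receive(ok, now=10))                # same frame again
    print(ctl.receive({**ok, "seq": 2}, now=20))  # altered after signing
    opened = sign_report(keys["door-1"],
                         {"sensor": "door-1", "seq": 2, "alarm": False, "tamper": True})
    print(ctl.receive(opened, now=30))            # tamper switch tripped
    print(ctl.supervise(now=60))                  # glass-2 has never reported
    print(ctl.supervise(now=200))                 # door-1 has gone silent as well
```
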
Lights and Cameras
Lights and cameras are combined because they serve essentially the same function: they allow us to see. In addition, lighting is a critical element for cameras. Poor light or too much light, such as glare, can mean not seeing something as big as a truck. Proper camera lighting is a field unto itself; and for high-security situations, data from lighting and camera manufacturers should be consulted. A common misuse of cameras is assuming that they will detect an intruder. With a camera, the possibility certainly exists; in terms of deterrence, both lights and cameras increase the risk to perpetrators that they will be seen. (Wenbo, 250)
For many low-threat situations, this is sufficient; however, as the threat or risk increases, they cannot be relied upon. If a guard’s attention is focused elsewhere (and often is), the event will go unnoticed. If ever in doubt, try putting a camera outside an access door without a buzzer for people to ring. People will become rapidly annoyed that the guard does not notice them and open the door fast enough. Cameras are best suited for assessing a situation — a tool to extend the eyes (and sometimes ears) of the guard force.
Antitheft, Antitamper, and Inventory Controls
It is obvious that the theft of computers and peripherals can directly affect the availability and confidentiality of data. However, tampering is also an issue, particularly with data integrity. Physical access affords the opportunity to bypass many traditional IT security measures by inserting modems, wireless network cards, or additional hard drives to steal password files, boot up on alternate operating systems, and allow unauthorized network access — the list goes on and on.
Physical access to security peripherals such as routers may enable someone to log in locally and modify the settings. The retail and warehouse industries have created a wide range of products to prevent theft and tampering. Antitamper devices control access to ensure the integrity of the protected asset, whereas antitheft devices and inventory controls are intended to limit movement to a confined area.
The technologies behind these products have rapidly spilled over into new product lines designed to protect IT assets. Antitheft devices include locked cages, cabinets, housings, cables, and anchors. Labels and inventory controls such as barcodes discourage theft. More sophisticated devices include vibration or motion sensors, power line monitoring, and electronic article surveillance (EAS) systems. (Wenbo, 254)
Power line monitoring alerts us when someone has unplugged the power cord of a computer or other protected asset. EAS systems alert us when a protected asset is moved from a designated area. The most familiar EAS devices are probably those little tags attached to clothes or merchandise in retail stores. They cause that annoying alarm when one departs the store if the clerk forgets to disable it. Antitamper devices include locked cabinets, locking covers, microswitches, vibration or motion sensors, and antitamper screws.
The Role of Physical Security
A basic role of physical security is to keep unwanted people out, and to keep “insiders” honest. In terms of IT security, the role is not that much different. One could change “people” to “things” to include fire, water, etc., but the idea is the same. The greatest difference is expanding the assets to be protected. Physical security must not only protect people, paper, and property, but it must also protect data in forms other than paper. So where does one start?
Recall the above descriptions of depth in a layered defense where one countermeasure or barrier backstops the preceding one. In a textbook analysis, sufficient depth is determined by security response time. (Michael, 87) Physical security practitioners view each control or countermeasure as a delaying action. The amount of time it takes for the guard force to respond is equivalent to the minimum delay needed. Although a tried and true strategy in the physical security realm, it was only recently proposed as an IT security strategy.
For the physical world, it works like this. Suppose one has an estimated response time of ten minutes by the local police. One discounts the perimeter wall as only a deterrent because there are no alarms there. The first alarm is at the front door, which one estimates will take two minutes to get past. Thus, one needs an additional eight minutes worth of inside layers between the door and the cash for the police to apprehend the thief.
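The delay calculation above can be written out as a short script. This is an added example, not part of the original essay; it generalizes the single front-door case to several entry paths and reports the one that leaves the largest gap. Only the ten-minute response time and the two-minute alarmed front door come from the text; the other layers, names, and delays are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    name: str
    delay_min: float   # estimated minutes to get past this layer
    alarmed: bool      # True if defeating this layer raises an alarm

def delay_after_detection(path):
    """Minutes of delay from the first alarmed layer onward.

    Layers before the first alarm are deterrents only: the response
    clock has not started, so their delay is not counted. Returns None
    when nothing on the path raises an alarm.
    """
    for i, layer in enumerate(path):
        if layer.alarmed:
            return sum(l.delay_min for l in path[i:])
    return None

def shortfall(path, response_min):
    """Extra minutes of delay still needed on this path (0 if enough)."""
    delay = delay_after_detection(path)
    if delay is None:
        return float("inf")   # never detected, so no response arrives
    return max(0.0, float(response_min - delay))

def weakest_path(paths, response_min):
    """(name, shortfall) of the path that leaves the largest gap."""
    return max(((name, shortfall(p, response_min)) for name, p in paths.items()),
               key=lambda item: item[1])

# Constructed sample data. Only the 10-minute response and the 2-minute
# alarmed front door come from the text; everything else is assumed.
RESPONSE_MIN = 10
WALL = Layer("perimeter wall", 1, alarmed=False)
PATHS = {
    "front door only": [WALL, Layer("front door", 2, True)],
    "front door, layered": [WALL, Layer("front door", 2, True),
                            Layer("office door", 3, True), Layer("safe", 5, True)],
    "loading dock": [WALL, Layer("dock door", 4, False),
                     Layer("storeroom door", 3, True)],
}

if __name__ == "__main__":
    for name, path in PATHS.items():
        print(f"{name}: shortfall {shortfall(path, RESPONSE_MIN)} min")
    print("weakest:", weakest_path(PATHS, RESPONSE_MIN))
```

The loading-dock path shows why an unalarmed layer adds nothing to the calculation: its four-minute door is passed before the response clock starts.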
For the IT world, layering brings to mind firewalls backed up by routers, backed up by proxies, etc. Notice that physical controls were backed up by additional physical controls and “cyber” controls were backed up by more cyber controls. This is okay to a point; but for data security, the roles of physical and cyber controls should be to complement one another. They become interleaved in a multidisciplinary defense. (Robert, 422)
Policies created to fulfill the “know it” tenet provide the necessary roadmaps to implement the other tenets. Policies instruct us to take the steps outlined in the other tenets. With each tenet, there were physical security examples and corresponding IT security examples. Thus, the policies to protect information must address both physical and IT security requirements. Why protect information in digital form, and then not write policy to protect it in paper form? Policy should cover both.
They should be consistent in approach, but not always identical in application. For example, suppose there is a policy to ensure that project confidential information is delivered securely to project partners. For the paper world, a sealed envelope might be sufficient; but for the digital world, robust encryption is needed. So why not encrypt the envelope as well?
Certainly, the delivery cyclist is capable of tearing open an envelope; so should it not have the same protection? The reason is the scale of risk. The cyclist can be identified, is probably bonded, and if he or she should drop it, very few people would likely ever see the contents. However, when sending data across the Internet, one has no idea who might come in contact with it, and it can be replicated and redistributed in enormous quantities with amazing speed at virtually no cost to an unethical person.
The approach to the “secure it” tenet is the same for digital and nondigital information: deliver it securely; however, the implementations for each are tailored to individual risk. On the digital side of policy, one cannot divorce oneself from physical access control. For example, a high-level policy states: “Users must be uniquely identified to gain network access.” From this emerge standards for passwords, password receipts, and password storage.
However, as illustrated previously in the payroll scenario, success for the high-level policy is not assured until one includes standards for protecting physical access to the computer, be it disabling floppy drives or locking the office door. Ensure that IT security policies and standards address avenues of access control in both the physical and digital worlds; this enhances the depth and breadth. Breadth is also improved if standards and policies are applied across the board.
If the standards were applied to all networked computing assets in the payroll scenario, the alarm system computer would be covered as well. Access control systems provide a significant increase to the security level of a facility. As with all security systems, any increase in the level of security brings with it an increased level of inconvenience. The trick is to balance the need for access control with the need for facility protection and keep the inconvenience to a minimum.
Andrew Jaquith. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Publisher: Addison-Wesley Professional; 2007: 263-279.
David F. Ferraiolo, D. Richard Kuhn, Ramaswamy Chandramouli. Role-Based Access Control. Publisher: Artech House Publishers; 2 Edition, 2007: 179-185.
Earl Carter, Jonathan Hogue. Intrusion Prevention Fundamentals. Publisher: Cisco Press; 2006: 217-224.
Frederick Gallegos, Daniel P. Manson, Sandra Senft, Carol Gonzales. Information Technology Control and Audit, Second Edition. Publisher: AUERBACH; 2 Edition, 2004: 521-534.
Harold F. Tipton, Micki Krause. Information Security Management Handbook, Sixth Edition. Publisher: AUERBACH; 6 Edition, 2007: 1547-1580.
Mary Lynn Garcia. The Design and Evaluation of Physical Protection Systems. Publisher: Butterworth-Heinemann; 2001: 87-96.
Mary Lynn Garcia. Vulnerability Assessment of Physical Protection Systems. Publisher: Butterworth-Heinemann; 2005: 144-158.
Messaoud Benatar. Access Control Systems: Security, Identity Management and Trust Models. Publisher: Springer; 2005: 154-164.
Michael Khairallah. Physical Security Systems Handbook: The Design and Implementation of Electronic Security Systems. Publisher: Butterworth-Heinemann; 2005: 78-83.
Robert Fischer. Introduction to Security. Publisher: Butterworth-Heinemann; 7 Edition, 2003: 412-427.
Wenbo Mao. Modern Cryptography: Theory and Practice. Publisher: Prentice Hall; 2003: 240-252.
William P Crowell, Brian T Contos, Colby DeRodeff, Eric Cole. Physical and Logical Security Convergence: Powered By Enterprise Security Management. Publisher: Syngress; 2007: 384-399.