The diagram shows two boxes, which represent the servers, sitting on the left. On the other side is the storage software, represented by a somewhat ephemeral cloud. In between are two arrows showing the path of the data through the application and into the server. There’s just one thing missing, and Val Bercovici knows what it is.
“What you don’t see here is any security,” the chief technical architect at Network Appliance recently told the keynote audience at an industry conference in Toronto.
“That’s because there isn’t any. Apart from physical access, there’s no security for this data.”
If the crowd of IT managers and resellers were surprised, they didn’t show it.
Perhaps they were already senior enough to know how frighteningly vulnerable most enterprise data is. Or perhaps they’ve just been keeping up with their national newspapers, where horror stories of major security breaches have become all too common.
One of the most recent — and high-profile — examples came in January, when reports surfaced about a missing hard drive from an Information Systems Management facility in Regina. Well-known ISM customers, like Co-Operators Life Insurance Co., were left to reassure thousands of customers that their personal information would be safe.
In March, British Columbia’s Ministry of Human Resources underwent a major security review after a server was stolen from one of its office buildings.
These are organizations which no doubt have talented IT people downloading the latest security patches and anti-virus products, but experts are beginning to call for a more comprehensive approach.
Why hack into a database, they ask, when you can just walk in the data centre’s door and take what you want?
“We’ve really dealt with anti-virus systems and firewall systems, but our IT organizations realize very well today that security needs to be managed much better,” says Russ Artzt, executive vice-president and co-founder of Computer Associates, which recently formed a partnership with security investigators Pinkerton International.
Artzt says physical access policies may exist in large enterprises, but they aren’t enforced consistently.
When employees enter a building and don’t have the proper badge, for example, that’s often a security violation. If an employee with a badge were able to enter the building’s day care centre without authorization, however, you need a different security policy, he says. “If an employee that normally only works Monday to Friday comes in on a Sunday morning, that should raise an alert. There should be a central policy enforcer to deal with that,” he says.
CA recently joined with several other organizations to create the Open Security Exchange (OSE), which will pair technology companies with traditional security specialists.
Among the latter organizations is HID Corp., which supplies access cards for physical security to a variety of Fortune 500 companies.
Joe Grillo, HID’s president, says many of his customers are looking for a single credential with multiple functions.
“As well as opening a door to a protected area, they’d like to use the card for time and attendance purposes, perhaps cashless vending in a university environment, certainly as a photo ID which utilizes the latest technologies in anti-counterfeiting,” he says.
While smart card projects have fizzled in the public sector, Alex Mandel, CEO of Gemplus, said they will play an increasing role in the physical access arena.
“The smart card itself just has a lot more functionality, a lot more capability, and just some basic levels of integration and interoperability that make it possible to address this need,” he said.
Some firms, like Somerset, N.J.-based Software House International, are focusing on application programming interfaces (APIs) that will allow users to tie access-control systems to digital video, human resources and even time and attendance systems.
“If you had a server room where you had your most important and high-risk enterprise data, you could set up your room so there could never be one person in there at once,” says Don Liman, Software House’s vice-president.
“You could even say that if there are two people, one of them has to be an IT administrator at ‘X’ level.”
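As an added illustration, not code from the article or from any vendor named in it, of the two policies quoted above (Artzt’s off-schedule badge alert and Liman’s two-person server-room rule), here is a small central policy enforcer for badge events; the employee directory, the admin_level field and the required level of 2 standing in for ‘X’ are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Employee:
    name: str
    workdays: frozenset      # weekday numbers on which badge entry is expected (0=Mon .. 6=Sun)
    admin_level: int = 0     # hypothetical stand-in for "IT administrator at 'X' level"; 0 = not an admin

WEEKDAYS = frozenset(range(5))
# Constructed sample directory; only alice is an IT administrator.
DIRECTORY = {
    "alice": Employee("alice", WEEKDAYS, admin_level=3),
    "bob": Employee("bob", WEEKDAYS),
    "carol": Employee("carol", WEEKDAYS),
}

@dataclass
class PolicyEnforcer:
    """Central policy enforcer that evaluates badge events against two rules."""
    directory: dict
    required_admin_level: int = 2                 # the 'X' level, chosen for this example
    occupants: set = field(default_factory=set)   # who is currently inside the server room

    def check_schedule(self, name: str, when: datetime):
        """Rule 1: a badge-in outside the employee's normal workdays raises an alert."""
        if when.weekday() not in self.directory[name].workdays:
            return f"ALERT: {name} badged in on {when:%A}, outside normal schedule"
        return None

    def request_entry(self, names):
        """Rule 2: nobody is ever alone in the room; a pair must include a qualified admin."""
        group = set(names) | self.occupants
        if len(group) < 2:
            return False, "denied: would leave a single person in the server room"
        if len(group) == 2 and not any(
            self.directory[n].admin_level >= self.required_admin_level for n in group
        ):
            return False, "denied: a pair must include an IT administrator at the required level"
        self.occupants = group
        return True, "granted"

    def request_exit(self, name: str):
        """Exits are checked too, so the room never drops to exactly one occupant."""
        remaining = self.occupants - {name}
        if len(remaining) == 1:
            return False, "denied: exit would leave one person alone in the server room"
        self.occupants = remaining
        return True, "granted"

def build_enforcer() -> PolicyEnforcer:
    return PolicyEnforcer(DIRECTORY)
```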
Employee awareness is as much a part of physical access security as IT security, and several vendors are taking steps to help educate their users.
In March, Symantec Corp. launched its Corporate Security Awareness Program, which will include tools to measure and track the participation and progress of employees.
The Open Security Exchange, meanwhile, has already begun publishing white papers on its Web site, opensecurityexchange.com, which offers tips on bringing physical and IT security closer together.
The picture might not be clear enough yet for Val Bercovici to include it in his next PowerPoint presentation, but at least the industry has begun to draw one.