Since September 11, previously obscure security concepts such as biometrics and steganography have become front-page fodder. Cries for tighter security in all aspects of our daily lives are being met with the dull stare of condemned sheep.
What is the role of IT in a more security-conscious world? Will computer security specialists start dabbling in areas -- such as building access -- traditionally considered the province of other departments? Or will they find themselves in as much demand as Web designers were a few short years ago, only to find themselves pulling lattes after the fad subsides?
Clearly, businesses must implement basic security measures as part of their fiduciary responsibilities. Even in small and privately held companies, IT security is recognised as a responsibility that, although it doesn't look anything like the traditional physical security measures of gates, guards, and guns, is increasingly important today. Many IT departments are dealing with budgets that aren't going to expand to cover new responsibilities and in fact may shrink further before the impending global recession has run its course. So what can IT departments do to improve corporate security?
The most important thing is to put one's own house in order. Much of the threat of cyberterrorism stems from a perception that computer systems are not secure. This perception is usually true to some degree because the very act of networking computer systems implies that security has been compromised. The increasing pervasiveness of internet technology has only made matters worse; universally accessible technology means that it is available to the folks in the black hats as well as the ones in white.
Although most vendors issue patches for flaws in networking software and operating systems and even publicise the availability of these fixes, too often harried IT staff are pressured to keep systems up and running at the cost of necessary maintenance. IT organisations that let patch installation go by the wayside are leaving a backdoor open for anyone who wants to have a go at the computers. Most people wouldn't do this in the physical world, but in computing, even big names such as Lucent and Microsoft get caught with their pants down, as seen most recently during the Code Red outbreaks of July and August.
Patching is only a small part of securing the infrastructure. It is just as important to perform simple -- yet often neglected -- tasks such as cleaning up default software and hardware installations by removing sample code and unnecessary applications and services. It is also wise to take advantage of device features that improve security, such as using a router's filtering abilities to screen out traffic from forged addresses. The FBI and the SANS (System Administration, Network, and Security) Institute recently released an updated list of the most critical internet security vulnerabilities at the SANS website; many products will scan for these and other chinks in the armor.
Of course, there's more to IT securing its own turf than installing available patches and reconfiguring routers. Another important issue is the IT staff itself. Vetting staff before they walk in the door is critical. Background checks are an important part of the hiring process but are too often neglected. They're also important after the hire, when sensitive or trusted positions are involved. Of course, it's wise to be careful in going about this -- we always advise seeking legal counsel before starting or modifying a background-checking program -- because the price of jumping to false conclusions could be a defamation lawsuit.
But background checks are incapable of determining an employment candidate's true state of mind, and personal peccadilloes are often immaterial to one's suitability for a job. Arguably, the most dangerous employee is the one who doesn't have any loyalty to the company. Make sure that temporary IT staff come from a reputable body shop and ask about the shop's background checking. Remember that human beings are involved: If something questionable turns up in a background check, it can often provide an opportunity to gauge a candidate's honesty.
You can also improve security by throwing more technology at the problem. Wide-open lobbies with freely accessible elevators are becoming a thing of the past. Simple radio-based badge readers are already commonplace for controlling physical access to buildings and floors, and the first generation of smart cards is already delivering on the promise of integrated building and computer-access devices. For many companies, the obstacle to adopting biometrics, smart cards, and the like for facilities and systems access is cost; with IT budgets stagnant or growing very slowly for the foreseeable future, gadgets running $100 per seat to $300 per seat, including installation and training, are going to prove a hard sell unless there's a specific requirement for them.
Often it takes the heavy hand of government to force an industry to adopt costly security measures, as in the case of financial service and health care providers. We doubt that most companies will pick up the tab for a sweeping implementation of biometrics or smart-card technology until they absolutely must. If given the opportunity to do so, IT departments should work closely with facilities departments and other staff to ensure that the biometric/smart-card/new technology solution does not paint the company into a corner when computer systems are overhauled or when departments relocate. Facilities staffs are likely to continue to be responsible for basic security of the premises, but IT employees must be prepared to take a leading role in the integration of computer and physical security.
In general, the months to come will be good for IT security in that if any project will get funding during these turbulent times, it will be one pitched as a security improvement. But IT can do its part to bolster corporate security without spending big bucks on overhauling badge systems or looking for dirt on current and prospective employees. The best way to improve IT security is to properly maintain what's already installed.
Physically securing IT equipment and facilities isn't usually the IT staff's responsibility. In most organisations, a facilities department or an equivalent group handles that, and IT is simply one of their more demanding customers. But the rules for securing buildings may change in light of the September 11 attacks, and one of the outstanding questions concerns the degree to which IT staffs will be involved with future physical security enhancements.
Note the above choice of words: We don't foresee IT taking over responsibility for workplace security. Most facilities departments take appropriate measures -- heavily armed lunatics being an unpleasant reality -- and many have been on heightened alert since the terrorist attacks. Some have already signed purchase orders for new security devices. It's likely that many organisations will choose to bolt biometric and smart-card authentication readers onto their existing building access schemes because this is how many products are being marketed. Even with additional sophisticated security technologies, facilities departments will continue to hold the keys because there's been no reason to change a long-standing practice.
Planning for the future, however, will require facilities and IT departments to work together more closely. Upgrades to physical access systems present an ideal opportunity to consider the benefits and pitfalls of a coordinated strategy that embraces both building access and computer access controls. The convenience of a common access control certainly sounds tempting, but beware the potential drawbacks as well.
For example, when building access and computer access are managed by separate systems, if one system is compromised, the other remains secure. Consider also the practical issues before implementing a mass access-control program: How well does a system handle the morning, lunchtime, and evening rushes for the doors? Perhaps most importantly, what does the fire marshal think about the plan? After all, the best security system in the world is useless when the fire department refuses to issue a certificate of occupancy, so organisations have a powerful incentive to get it right the first time.
One of the toughest chores of a security manager is determining what the appropriate course of action should be, because overkill is almost as disruptive as taking no precautions whatsoever. Whereas some enterprise leaders may choose to integrate building access and computer access systems, most will deem it easier and wiser to keep the two separate. Although an additional layer of physical security may be appropriate in certain parts of buildings, such as server rooms, the usefulness of hardening physical security at all levels of every business in the absence of a specific threat is questionable.
PJ Connolly covers groupware, messaging, networking, and security for the InfoWorld US Test Centre.