Network Security Gets Physical
The need is being driven partly by the heightened focus on overall security since the creation of the Department of Homeland Security and the establishment of regulations such as HIPAA and Sarbanes-Oxley, as well as by the availability of network-monitoring tools that centralize the administration of disparate systems.
That doesn't necessarily mean mom-and-pop hardware stores will have their networks, security cameras and alarm systems running from one centralized console, or that security guards and IT personnel will be interchangeable any time soon. But the roles of these employees are beginning to overlap like never before, and, typically, the organizations looking most closely at these technologies are primarily found in the government, banking and health-care sectors.
"We're seeing the convergence of physical security with cybersecurity," says Mo Bakheit, practice manager for mobility and information assurance at GTSI, a Chantilly, Va.-based government solution provider that is working with some 30 other technology vendors to set up security at next year's Super Bowl in Jacksonville, Fla. "We're developing the highest-level security framework we can, based on Homeland Security specifications, to help protect people from both kinds of threats." In the financial sector, banks can get more favorable insurance rates by demonstrating robust security systems. The result is that high-profile banks"not so much at local branches, but at corporate offices in urban centers"are setting up more comprehensive security systems.
Paul Stitch, CEO of Counterpane, a managed-security services provider in Mountain View, Calif., cites one New York-based bank that has X-ray machines and security cameras on-site that are linked to the company's network security systems. (The bank also has bomb-sniffing dogs on the premises, but presumably no one has yet discovered a way to hook them into the network.)
"The bank got a $5 million savings on its insurance policy by having all these things in place," he says. "By complying this way, it's possible to turn security into a profit center. We've been asked by some customers to monitor their physical facilities, and network security has become a component of their overall security policy."
The emergence of wireless networks and telecommuters also is a factor. Indeed, something as simple as remote-access workers connecting a home PC to their corporate networks may technically run afoul of Sarbanes-Oxley-type regulations.
"The regulators don't want people using their home PCs to connect to a network, but it happens all the time," says Craig Isaacs, president of Neon Software, a network-management software developer in Novato, Calif. "And when you plug a PC into a wireless connection, it opens up the whole network and can be just as bad as a breach."
Tip of the Iceberg
The aforementioned examples deal chiefly with big organizations with vast networks and grave security concerns, but tools are beginning to emerge that are uniting physical and network security in more everyday ways. For instance, Neon Software has created LANsurveyor, a tool that helps map networks so IT managers can see who has access to any port on a system, giving a clearer view of who's accessing what and from where.
"Now that the practice knows which port the hacker was connected to, they can start recording video of where the port is," Isaacs says. "We're not exactly sure yet what people will want to do with the technology, but we know the software can help them get to where they want to go."
Isaacs says an increasing number of customers have been asking for ways to integrate their security systems. LANsurveyor accomplishes this by correlating Layer 2 and Layer 3 switching protocols, making it easier for network monitors to not only spot an intrusion attempt, but to see which actual physical port on the network is being violated. As in the case of a Tulsa, Okla.-based medical practice that used the tool to isolate a network intruder (see "Pinpointing Attacks Becomes More Exact" on page 40), Isaacs says LANsurveyor is the kind of product that can show managers how to make the two types of security systems work better together by giving a clearer overview of what's happening at any point on a network. Isaacs says more tools that help security convergence move toward reality will become available before the end of the year. For now, it's still a niche area populated by companies such as Neon and Axis Communications, a Swedish developer of networked security cameras, print and video servers. But more are likely to follow suit.
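The correlation described above joins a Layer 3 view (which MAC address holds an IP) with a Layer 2 view (which switch port learned that MAC). The sketch below is an added example, not LANsurveyor's code or method; the table formats, port names, location inventory and uplink threshold are all assumptions.

```python
import re

# Constructed sample data (not from the article). Layer 3 view: a router's
# ARP table (IP -> MAC). Layer 2 view: a switch forwarding table
# (VLAN, MAC, port). Port names and locations are hypothetical.
ARP_TABLE = """10.0.5.21  0011.2233.4455
10.0.5.34  00aa.bbcc.dd01
10.0.5.99  00aa.bbcc.dd09"""
MAC_TABLE = """5  00:11:22:33:44:55  Gi0/7
5  00aa.bbcc.dd01  Gi0/24
5  00aa.bbcc.dd02  Gi0/24
5  00aa.bbcc.dd03  Gi0/24"""
PORT_LOCATIONS = {"Gi0/7": "Exam room 3, jack B"}
UPLINK_THRESHOLD = 3  # assumption: >= 3 MACs on one port means an uplink

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_tables(arp_text, mac_text):
    """Build IP->MAC, MAC->port and port->{MACs} maps from the two tables."""
    ip_to_mac, mac_to_port, port_macs = {}, {}, {}
    for ip, mac in (line.split() for line in arp_text.splitlines()):
        ip_to_mac[ip] = normalize_mac(mac)
    for _vlan, mac, port in (line.split() for line in mac_text.splitlines()):
        mac_to_port[normalize_mac(mac)] = port
        port_macs.setdefault(port, set()).add(normalize_mac(mac))
    return ip_to_mac, mac_to_port, port_macs

def locate(ip, ip_to_mac, mac_to_port, port_macs):
    """Resolve an alert's source IP to a physical access port, or say why not."""
    mac = ip_to_mac.get(ip)
    if mac is None:
        return {"ip": ip, "status": "no-arp-entry"}
    port = mac_to_port.get(mac)
    if port is None:
        return {"ip": ip, "mac": mac, "status": "mac-not-on-switch"}
    if len(port_macs[port]) >= UPLINK_THRESHOLD:
        # Many MACs behind one port: repeat the lookup on the next switch.
        return {"ip": ip, "mac": mac, "port": port, "status": "uplink"}
    return {"ip": ip, "mac": mac, "port": port, "status": "located",
            "location": PORT_LOCATIONS.get(port, "unmapped")}
```

A result of `uplink` means the MAC was learned through another switch, so the same lookup has to be repeated there before a wall jack can be named.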
"You could have an application that shuts down exits or triggers alarms throughout a facility," Isaacs says. "Any system that has a Windows-type icon that you can double-click on, we should be able to make a tool or a system that can connect to it."
But not everyone thinks a complete integration of physical and network security systems is in the cards. For example, even though Counterpane has had the chance to increase its physical security expertise, Stitch says the company will do so only to a point.
"It's not our plan to monitor a bunch of buildings; for now, we probably won't do much more than monitor power grids for public utilities," he says. But Stitch does admit that more products seeking this space in the market will start to emerge in the coming year.
Others are even less convinced that security convergence is imminent. Clarence Briggs is CEO of Advanced Internet Technologies (AIT), a Web-hosting and e-commerce solution provider in Fayetteville, N.C., that is an example of a company whose network and physical assets work together. With more than 80 percent of its staff having a military background—Briggs himself is a retired Army major—and residing near a major military base, AIT is about as secure as any private-sector business could be.
The company's hierarchy is organized along military lines, with officer boards and cross-training across disciplines; razor wire rings its physical facility, in addition to armed guards, integrated security, alarm systems and window barriers, with all the points of the physical facility linked together whenever possible across a centrally monitored network.
"Most of our competing Web hosts claim they're secure, but they don't have anything like we do," Briggs says. "Sometimes the system can be a little intrusive to visitors, but most of our customers say they appreciate the security of it."
Despite being a poster child of sorts for security convergence, Briggs is skeptical that the two types of systems can be seamlessly integrated. "Everyone's looking for a security magic wand, but they'll never find it," he says. "You could tie in and manage all your security systems under one console, but threats are constantly changing, so security tools must remain dynamic."
The other aspect that is unclear for now is how easy it will be to actually integrate physical and network security systems whose underlying protocols may be incompatible. For instance, Radiant Logic, a Novato, Calif.-based developer of virtual directory server solutions, is in talks with a "brand name" physical security company that has expressed interest in expanding its expertise into network security.
"There's no reason they can't get into network security, but they're probably two years away from seeing jointly developed products, primarily because they're a bigger company that moves a little slower," says Dieter Schuller, Radiant's vice president of sales and business development.
Schuller says that regardless of the timetable, the desire to converge physical and network security systems is strong across the board. "Almost all customers are focused on having a centralized policy engine that can oversee what everyone has access to physically and logically," he says. "It's everybody's Holy Grail. The technology's not there yet, but it's on the drawing board of all our customers."