
Integrating IT & physical security systems

DQW Bureau

While security per se has always been a hot area in enterprise IT, the
gruesome events in Mumbai on 26/11 have altogether changed the security
paradigm. The focus on the physical security aspect has increased manifold;
enterprises have stepped up surveillance measures and introduced integrated
security products as safety concerns rise across the country.

Nothing illustrated this better than the telling postscript at the end of the
Nasscom invite for India Leadership Summit in Mumbai: “At Nasscom, we understand
the security concerns that you might have, following the unfortunate incident in
Mumbai. In all our conferences, we ensure that the security measures are
stringent and foolproof to the best of our ability.” The note went on to list
the security measures being undertaken at the summit. Kasab and his cronies
might not have yet shaken up the somnolent government machinery, but they have
at least ensured a vibrant security market for enterprises notwithstanding
slowdown effects.

Post November 26, enterprises of all hues and sizes have begun to look beyond
IT, at the physical infrastructure. Their focus is now on three key areas:
security of the physical infrastructure, the resilience of the security system
and the disaster recovery mechanism they have in place. Some of the key steps
initiated include closer checks on vendors and suppliers visiting office
premises. Such visitors are asked to provide adequate details so that the
individuals can be identified when they are within the office. Remember, the
terrorists who virtually assembled an arsenal in a Taj room were staying as
guests for a few days and must have been walking in and out several times.


There is now an added emphasis on background checking of new employees. The
National Skills Registry system, which ensures that individuals employed by
organizations have their background and antecedents verified to prevent the
menace of fake resumes, is being made mandatory by many companies. Entry and
exit rules such as recording one's arrival in the visitor's register are also
being enforced more strictly. In many organizations, visitors are escorted from
the reception to the meeting place and then back to the reception.

10 Security Trends of 2009
The perimeter moves inside:

Traditional security postures define the perimeter as the exit/entry point
of the organization. With the business dynamics of partnerships,
outsourcing, etc, the perimeter has moved inside. It now lies between
business-critical information/assets and other elements. This includes
internal users, as they are also an area of potential risk.

Keep the good things in:

Traditional security postures are focused on protecting organization
information and “keeping the bad out”. However, preventing internal
information leakage (intentional or accidental) is considered very important,
to “keep the good things in”.

Enterprise risk management approach:

IT risk is traditionally considered in isolation due to its technical
complexity and constant change. However, it needs to link up with the
business enterprise risk management postures, as business is what would drive
all initiatives and investments, especially in the current economic scenario.

Protection at the source:

Security investments at the infrastructure level have been focused on
already (eg, firewalls, AV systems, etc). With most vulnerabilities in the
applications, the focus would now move to securing applications or, better,
building secure applications. This would be significantly more important when
new age applications such as mobile banking, 3G applications, etc come up.

Focus on “Management” aspects of security:

Most organizations are challenged with the operational aspects of
security. It's easier to focus on security during high alert/risk times. How
can the same level of diligence be achieved during business-as-usual times
as well?

Synergy of controls - physical and logical security:

Physical security postures would integrate with IT or logical security
controls. A combined physical and logical security posture would help
organizations achieve higher and more relevant security levels.

Conscious security posture:

Several organizations have invested in security postures and know that they
are secure to an extent. This “extent” is most times not known, which can be
called a “non-conscious” security posture: we know we are secure, but are
not sure against what and for how long. Organizations would want to
move towards a more aware and conscious state of security.

Result oriented automation:

Automation of security controls has been done for years and is very
important to achieve scalability and reliability of controls. As new
security technologies emerge organizations would look at meaningful ways of
deploying them. It's not about what the technology or tools offer, but what
I want from them. This would be further driven by the need to derive more
from current investments, the new economic mantra.

Build up toward ROSI models:

ROSI (Return on Security Investment) is a concept which is yet to mature.
It's not something which can be developed and used effectively for some
time. However, organizations would move towards trying to develop ROSI
models. The big difficulty in ROSI is that security investments are not done
so that you get something; they are done so that we don't get some things (eg
exposures, exploits, etc).

Build security into business:

Today, security is always external to business; that is, we do business
activities in a certain way and then deploy security controls to protect what
we do. In an ideal world we should do business activities in a secure way
itself. This is building security into the business, with the business owners
owning the security of whatever they do. This again is not easy, but
organizations would need to move towards it, with a small step being educating
business owners on their responsibility toward security.


Following the terror attacks, large enterprises have approached the Indian
government for CISF protection to their facilities. Only recently, the Indian
government (through an ordinance) has allowed CISF to guard private
installations. On its part, the government is in fact busy exploring new systems
for increased security. As per reports, scientists are evaluating a
state-of-the-art embedded security system to safeguard busy railway stations
across the country, some of which had been targets of terror attacks. The
security system comprises 14 sensors that carry out surveillance and detection
activities and would help do away with frisking of people. One sensor even
detects explosive material using Raman Spectroscopy.

Rising security concerns are boosting the demand for products that integrate
the existing security systems to offer better surveillance. The marriage between
IT and physical security is not just on the cards, but already being solemnized.
In the past, there were technologies but they were installed in a dispersed
manner. Today, these are being integrated to offer more effective and real-time
surveillance.

Integrated security solutions leverage technology to analyze incoming video
information from cameras, pinpoint potential threats, and escalate information
through the established IP infrastructure to appropriate personnel or systems.
For instance, HCL Security recently introduced a unique concept called “Safe
State”. It is an architecture leveraging technology to build a security
framework that can safeguard life and infrastructure. It can help secure
vulnerable areas such as hotels, hospitals, IT companies and outsourcers,
educational institutions and railway stations.

Source: Dataquest