The average person doesn’t immediately think of physical controls as information security measures. But clearly, limiting physical access is just as important as implementing technical and administrative controls. After all, if someone could walk out the front door with one of your servers—blade servers are pretty small, for example, and could nearly fit into the armpit of an exceptionally large guy posing as a package delivery person—in time the culprit would be able to break through your electronic defenses. So, secure the castle. Build fences. Lock doors. Install cameras. Hire guards. Require employees to carry and use badges.
I think most of us “get” physical security. Still, a few basic (and a few not-so-basic) physical security controls worth discussing include:
Room design. A typical office building has drop ceilings and raised floors. Great for wiring, heating and air conditioning, but bad for security. Anyone who has seen almost any spy or high-tech heist movie must surely be aware that ceilings frequently have enough space through which people can crawl. The moral of the story is that putting something really valuable behind a locked door will deter only someone who does not realize that he might be able to go over, under, or around the door. And if every dime-store novelist has figured it out, rest assured that the bad guys have as well.
Cameras. Depending on governing law and the prevailing corporate culture, many companies have policies that prohibit the taking of pictures on the premises. In certain countries people have no expectation of privacy, and everyone pretty much assumes they are being watched at all times. In others, most notably the U.S., people have an expectation of personal privacy, and the issue is touchier. Some companies ban cameras altogether, a great concept, though one that is not very practical in the face of modern cell phones. But why would a corporation’s security team care about pictures taken inside of an office building? Well, one reason is that a seemingly innocuous photo snapped in a hallway could show the type and placement of security cameras, information that could be extremely valuable to a 007-type professional-class thief, or even a bumbling intruder with half a brain.
Access cards. Many corporations now ask employees to swipe in and swipe out, not unlike the old whiteboard version where people signaled their presence in the office by moving a peg or a magnet from one column to the next as they breezed through the doorway. Swiping in, clearly, allows the back-end systems to confirm that the card belongs to someone who was not fired yesterday. Swiping out allows the system to make note of who has left the building. Although theoretically that information could be used to determine who needs to be accounted for in the event of an evacuation, the main reason for swiping out is so that logical access can be suspended while the person is known to be off the premises. If I swipe out and leave the building, and ten minutes later my ID is trying to log into a system from inside the facility, rather than remotely, alarm bells should sound.
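The badge-out correlation described above, as an added example that is not part of the original article: badge reader events are replayed to reconstruct whether each person is inside or outside, and every login that arrives from the internal network while its owner is badged out (or never badged in) is flagged. The event records, field layout, and user names are constructed for the example; a real deployment would read them from the access-control system and the authentication logs.

```python
import bisect
from collections import defaultdict
from datetime import datetime

# Constructed sample badge events: (ISO timestamp, user, "in" | "out").
BADGE_EVENTS = [
    ("2024-01-15T08:02:00", "alice", "in"),
    ("2024-01-15T08:05:00", "bob", "in"),
    ("2024-01-15T12:00:00", "alice", "out"),
    ("2024-01-15T17:30:00", "bob", "out"),
]

# Constructed sample login events: (ISO timestamp, user, "internal" | "remote").
LOGIN_EVENTS = [
    ("2024-01-15T09:00:00", "alice", "internal"),  # fine: alice badged in at 08:02
    ("2024-01-15T12:10:00", "alice", "internal"),  # suspicious: alice badged out at 12:00
    ("2024-01-15T13:00:00", "alice", "remote"),    # fine: remote access after leaving
    ("2024-01-15T07:55:00", "bob", "internal"),    # suspicious: bob has not badged in yet
    ("2024-01-15T16:00:00", "bob", "internal"),    # fine: bob badged in at 08:05
]


def _ts(s):
    return datetime.fromisoformat(s)


def build_presence(badge_events):
    """Per user, a time-ordered list of (timestamp, inside) state changes."""
    presence = defaultdict(list)
    for ts, user, direction in sorted(badge_events):
        presence[user].append((_ts(ts), direction == "in"))
    return presence


def is_inside(presence, user, at):
    """Badge state in force at time `at`; no prior badge record counts as outside."""
    states = presence.get(user, [])
    times = [t for t, _ in states]
    idx = bisect.bisect_right(times, at)  # badge events at or before `at`
    if idx == 0:
        return False
    return states[idx - 1][1]


def find_anomalous_logins(badge_events, login_events):
    """Return (timestamp, user) for internal logins made while the user is badged out."""
    presence = build_presence(badge_events)
    alerts = []
    for ts, user, source in sorted(login_events):
        if source == "internal" and not is_inside(presence, user, _ts(ts)):
            alerts.append((ts, user))
    return alerts


if __name__ == "__main__":
    for ts, user in find_anomalous_logins(BADGE_EVENTS, LOGIN_EVENTS):
        print(f"{ts}: internal login by {user} while badged out")
```

Remote logins are deliberately left alone: being off the premises is exactly when remote access is expected. The interesting policy question is what to do with an internal login from someone the badge system says is outside; the example only reports it, and whether the account is locked or an operator is paged is a decision for the organization.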
Biometrics. Biometrics are the wave of the future for access control. There are various kinds of biometric technologies for which a given bodily or behavioral characteristic is recorded, digitized, and stored. They fall into two main categories – physiological and behavioral. Physiological factors include the face, fingerprints, hand, iris, and even DNA. Behavioral factors include keystroke speed, signatures and voice. In reality, the entire hand, face, or whatever is not entered into the database. Only specific data points are recorded. Then, when a user needs access, he presents his hand, face, whatever to a reader, and the relevant data points are gathered and compared to the stored data. Close enough match? You’re in! For users, otherwise known as people or human beings, acceptance usually hinges on how “intrusive” the technology feels. Most people see fingerprints as fairly innocuous. Retinal or iris scanners, which require you to put your face into a contraption, are less well received. While acceptance by users is key for adoption, even more critical for the organization is reliability. Face and voice recognition tend to have a lot of false rejections, that is, denying access to someone who is authorized. Keystroke recording, on the other hand, has a higher rate of false acceptance, that is, granting access to someone who is not. While false rejections are an irritating inconvenience, false acceptances undermine the integrity of the system.
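The "close enough match" decision and the false-rejection versus false-acceptance trade-off, as an added example that is not from the original article: each enrolled template is a short vector of constructed data points, a presented sample is accepted when its distance to the claimed user's template falls under a threshold, and the false acceptance rate (FAR) and false rejection rate (FRR) are measured over a constructed set of genuine and impostor attempts. The templates, probe samples, and the plain Euclidean distance are assumptions for illustration; a real system uses modality-specific feature extraction and matchers, but the threshold trade-off the code exposes is the same.

```python
import math

# Constructed enrolled templates: user -> tuple of extracted data points.
TEMPLATES = {
    "alice": (10.0, 20.0, 30.0, 40.0),
    "bob": (12.0, 18.0, 33.0, 35.0),
    "carol": (50.0, 60.0, 70.0, 80.0),
}

# Constructed attempts: (claimed user, presented data points, genuine?).
# Genuine attempts carry a little sensor noise; impostor attempts are other
# people (or a near-miss sample) presenting under someone else's identity.
PROBES = [
    ("alice", (10.5, 20.0, 30.0, 40.5), True),
    ("alice", (13.0, 20.0, 30.0, 40.0), True),
    ("bob", (12.0, 19.0, 33.0, 35.0), True),
    ("bob", (12.0, 18.0, 36.0, 35.0), True),
    ("carol", (50.0, 60.0, 70.0, 80.0), True),
    ("alice", (12.0, 18.0, 33.0, 35.0), False),  # bob claiming to be alice
    ("bob", (10.0, 20.0, 30.0, 40.0), False),    # alice claiming to be bob
    ("alice", (50.0, 60.0, 70.0, 80.0), False),  # carol claiming to be alice
    ("alice", (11.0, 20.0, 31.0, 39.0), False),  # near-miss impostor sample
]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(templates, claimed_user, sample, threshold):
    """The reader's decision: accept only a known user whose sample is close enough."""
    template = templates.get(claimed_user)
    if template is None:
        return False
    return distance(template, sample) <= threshold


def error_rates(templates, probes, threshold):
    """Return (FAR, FRR) for one threshold over a labelled set of attempts."""
    impostor_total = impostor_accepted = 0
    genuine_total = genuine_rejected = 0
    for claimed_user, sample, genuine in probes:
        accepted = verify(templates, claimed_user, sample, threshold)
        if genuine:
            genuine_total += 1
            genuine_rejected += not accepted
        else:
            impostor_total += 1
            impostor_accepted += accepted
    far = impostor_accepted / impostor_total if impostor_total else 0.0
    frr = genuine_rejected / genuine_total if genuine_total else 0.0
    return far, frr


def sweep(templates, probes, thresholds):
    """(threshold, FAR, FRR) for each threshold, to see the trade-off at a glance."""
    return [(t, *error_rates(templates, probes, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep(TEMPLATES, PROBES, (0.5, 1.5, 2.0, 5.0, 7.0)):
        print(f"threshold={t:4.1f}  FAR={far:.2f}  FRR={frr:.2f}")
```

Tightening the threshold drives FAR toward zero at the cost of rejecting more legitimate users; loosening it does the opposite. A system tuned to feel smooth for users (low FRR) is exactly the one most likely to wave through an impostor, which is why the reliability question in the text matters more to the organization than the comfort question.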