A Holistic Approach to Physical and IT Security
by Anshu Sharma
November 21, 2006



When a famous bank loses thousands of credit card numbers or a hospital loses medical records, the customers and patients do not ask whether the theft happened over the wire or because of a break-in. There is loss of trust and damage to the value of the brand regardless of the method of breach. But many businesses continue to treat physical and IT security as unrelated silos. This approach is no longer acceptable given changing realities, and many companies are beginning to realize the value of an integrated approach to security.

Just as the ascetics of ancient India realized the value of a holistic approach to health (leading to yoga, which literally means union), the modern enterprise must embrace the notion of a holistic approach to security bringing together physical and IT security.


IT and Physical Security Converge

Historically, certain businesses, such as those manufacturing sensitive equipment and materials, have focused on physical security. On the other hand, financial services institutions, healthcare and other businesses with high-value intellectual property have placed emphasis on securing their networks and information technology systems. However, recent incidents in the news have shown how securing just one of the two is a poor approach to security. For example, securing a network and server may give a false sense of security if mobile laptops are not secured and tracked.

Let us illustrate this through an example. A health insurance company uses Social Security numbers and stores and tracks personal medical records. In addition, it provides automatic payment of premiums through direct debit and therefore stores checking account information. It is easy to see how this kind of information would be a very attractive target to a criminal hacker.

In order to secure data containing Social Security numbers and healthcare information, the network has to be secure so that hackers cannot gain access, the databases must be protected, and the backup tapes must be transported and stored in a secure fashion; all this requires a concerted approach to security. There are four top practices and emerging trends for addressing the security issue: integrated identity infrastructure, centralized provisioning and de-provisioning, consolidated logging and auditing, and the risk management approach.


Integrated Identity Infrastructure

In the past, businesses have relied on separate databases and directories to store identity information pertaining to their customers, employees and partners. This increases the cost of ownership and lowers the quality of data, but more importantly, it can lead to unauthorized access to critical systems. It is imperative that businesses consolidate their identity infrastructure and have a single source of truth for identity. The first step for many businesses is to audit identity use in the enterprise, and use that information to create a comprehensive list of where this data is stored. The next step is to agree upon the single source of truth for identity information. However, various attributes of identity may have different authoritative sources.

It is vital that the CSO and lines of business agree on who is responsible for what piece of data, as well as the processes for creation, updates and deletion. Some businesses may choose to have the identity data stored in a combination of HR databases and enterprise directories, but it may be more prudent to consolidate into a single enterprise-wide directory. Virtual directory technology that allows the exposure of multiple directories and databases as a single directory is becoming a popular tool for this.


SideBar: Best Practices

As businesses look to comply with regulations, secure important data and assets and lower business risk, consider the following best practices and emerging trends:

  • Integrated identity infrastructure

  • Centralized provisioning and de-provisioning

  • Consolidated logging and auditing

  • Risk management approach


Anshu Sharma
Anshu Sharma is with Oracle for Identity Management. He authors a blog on the Business of Software at http://wisezen.blogspot.com.



















© 2008 BNP Media. All rights reserved. | Privacy Policy