Convergence: Yea or Nay?
If you've been thinking about the possibility of converging physical and data
security on your campus, it's time for a serious assessment of the pros and cons.
COLLEGES AND UNIVERSITIES can never be
too prepared, whether for physical attacks or data
security breaches. A quick data slice of over 7,000
US higher ed institutions, using the Office of Postsecondary
Education's Campus Security Data
Analysis Cutting Tool Website and cutting across public and private two- and
four-year schools, reveals some startling statistics: In 2006,
over 31,000 burglaries, 1,800 robberies, 2,900 aggravated
assaults, 2,700 forcible sex offenses, and 5,422 motor vehicle
thefts were reported on US campuses. And according to
nonprofit consumer organization Privacy Rights Clearinghouse, there have been more than
150 publicly disclosed data breaches at colleges and universities
since 2005. Probably more on target, the third
annual survey of 151 higher ed IT directors from technology
product and service supplier CDW-G reveals that, for the
second straight year, 58 percent of survey respondents
have experienced a security breach in the last year.
It may not be surprising, then, that a growing number of
colleges and universities are responding to these trends by
bringing logical (or data) and physical security together.
Though the process can be complicated at times, this convergence
merges IT with physical security programs such as
card access systems, mass notification systems, and network access control. The benefits? By bringing all of these
functions under one roof, controlling, containing, and reducing
security breaches of all kinds can be easier, more cost-effective
and, most importantly, more effective.
Interest in the converged approach is indisputably growing:
The CDW-G survey reported that convergence is now
a higher priority than in previous years, with 38 percent of
respondents claiming they spent more time on this convergence
in 2007 than they did in 2006. An even greater portion
of survey respondents reported that their institution is
primed for convergence: 86 percent noted that their campus
has the network infrastructure to support solutions that
manage both data and physical security together.
Specifically, schools such as Bryant University (RI) and
Golden West College (CA) are leading the charge. Still, converged
security isn't for all campuses. Security administrators
and technologists at Louisiana State University and Dartmouth
College (NH), for example, are hesitant to embrace
such convergence, insisting that keeping IT and physical security
separate makes each more secure. Still other campus IT
and security officials, notably at Penn State, don't believe convergence
should even be an issue, if security is approached
holistically. Here's a rundown on each approach.
At Bryant University, fixed video-surveillance cameras are connected
to the campus's converged IP network. The IT team can view images
from any camera on just about any web-connected computer
anywhere across campus, at any time, and incidents are archived to
be ever-accessible. Fire alarms are now connected to the network
as well: When an alarm is triggered, IT staffers can pinpoint the
source, use the cameras to identify the cause, and isolate the event.
HAIL, THE CONVERGED NETWORK!
Bryant University is an excellent example of how logical and
physical security are coming together: On this Rhode Island
campus, just about every technology-oriented process--
and that includes physical security surveillance-- now runs
over the campus's converged IP network. The network
started to take shape last year, when CIO Art Gloster and
his team partnered with Cisco Systems to make it a reality. Though the network is nearly 75 percent
complete, it is constantly evolving and takes on new
components just about every month.
Until recently, the highlight of the school's converged security
portfolio was a squadron of more than 20 Cisco fixed
video-surveillance cameras. All of the cameras (of various
models) are connected to the data backbone. Gloster explains
that because the cameras link up to the same network, he and
his team can see images from any camera on just about any
web-connected computer anywhere across campus, at any
time. He adds that Bryant stores all of the surveillance data on
16-terabyte data storage units from IBM.
"This system gives us a great way of using our data network
to enhance physical security on campus," says
Gloster, who anticipates as many as 40 cameras on campus
by the end of 2009. "IT has been good at safeguarding
and controlling data assets, so it makes sense for us
to get into physical assets, as well."
But cameras were just the start of the converged security
effort at Bryant; last year, the school also added fire
alarms from SimplexGrinnell to the IP network. The connections are complicated, but
essentially, Gloster's team interfaced the network directly
to fire alarm panels. Today, in the event of an incident (in
other words, when an alarm is triggered), the IT team is
able to use the network to pinpoint the source of the problem,
utilize the cameras to identify what set off the alarm,
and isolate the event or initiator.
The converged network also has prompted Bryant officials to rethink emergency radio contact-- an issue that has
plagued not only campuses nationwide, but municipalities
attempting to coordinate emergency response activities. In
the past, because the Bryant campus and various firstresponder
agencies used different radio frequencies for
communication, the school and town could not interoperate
and coordinate a timely response. Now, by deploying
Cisco's IP Interoperability and Collaboration System, Bryant
has linked disparate radio systems with campus phones
and PCs so that school officials can directly and efficiently
communicate with town agencies during an emergency.
As part of this project, Bryant has extended its IP-based
emergency response system to provide enhanced physical
security for eight communities in Rhode Island, two communities
in Massachusetts, and a regional dispatch center in
Connecticut. Additionally, the university has replaced deskbound
employees' "hard radios" with multi-channel, push-to-talk
services on a PC or laptop-- an efficiency move that
Gloster estimates has saved nearly $22,000.
"We're finding that a converged network is more effective
and cheaper to operate than the old approach ever
was," he says, explaining that campus administrators have
come to view endangered, exposed, or compromised
property of any kind as something to get to fast. "At the
end of the day, an asset is an asset, whether it's informational
or physical, and it's up to us to devise a way to
access those assets quickly and easily."
At California's Golden West College, the two-year institution has
blended data and physical security by distributing faculty laptops
equipped with software-based measures that not only ensure the
data stay safe, but that the equipment itself is useless to nonapproved
"appropriators." The result: more secure equipment, and
enhanced security across the entire network.
LOCKING DOWN LAPTOPS
While Bryant's approach to logical and physical security is
broad-based, converged security at the two-year Golden
West College has developed on a smaller scale. There,
technologists have blended the two security approaches
by distributing faculty laptops equipped with a variety of
software-based measures, to ensure not only that the data
on the computers stay safe, but that the computers are
physically useless to non-approved "appropriators." The
result has not only been more secure equipment, but
enhanced security across every corner of the network.
The laptops-- 175 of them in all-- were provided to staff
members last summer. Eighty-two of the computers came
with hard-disk encryption from GuardianEdge Technologies and the Computrace Complete
theft recovery, data protection, and secure asset tracking
service from Absolute Software.
Anthony Maciel, the school's director of technology support
services, claims this duo of software programs is a
cost-effective way of tackling both logical and physical
security simultaneously. "You never know when a faculty
member is carrying around student information on his or her
computer," says Maciel. "That's why we consider this
approach as converged security-- because we're physically
securing the laptop, but we're making sure whatever data
exist on that laptop are safe as well."
For starters, the GuardianEdge product secures the data.
Incorporating 256-bit encryption, the software requires
users to type in a password to access any of the data on a laptop's hard drive. Maciel has set up the system so that
users can take their laptops off the network, but when they
come back on, the software automatically checks with a
server to make sure its encryption is still up-to-date. If a user
strays from the network for more than 90 days, he or she
must visit the IT department to receive updates manually.
The Computrace service, which Maciel refers to as "LoJack
for laptops," ensures the physical security of the Golden West
machines. This program, which resides deep in the bios level
of the computer, kicks in the moment the computer is taken off
the school network, and automatically sends a signal back to
a central server, reporting on the equipment's whereabouts.
When a user reports a laptop as missing, authorities can use
this signal to pinpoint the location of the machine. "Luckily, we
haven't had to test the system with a real-world case yet,"
Maciel says. "When we do, we'll be ready."
STRENGTH IN SILOS
Despite clear benefits such as cost and improved efficiency,
not every higher ed institution has embraced the idea of
intertwining data and physical security. Many holdout
administrators say they support the idea of keeping the two
silos of security separate, for maximum efficiency of each
type of security initiative. Yet curiously, many of these campuses
do indeed make use of logical data for significant
impact on physical security-- accomplishments that certainly
support arguments for the benefits of convergence.
At Louisiana State University, for instance, the IT organization
worked closely with the Office of Public Safety
and Risk Management in the design of an Emergency
Operations Center (EOC) on campus. (The IT organization
also is part of the EOC operation, in the event of an
emergency.) Brian Nichols, the university's chief IT security
and policy officer, points out that representatives of his
department also provided support to the EOC in the
selection of the text-messaging system at LSU, rolled out
specifically for the purpose of alerting the campus in the
event of an emergency.
Recently, LSU technologists discussed implementing
sirens (from Whalen Engineering), to
augment the school's existing physical security/emergency
notification systems. Like traditional fire alarms, these
sirens would alert campus constituents in the event of an
emergency. Nichols says these devices will "spread the
load" of notification across a number of modes (some
already physically oriented) and thus lessen the reliance on
other, more IT-enabled means such as e-mail, voicemail,
and text messaging.
"The important point to remember is that institutions need
to ensure that all aspects of security are integrated in such
a way as to support the institution's mission," Nichols says.
"Maintaining the status quo actually means falling behind;
physical and IT security must be proactively managed, due
to the ever-changing nature of technology and threats."
At Dartmouth College, technologists have made the
clear-cut decision to keep data and physical security separate.
There, to handle data security, IT experts recently
built an authentication strategy around eTokens from Aladdin Knowledge Systems. This system
requires every user to insert a USB token and provide
a password before he or she can access the network and
the data it contains. PKI Administrator Scott Rea says the
initiative has virtually eliminated data security breaches. But
Rea and other campus technologists are hesitant to expand
this kind of initiative to include physical security. In almost
every department, Dartmouth still relies on proximity cards
from AccessID to control
building access and other forms of physical security. Rea
says that at some point, he and his colleagues considered
combining the two systems, but resisted because of high
turnover on the proximity cards. "Users were losing them
so frequently, it became a question of: How safe would a
converged system really be?" he remembers. "In the end,
keeping the data and physical security efforts separate
ensured greater safety in both spheres."
Penn State's Chief Privacy Officer David Lindstrom believes the
best way for higher education institutions to improve data and
physical security is to start with bulletproof policies that identify
vulnerabilities in the areas of both data and physical security.
A security committee then can administer deployment and
implementation. The committee should include at least one or
two students, so decision-makers are always considering issues
that are of importance to the institution's largest user group.
THE HOLISTIC APPROACH
For technologists at Penn State, one of the largest state
school systems in the country, the answer to the "Converge
or don't converge?" question has been to think
holistically from the get-go. David Lindstrom, the
school's chief privacy officer, believes that higher ed
institutions should take an all-encompassing approach
that renders irrelevant distinctions between different
kinds of security. Lindstrom, who also serves as co-chair
of the Higher Education KnowledgeNet for the International
Association of Privacy Professionals, says he sees security in general as a
way to minimize risk, and notes that in this context, worrying
about convergence isn't nearly as important as
investing time and money to maximize network defenses
across the board. "If my convergence solution doesn't
prioritize physical security, someone can figure out a way
to break onto my campus and steal my equipment," he
says. "But if my convergence solution doesn't prioritize
data security, a user doesn't even have to show up on
campus to hack into the system and steal data."
For Lindstrom, the best way for higher ed institutions
to improve data and physical security is to start with bulletproof
policies. The first step, he says, is to develop
institutional controls and protocols that give technologists
in each individual department advice on how best
to lock down critical assets. With these policies in
place, Lindstrom recommends that schools go in and
identify vulnerabilities in the areas of both data and
The final phase of his step-by-step approach is to put
together a privacy or security committee to administer
deployment and implementation. Lindstrom suggests that
institutions build this committee around managementlevel
individuals, and representatives from a variety of different
constituencies (or in Penn State's case, departments).
He notes that the committee should include at
least one or two students, so decision-makers are always
considering issues that are of importance to the institution's
largest user group.
"Buy-in from the people who will live with technology
every day is critically important for the success of any
security project," he says. "Without this connection to
the real world, even the best approaches to security
ultimately will fail." For more tips and best practices on
how to approach the question of converging data and
physical security, see "The Road to Convergence."