The Road to Convergence

• By Matt Villano
• 07/01/08

From three security pros: 6 best practices for physical and data security convergence.

TIP #1: Assess the Cable Plant

Before you can put data and physical security on the same network, make sure your network is running into every building on campus, and that the network has enough bandwidth to carry the additional load, advises Phil Mullendore, president of the Institute for Campus Safety, a consulting firm in Blue Jay, CA. Many campuses skip this important step, he notes, only to find out (after spending tens of thousands of dollars on convergence) that they needed to upgrade their infrastructure at stage one. "You can't bring together different kinds of security on one network if the network can't support converged security in the first place," he warns. The solution: an up-front network assessment to compare capacity with potential demand.

TIP #2: Choose Wisely

Just because you've decided to converge data and physical security doesn't mean you should blend every aspect of both. Peter Beardmore, product marketing manager at RSA, the security division of worldwide integrator EMC, says it's important for administrators to think twice about which aspects of logical and physical security they wish to merge, and for technologists to remember that some systems and applications may be more effective on their own. In particular, Beardmore suggests technologists seek to create a situation where users are issued a single credential when they log on-- and that credential provides both access to data, and physical access to areas of the campus, as well. "You want a system that ensures there's role-based information that can proliferate out to each individual application," he says. "If you can't provide that, you may want to keep some applications separate."

TIP #3: Be Patient

Converging different flavors of security onto one network doesn't happen overnight; in many situations, particularly at large public schools with tens of thousands of users, the process can take years. "Even in well-planned implementations, you have to allow for unexpected hurdles and obstacles," Beardmore stresses. "These are never onesize- fits-all, set-it-and-forget-it types of things." He adds that every implementation is different, so the step-by-step process that worked for one institution might not work for yours. To overcome these obstacles, Beardmore says it's always a good idea for technologists to employ a graduated implementation plan that establishes project milestones from inception, and builds in time for surprises, whatever they might be.

TIP #4: Engineer for High Availability

The benefits of having data and physical security running over the same network are indisputable: increased efficiency, cost savings, and more. If the network goes down, however, the entire institution could be in a boatload of trouble. Stephen Northcutt, president of the SANS Technology Institute, a postgraduate information security college in Bethesda, MD, says every school that opts to converge disparate kinds of security must engineer for high network availability, and develop a contingency plan should the network fail. "Redundant power supplies and asymmetrical routing are even more critical when everything is riding on the same network," he says. "You can never be too careful."

TIP #5: Test, Test, Test

Once you've blended data and physical security, it's critical to test the converged network to make sure it works. Northcutt says this process should be painstakingly comprehensive, since securing the organization's assets is perhaps the most important task facing technologists today. "Testing the network should go well beyond ordinary quality analysis," he says, suggesting that network security administrators should perform a literal battery of tests to make sure the network can withstand every kind of attack. Northcutt notes that in many cases, it may behoove an institution to hire an outside organization or consultants to perform these tests. Another option: ethical hackers, people employed by the school to find holes in network defenses before truly nefarious users do.

TIP #6: Don't Forget the Humans

In the world of security, even the most sophisticated technologies can't substitute for human intuition. Mullendore insists that the most important factor in security is monitoring, and that no automated system-- no matter how bleeding-edge it might be-- possesses discretionary decision-making on a par with that of a human being. "Whatever kinds of security you've got on your network, a living and breathing person has to receive each alarm and make the decision to send somebody or ignore it," says Mullendore, a former campus security officer who also serves as executive director of the California College and University Police Chiefs Association. "Whatever you're spending on your security network, never underestimate the importance of people."