Convergence: Yea or Nay?
If you've been thinking about the possibility of converging physical and data
security on your campus, it's time for a serious assessment of the pros and cons.
COLLEGES AND UNIVERSITIES can never be
too prepared, whether for physical attacks or data
security breaches. A quick data slice of over 7,000
US higher ed institutions, using the Office of Postsecondary
Education's Campus Security Data
Analysis Cutting Tool Website and cutting across public and private two- and
four-year schools, reveals some startling statistics: In 2006,
over 31,000 burglaries, 1,800 robberies, 2,900 aggravated
assaults, 2,700 forcible sex offenses, and 5,422 motor vehicle
thefts were reported on US campuses. And according to
nonprofit consumer organization Privacy Rights Clearinghouse, there have been more than
150 publicly disclosed data breaches at colleges and universities
since 2005. Probably more on target, the third
annual survey of 151 higher ed IT directors from technology
product and service supplier CDW-G reveals that, for the
second straight year, 58 percent of survey respondents
have experienced a security breach in the last year.
It may not be surprising, then, that a growing number of
colleges and universities are responding to these trends by
bringing logical (or data) and physical security together.
Though the process can be complicated at times, this convergence
merges IT with physical security programs such as
card access systems, mass notification systems, and network access control. The benefits? By bringing all of these
functions under one roof, controlling, containing, and reducing
security breaches of all kinds can be easier, more cost-effective
and, most importantly, more effective.
Interest in the converged approach is indisputably growing:
The CDW-G survey reported that convergence is now
a higher priority than in previous years, with 38 percent of
respondents claiming they spent more time on this convergence
in 2007 than they did in 2006. An even greater portion
of survey respondents reported that their institution is
primed for convergence: 86 percent noted that their campus
has the network infrastructure to support solutions that
manage both data and physical security together.
Specifically, schools such as Bryant University (RI) and
Golden West College (CA) are leading the charge. Still, converged
security isn't for all campuses. Security administrators
and technologists at Louisiana State University and Dartmouth
College (NH), for example, are hesitant to embrace
such convergence, insisting that keeping IT and physical security
separate makes each more secure. Still other campus IT
and security officials, notably at Penn State, don't believe convergence
should even be an issue, if security is approached
holistically. Here's a rundown on each approach.
At Bryant University, fixed video-surveillance cameras are connected
to the campus's converged IP network. The IT team can view images
from any camera on just about any web-connected computer
anywhere across campus, at any time, and incidents are archived to
be ever-accessible. Fire alarms are now connected to the network
as well: When an alarm is triggered, IT staffers can pinpoint the
source, use the cameras to identify the cause, and isolate the event.
HAIL, THE CONVERGED NETWORK!
Bryant University is an excellent example of how logical and
physical security are coming together: On this Rhode Island
campus, just about every technology-oriented process--
and that includes physical security surveillance-- now runs
over the campus's converged IP network. The network
started to take shape last year, when CIO Art Gloster and
his team partnered with Cisco Systems to make it a reality. Though the network is nearly 75 percent
complete, it is constantly evolving and takes on new
components just about every month.
Until recently, the highlight of the school's converged security
portfolio was a squadron of more than 20 Cisco fixed
video-surveillance cameras. All of the cameras (of various
models) are connected to the data backbone. Gloster explains
that because the cameras link up to the same network, he and
his team can see images from any camera on just about any
web-connected computer anywhere across campus, at any
time. He adds that Bryant stores all of the surveillance data on
16-terabyte data storage units from IBM.
"This system gives us a great way of using our data network
to enhance physical security on campus," says
Gloster, who anticipates as many as 40 cameras on campus
by the end of 2009. "IT has been good at safeguarding
and controlling data assets, so it makes sense for us
to get into physical assets, as well."
But cameras were just the start of the converged security
effort at Bryant; last year, the school also added fire
alarms from SimplexGrinnell to the IP network. The connections are complicated, but
essentially, Gloster's team interfaced the network directly
to fire alarm panels. Today, in the event of an incident (in
other words, when an alarm is triggered), the IT team is
able to use the network to pinpoint the source of the problem,
utilize the cameras to identify what set off the alarm,
and isolate the event or initiator.
The converged network also has prompted Bryant officials to rethink emergency radio contact-- an issue that has
plagued not only campuses nationwide, but municipalities
attempting to coordinate emergency response activities. In
the past, because the Bryant campus and various first-responder
agencies used different radio frequencies for
communication, the school and town could not interoperate
and coordinate a timely response. Now, by deploying
Cisco's IP Interoperability and Collaboration System, Bryant
has linked disparate radio systems with campus phones
and PCs so that school officials can directly and efficiently
communicate with town agencies during an emergency.
As part of this project, Bryant has extended its IP-based
emergency response system to provide enhanced physical
security for eight communities in Rhode Island, two communities
in Massachusetts, and a regional dispatch center in
Connecticut. Additionally, the university has replaced deskbound
employees' "hard radios" with multi-channel, push-to-talk
services on a PC or laptop-- an efficiency move that
Gloster estimates has saved nearly $22,000.
"We're finding that a converged network is more effective
and cheaper to operate than the old approach ever
was," he says, explaining that campus administrators have
come to view endangered, exposed, or compromised
property of any kind as something to get to fast. "At the
end of the day, an asset is an asset, whether it's informational
or physical, and it's up to us to devise a way to
access those assets quickly and easily."
At California's Golden West College, the two-year institution has
blended data and physical security by distributing faculty laptops
equipped with software-based measures that not only ensure the
data stay safe, but that the equipment itself is useless to non-approved
"appropriators." The result: more secure equipment, and
enhanced security across the entire network.
LOCKING DOWN LAPTOPS
While Bryant's approach to logical and physical security is
broad-based, converged security at the two-year Golden
West College has developed on a smaller scale. There,
technologists have blended the two security approaches
by distributing faculty laptops equipped with a variety of
software-based measures, to ensure not only that the data
on the computers stay safe, but that the computers are
physically useless to non-approved "appropriators." The
result has not only been more secure equipment, but
enhanced security across every corner of the network.
The laptops-- 175 of them in all-- were provided to staff
members last summer. Eighty-two of the computers came
with hard-disk encryption from GuardianEdge Technologies and the Computrace Complete
theft recovery, data protection, and secure asset tracking
service from Absolute Software.
Anthony Maciel, the school's director of technology support
services, claims this duo of software programs is a
cost-effective way of tackling both logical and physical
security simultaneously. "You never know when a faculty
member is carrying around student information on his or her
computer," says Maciel. "That's why we consider this
approach as converged security-- because we're physically
securing the laptop, but we're making sure whatever data
exist on that laptop are safe as well."
For starters, the GuardianEdge product secures the data.
Incorporating 256-bit encryption, the software requires
users to type in a password to access any of the data on a laptop's hard drive. Maciel has set up the system so that
users can take their laptops off the network, but when they
come back on, the software automatically checks with a
server to make sure its encryption is still up-to-date. If a user
strays from the network for more than 90 days, he or she
must visit the IT department to receive updates manually.
The Computrace service, which Maciel refers to as "LoJack
for laptops," ensures the physical security of the Golden West
machines. This program, which resides deep in the BIOS level
of the computer, kicks in the moment the computer is taken off
the school network, and automatically sends a signal back to
a central server, reporting on the equipment's whereabouts.
When a user reports a laptop as missing, authorities can use
this signal to pinpoint the location of the machine. "Luckily, we
haven't had to test the system with a real-world case yet,"
Maciel says. "When we do, we'll be ready."
STRENGTH IN SILOS
Despite clear benefits such as cost and improved efficiency,
not every higher ed institution has embraced the idea of
intertwining data and physical security. Many holdout
administrators say they support the idea of keeping the two
silos of security separate, for maximum efficiency of each
type of security initiative. Yet curiously, many of these campuses
do indeed make use of logical data for significant
impact on physical security-- accomplishments that certainly
support arguments for the benefits of convergence.
At Louisiana State University, for instance, the IT organization
worked closely with the Office of Public Safety
and Risk Management in the design of an Emergency
Operations Center (EOC) on campus. (The IT organization
also is part of the EOC operation, in the event of an
emergency.) Brian Nichols, the university's chief IT security
and policy officer, points out that representatives of his
department also provided support to the EOC in the
selection of the text-messaging system at LSU, rolled out
specifically for the purpose of alerting the campus in the
event of an emergency.
Recently, LSU technologists discussed implementing
sirens (from Whelen Engineering), to
augment the school's existing physical security/emergency
notification systems. Like traditional fire alarms, these
sirens would alert campus constituents in the event of an
emergency. Nichols says these devices will "spread the
load" of notification across a number of modes (some
already physically oriented) and thus lessen the reliance on
other, more IT-enabled means such as e-mail, voicemail,
and text messaging.
"The important point to remember is that institutions need
to ensure that all aspects of security are integrated in such
a way as to support the institution's mission," Nichols says.
"Maintaining the status quo actually means falling behind;
physical and IT security must be proactively managed, due
to the ever-changing nature of technology and threats."
At Dartmouth College, technologists have made the
clear-cut decision to keep data and physical security separate.
There, to handle data security, IT experts recently
built an authentication strategy around eTokens from Aladdin Knowledge Systems. This system
requires every user to insert a USB token and provide
a password before he or she can access the network and
the data it contains. PKI Administrator Scott Rea says the
initiative has virtually eliminated data security breaches. But
Rea and other campus technologists are hesitant to expand
this kind of initiative to include physical security. In almost
every department, Dartmouth still relies on proximity cards
from AccessID to control
building access and other forms of physical security. Rea
says that at some point, he and his colleagues considered
combining the two systems, but resisted because of high
turnover on the proximity cards. "Users were losing them
so frequently, it became a question of: How safe would a
converged system really be?" he remembers. "In the end,
keeping the data and physical security efforts separate
ensured greater safety in both spheres."
Penn State's Chief Privacy Officer David Lindstrom believes the
best way for higher education institutions to improve data and
physical security is to start with bulletproof policies that identify
vulnerabilities in the areas of both data and physical security.
A security committee then can administer deployment and
implementation. The committee should include at least one or
two students, so decision-makers are always considering issues
that are of importance to the institution's largest user group.
THE HOLISTIC APPROACH
For technologists at Penn State, one of the largest state
school systems in the country, the answer to the "Converge
or don't converge?" question has been to think
holistically from the get-go. David Lindstrom, the
school's chief privacy officer, believes that higher ed
institutions should take an all-encompassing approach
that renders irrelevant distinctions between different
kinds of security. Lindstrom, who also serves as co-chair
of the Higher Education KnowledgeNet for the International
Association of Privacy Professionals, says he sees security in general as a
way to minimize risk, and notes that in this context, worrying
about convergence isn't nearly as important as
investing time and money to maximize network defenses
across the board. "If my convergence solution doesn't
prioritize physical security, someone can figure out a way
to break onto my campus and steal my equipment," he
says. "But if my convergence solution doesn't prioritize
data security, a user doesn't even have to show up on
campus to hack into the system and steal data."
For Lindstrom, the best way for higher ed institutions
to improve data and physical security is to start with bulletproof
policies. The first step, he says, is to develop
institutional controls and protocols that give technologists
in each individual department advice on how best
to lock down critical assets. With these policies in
place, Lindstrom recommends that schools go in and
identify vulnerabilities in the areas of both data and
physical security.
The final phase of his step-by-step approach is to put
together a privacy or security committee to administer
deployment and implementation. Lindstrom suggests that
institutions build this committee around management-level
individuals, and representatives from a variety of different
constituencies (or in Penn State's case, departments).
He notes that the committee should include at
least one or two students, so decision-makers are always
considering issues that are of importance to the institution's
largest user group.
"Buy-in from the people who will live with technology
every day is critically important for the success of any
security project," he says. "Without this connection to
the real world, even the best approaches to security
ultimately will fail." For more tips and best practices on
how to approach the question of converging data and
physical security, see "The Road to Convergence."