The Road to Convergence
From three security pros: 6 best practices for physical and
data security convergence.
TIP #1: Assess the Cable Plant
Before you can put data and physical security on the same
network, make sure your network is running into every
building on campus, and that the network has enough
bandwidth to carry the additional load, advises Phil Mullendore,
president of the Institute for Campus Safety, a consulting firm in Blue Jay, CA. Many
campuses skip this important step, he notes, only to find
out (after spending tens of thousands of dollars on convergence)
that they needed to upgrade their infrastructure
at stage one. "You can't bring together different kinds of
security on one network if the network can't support converged
security in the first place," he warns. The solution:
an up-front network assessment to compare capacity with
TIP #2: Choose Wisely
Just because you've decided to converge data and physical
security doesn't mean you should blend every aspect of
both. Peter Beardmore, product marketing manager at RSA, the security division of worldwide integrator EMC, says it's important for administrators
to think twice about which aspects of logical and physical
security they wish to merge, and for technologists to remember
that some systems and applications may be more effective
on their own. In particular, Beardmore suggests technologists
seek to create a situation where users are issued a
single credential when they log on-- and that credential provides
both access to data, and physical access to areas
of the campus, as well. "You want a system that ensures
there's role-based information that can proliferate out to each individual application," he says. "If you can't provide
that, you may want to keep some applications separate."
TIP #3: Be Patient
Converging different flavors of security onto one network
doesn't happen overnight; in many situations, particularly
at large public schools with tens of thousands of users,
the process can take years. "Even in well-planned implementations,
you have to allow for unexpected hurdles and
obstacles," Beardmore stresses. "These are never onesize-
fits-all, set-it-and-forget-it types of things." He adds
that every implementation is different, so the step-by-step
process that worked for one institution might not work for
yours. To overcome these obstacles, Beardmore says it's
always a good idea for technologists to employ a graduated implementation plan that establishes project milestones
from inception, and builds in time for surprises, whatever
they might be.
Benefits to having data
and physical security
running over the same
network are indisputable.
TIP #4: Engineer for High Availability
The benefits of having data and physical security running
over the same network are indisputable: increased efficiency,
cost savings, and more. If the network goes down,
however, the entire institution could be in a boatload of
trouble. Stephen Northcutt, president of the SANS Technology
Institute, a postgraduate information
security college in Bethesda, MD, says every school
that opts to converge disparate kinds of security must
engineer for high network availability, and develop a contingency
plan should the network fail. "Redundant power
supplies and asymmetrical routing are even more critical
when everything is riding on the same network," he says.
"You can never be too careful."
TIP #5: Test, Test, Test
Once you've blended data and physical security, it's critical
to test the converged network to make sure it works.
Northcutt says this process should be painstakingly comprehensive,
since securing the organization's assets is
perhaps the most important task facing technologists
today. "Testing the network should go well beyond ordinary
quality analysis," he says, suggesting that network
security administrators should perform a literal battery of
tests to make sure the network can withstand every kind
of attack. Northcutt notes that in many cases, it may
behoove an institution to hire an outside organization or
consultants to perform these tests. Another option: ethical
hackers, people employed by the school to find holes in
network defenses before truly nefarious users do.
TIP #6: Don't Forget the Humans
In the world of security, even the most sophisticated technologies
can't substitute for human intuition. Mullendore
insists that the most important factor in security is monitoring,
and that no automated system-- no matter how
bleeding-edge it might be-- possesses discretionary
decision-making on a par with that of a human being.
"Whatever kinds of security you've got on your network, a
living and breathing person has to receive each alarm and
make the decision to send somebody or ignore it," says
Mullendore, a former campus security officer who also
serves as executive director of the California College and
University Police Chiefs Association.
"Whatever you're spending on your security network,
never underestimate the importance of people."
Matt Villano is senior contributing editor of this publication.