The Convergence of Physical Security and the IP Network is Expanding the Attack Surface: Half of the top 12 global exploits targeted IoT devices, and four of the top 12 were related to IP-enabled cameras. The adage “monitor the monitoring devices” is quite apropos for organizations here.
For some reason, we do not usually view logical security and physical security together. The fact is, physical access control (PACS) and network access control (NACS, sometimes called LACS, for logical access control) share much in common. Further, it could be argued that each is only as strong as the other.
Physical access control can be defined as an automated system that manages the passage of people or assets through one or more openings in a secure perimeter, based on a set of authorization rules (e.g., allowing access to controlled buildings).
Logical access control can be defined as an automated system that controls an individual's (or device's) ability to access a workstation, network or application. It requires identity validation through a PIN, card, biometric or other token (such as a certificate) and can assign different access privileges based on roles and responsibilities.
Physical security has traditionally been in the purview of the guys walking around with big key chains and construction boots. These guys also typically have responsibility for things like lighting, HVAC, building automation, life safety and so forth. Not usually IT guys.
In recent months, with the proliferation of networked devices (20 billion connected by 2020), once-proprietary non-IT networks have converged around IP. Things have changed (no double entendre intended). IT not only has a voice at the table when it comes to physical security, but in many cases has absorbed the function into its own organization. In the federal government, the recent revision to OMB Circular A-130 mandates that the CIO of each federal agency become the accountable party for (among other things):
- Logical and physical access control
- Identity management
- Credentialing systems
- All associated security systems, and
- Embracing the NIST SP 800-137 continuous monitoring model, moving to near-real-time monitoring
A somewhat newer wrinkle in the PACS/NACS discussion involves user behavior. Physical security adds much in the way of contextual data, based on things like physical location and established normal patterns for the way employees act. Physical security also adds richness in the areas of diagnostics, analytics, and reporting. Think "why is this employee in the executive suite on a Sunday at 2 am?"
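The two checks described above (a badge event outside an employee's normal time and location pattern, and a physical-access record that contradicts a logical-access record) can both be expressed as simple correlation logic over the two log streams. The following is an added example, not code from the original post; the badge-reader lines, login lines, employee ID `E1042` and zone names are all constructed, and the rule that a day's first `LOBBY` badge marks someone as "in the building" is an assumption made for the illustration.

```python
"""Correlate physical (badge) and logical (login) access events.

Added illustration, not code from the original post. All log lines,
employee IDs, zone names and login sources below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed badge-reader log: timestamp, employee, zone, result.
# Weekday mornings 4-8 March 2024, then a Sunday 02:00 visit on 10 March.
BADGE_LOG = """\
2024-03-04T08:02:11 E1042 LOBBY GRANTED
2024-03-04T08:03:40 E1042 FLOOR3 GRANTED
2024-03-05T08:10:05 E1042 LOBBY GRANTED
2024-03-05T08:11:30 E1042 FLOOR3 GRANTED
2024-03-06T07:58:22 E1042 LOBBY GRANTED
2024-03-06T08:00:01 E1042 FLOOR3 GRANTED
2024-03-07T08:05:17 E1042 LOBBY GRANTED
2024-03-07T08:06:44 E1042 FLOOR3 GRANTED
2024-03-08T08:01:09 E1042 LOBBY GRANTED
2024-03-08T08:02:50 E1042 FLOOR3 GRANTED
2024-03-10T02:04:33 E1042 LOBBY GRANTED
2024-03-10T02:06:12 E1042 EXEC_SUITE GRANTED
"""

# Constructed logical-access log: timestamp, employee, login source.
LOGIN_LOG = """\
2024-03-04T08:20:00 E1042 workstation-floor3
2024-03-05T08:25:00 E1042 workstation-floor3
2024-03-06T08:15:00 E1042 workstation-floor3
2024-03-07T08:21:00 E1042 workstation-floor3
2024-03-08T08:18:00 E1042 workstation-floor3
2024-03-08T09:00:00 E1042 vpn-remote
"""

# Events up to this instant form the behavioural baseline (assumed split).
TRAINING_END = datetime(2024, 3, 8, 23, 59, 59)


def parse_badge(text):
    """Parse badge lines into dicts with a datetime, employee, zone and result."""
    events = []
    for line in text.splitlines():
        ts, emp, zone, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                       "zone": zone, "granted": result == "GRANTED"})
    return events


def parse_logins(text):
    """Parse login lines into dicts with a datetime, employee and source."""
    logins = []
    for line in text.splitlines():
        ts, emp, source = line.split()
        logins.append({"ts": datetime.fromisoformat(ts), "emp": emp, "source": source})
    return logins


def build_profiles(events, until=TRAINING_END):
    """Per-employee baseline: zones, weekdays and hours seen in granted events."""
    profiles = defaultdict(lambda: {"zones": set(), "weekdays": set(), "hours": set()})
    for e in events:
        if e["granted"] and e["ts"] <= until:
            p = profiles[e["emp"]]
            p["zones"].add(e["zone"])
            p["weekdays"].add(e["ts"].weekday())
            p["hours"].add(e["ts"].hour)
    return profiles


def find_badge_anomalies(events, profiles, after=TRAINING_END):
    """Flag post-baseline badge events whose zone, weekday or hour is unseen."""
    findings = []
    for e in events:
        if e["ts"] <= after or e["emp"] not in profiles:
            continue
        p = profiles[e["emp"]]
        reasons = []
        if e["zone"] not in p["zones"]:
            reasons.append(f"zone {e['zone']} never badged before")
        if e["ts"].weekday() not in p["weekdays"]:
            reasons.append(f"{e['ts'].strftime('%A')} outside normal weekdays")
        if e["ts"].hour not in p["hours"]:
            reasons.append(f"hour {e['ts'].hour:02d} outside normal hours")
        if reasons:
            findings.append((e, reasons))
    return findings


def badged_in_on(events, emp, day):
    """Assumed rule: a granted LOBBY badge on that date means 'in the building'."""
    return any(e["emp"] == emp and e["granted"] and e["zone"] == "LOBBY"
               and e["ts"].date() == day for e in events)


def find_location_conflicts(events, logins):
    """Flag logins whose source contradicts the physical-access record."""
    findings = []
    for l in logins:
        inside = badged_in_on(events, l["emp"], l["ts"].date())
        if l["source"].startswith("vpn") and inside:
            findings.append((l, "remote VPN login while badged into the building"))
        elif l["source"].startswith("workstation") and not inside:
            findings.append((l, "on-site workstation login with no badge entry that day"))
    return findings


if __name__ == "__main__":
    badge = parse_badge(BADGE_LOG)
    prof = build_profiles(badge)
    for ev, why in find_badge_anomalies(badge, prof):
        print(ev["ts"], ev["emp"], ev["zone"], "->", "; ".join(why))
    for lg, why in find_location_conflicts(badge, parse_logins(LOGIN_LOG)):
        print(lg["ts"], lg["emp"], lg["source"], "->", why)
```

Run on the constructed logs, the baseline for `E1042` is weekdays, 07:00 to 08:59, in `LOBBY` and `FLOOR3`; the Sunday 02:06 `EXEC_SUITE` badge is flagged for all three of zone, weekday and hour, and the 8 March VPN login is flagged because the same employee had badged into the building that morning. In a real deployment the baseline would be rebuilt on a rolling window and the "in the building" rule would use exit events as well, but the correlation itself is no more complicated than this.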
Our friends in the federal government appear to be very much ahead of the commercial IT market in this regard. It is time for similar adoption to take place outside of the public sector.