IT security gets physical
The good news: The physical and IT security systems your company uses will merge. The bad news: It'll probably take a while.
The cameras are watching when you drive up to IBM’s Watson Research Lab in Hawthorne, N.Y. They’re also noticing things … things such as the color of the vehicle you’re driving and its license plate. When you get out of the car, another camera zooms in on your face, capturing its image and transmitting it (along with snapshots of your car and license plate) to third-party analytics systems, which then compare those bits against a database of lab employees and authorized visitors.
By the time you get to the door at Hawthorne, says Arun Hampapur, manager of IBM’s Exploratory Vision Group, the cameras have, in theory, already collected enough data to grant you access to the facility without you having to wave a key card or check in at the front desk.
This type of “Minority Report” scenario remains more myth than reality, but a number of factors have combined in recent years to put the merging of physical and IT security on the front burner. The advent of open, IP-based physical access systems, the appearance of new startups offering convergence solutions, along with an embrace of open applications platforms and Web services, may soon place true converged security solutions within reach of ordinary enterprises.
Physical threats
Even before the words “stolen laptop” started popping up in headlines, 9/11 increased the burden and cost of physical security — especially for companies with high visibility, says William Crowell, an independent consultant and former senior official at the U.S. National Security Agency.
But incidents such as the December theft of five laptops from the benefits consulting firm Towers Perrin, containing data on tens of thousands of retirement-plan participants, are motivating corporations to push for security integration. One company, Boeing, suffered three break-ins between November 2005 and December 2006, culminating with the theft of a laptop from an employee’s car that contained the names, salary information, Social Security Numbers, home addresses, phone numbers, and dates of birth of 382,000 current and former employees.
Rather than hack a well-defended corporate network, smart criminals in search of sensitive information have discovered it’s often more effective to focus on gullible employees and loosely guarded offices, says Cheng Tang, a consultant with System Experts, a security consulting firm. “Crime is always about finding the weakest link. It’s a lot easier to hack the physical and person-side of the security equation,” he says.
Some attacks combine both online and offline tactics, with attackers researching their target on the Web or rattling doors on the company’s public-facing servers before trying to compromise physical security protections to get what they want, says Dave Tyson, CSO for the City of Vancouver, who manages a joint physical and IT staff of 45 that includes 22 security guards and security contractors.
Unified operations like Tyson’s are rare. “In the past, there’s been this umbrella of security around physical security, where the building is locked down and the concerns of the security officer are taken care of,” says Peter Fehl, senior marketing manager for integrated security at Honeywell. “On the IT side, they have [anti-virus] and firewall. But in between the groups is where the cracks have developed.”









