Where are the modern demarks for Cyber and Physical Security?
In a time of unprecedented rapid change, we have been required to not only ensure our operating models are flexible but also adapt to cultural changes. Working anywhere, at any time has become mandatory in order for businesses to allow for flexibility, but with this your work force availability can change in uncontrolled swathes without notice. This core fundamental is now a requirement to survive as a corporation, resetting expectations in order to meet deliverables, leaving behind that rigid corporate mentality of staff being chained to desks at fixed locations between core hours, throwing the archaic rule book away reinventing the working world for generations to come.
People, Corporations and many facets of life have shown it is possible to adapt at impressive rates of change, although not everything can. Rigid requirements for compliance standards, legislation, security methodologies, don’t seem to be adapting quick enough to support new operating methods and models.
With this in mind what do you protect in this new modern world, when your services are in the “Cloud”, Data Centres providing services where your data could be in the south east of the UK in the morning and shifting to the north by the afternoon. The comms room that was in the office has now moved to a colocation facility hosting your legacy infrastructure through a VDI infrastructure that is hosted at an alternate site. Are the office locations that have been retained still being occupied in the same way or are they empty for long periods? Is this making our homes the new attack vector and are we at risk?
Home offices are already starting to be exploited, with homes being broken into to steal equipment. Planned attacks are also taking place on those that have built log cabins in their garden and have got their IT team to connect them with branch office site to site VPN’s, bridging them back to the corporate networks. These corporate networks would normally be cyber protected with firewalls, IDS systems and corporate equipment whilst also being physically protected by security guards, alarm systems, CCTV and layers of physical security. The difference now is that the only security in place is a 5 level lock in a timbre door at the bottom of the garden, where it is much easier to bump a lock then hack their way in or socially engineer the office environment, giving the hostile party access to systems within minutes, rather than days or months.
These issues lead to questioning the demarcation of Cyber and Physical Security and the roles and responsibilities for who delivers it as it now grows ever more opaque. The IT and communication systems transition more from physical to virtual, blending traditional infrastructures, with SaaS systems spread across multiple hyper-scale providers. The locations where you can reach out and touch data become more obscure. This obfuscation of these operationally required services, combined with rapidly changing requirements means that security can be slow to keep up, with the sprawl of shadow IT systems. There is now a need to lead to a shift in thinking, where you are not only considering remote access users, corporate LAN users and visitors to a model where you need to consider a geographic diverse user base that needs to access all classifications of data, in always on environments.
Awesome, sounds like a nightmare but if you are prepared to take a step back and consolidate your thinking between cybersecurity and physical security moving them from rigid committees to operational functions this enables the teams of people that are driving the changes to IT operating models the ability to make change to security models rather than trying to find ways to work around them while they catch up.
This may need some new tooling in the toolbox, training or additional product sets to work with but, combined physical and cybersecurity delivery at an operational level needs to be the way forward. This growth in remit means that automation will be critical, centralised SOC or MDR services collating information from all these new end-points becomes even more critical than it already was, but integrating physical security requirements as overlays becomes a must. Application and Infrastructure engineers are using vulnerability assessment and penetration tests against their areas in order to drive continual service improvements, reduce risk and identify vulnerabilities in advance and this should be the same for physical elements of your infrastructure, especially in times of change. Areas such as Automated Access Control Systems (AACS), Surveillance, Testing, Logs and Audit Trails, Risk Management, Training and awareness should all be considered as part of a Physical Security operating model, these can be combined with the cyber requirements to deliver an overall package.
Conclusion
So in conclusion the demarks expand massively in this new world of corporate operations with each attack surface and risk profiles change. Security needs to move from slow to change committees to a dynamic operations team which when in period of flux can flex methodologies and requirements to suit. Adding automation to create an increased overview of all information in centralised viewpoints, correlating events for Physical and Cyber allows forensic information to be acquired in order to deliver a suitable defensive strategy.
Recent Comments