Physical Security and Cybersecurity Need to Converge
Robert Bauman of Trusted Systems warns of a physical security gap that empowers the insider threat.
Greater concentration on separate physical security and cybersecurity has led to a major loophole characterized by the insider threat. Combining the two disciplines holds the key to protecting against devastating data breaches.
Cybersecurity protects from the inside-out, but a major loophole enables insider threats.—Robert Bauman, Trusted Systems Inc. #AFCEATechNet
— Bob Ackerman (@rkackerman) November 20, 2019
This point was hammered home in a presentation by Robert Bauman, president and CEO of Trusted Systems Inc., at TechNet Indo-Pacific 2019, held in Honolulu November 19-21. He noted that reliance on sensitive compartmented information facilities (SCIFs) and separate data encryption has not kept up with the evolving threat picture, leaving a security gap that opens the way to malevolent insiders.
“You can’t use the word ‘always’ very often,” Bauman offered. “But when it comes to security, it’s always a people problem.”
You can’t use the word “always” very often. But when it comes to security, it’s always a people problem.—Robert Bauman, Trusted Systems Inc. #AFCEATechNet
— Bob Ackerman (@rkackerman) November 20, 2019
Relying on the SCIF approach overlooks the presence of a bad cyber player inside the facility. Bauman calls for securing the network hardware, not the space. “Tie security to the network, not the facility. You want to attach yourself to the network, not to the room.”
And this security must extend seamlessly to the desktop, not just the wall, he emphasizes. “Secure online operation, not offline storage.”
Security is a perception. The reality of someone getting into a general’s office with a cellphone is very rare. The real issue is one of playing the odds.—Robert Bauman, Trusted Systems Inc. #AFCEATechNet
— Bob Ackerman (@rkackerman) November 20, 2019
His solution is to use information processing containers (IPS) approved by the General Services Administration (GSA). Resembling small safes, these armored computer cabinets come in several sizes and styles, and they can become mini SCIFs that provide network security for their internal network circuitry. They would prevent the threat from entering the shielded container, but they must be teamed with a data protection solution.
“The access is to the network, not the network equipment,” Bauman pointed out. “But you still must protect the network, just as you locked the SCIF.”
A system that provides biometric fingerprint and personal identification number (PIN) authentication on a desktop can streamline access without the need to access the IPS container. This approach reduces intervention by technicians, guards and other humans. Insiders would be able to access only the data to which they are entitled, and they could not access the main network box. A smart PDU can enable immediate remote power shutdown when an intrusion alarm goes off.
“It is for online unattended operation, not offline storage,” Bauman said of this approach. “Security is tied to the network, not the facility.”
