John Pescatore - SANS Director of Emerging Security Trends
Does Integrating Physical Security and Information Security Make Sense?
This week’s Drilldown focuses on an item (included below) from NewsBites Issue 21 about a business interruption event caused by a data center fire that not only disrupted operations but also resulted in the destruction of internal backups for some systems.
As far back as 2005, there have been predictions that physical security and information security would converge. After all, they both have “security” in their name, so why not?
Early in my career, after leaving NSA, I worked for the U.S. Secret Service where part of my job was doing “technical security” for protectee movements and trips. That involved taking classes on fire safety, elevator safety, alarm systems, and so on, as well as learning what the Secret Service agents in charge of personal security wanted/needed. After a few trips, I learned pretty quickly that physical security was a very different discipline than information security. There was no way I wanted those agents securing our networks and no way they wanted me to carry a gun!
When the “physical security and IT security should/will merge” hype really ramped up around 2007, Greg Young of Gartner and I published a Gartner Research note that included this:
Physical Security and IT Security Are Not Converging
Physical security and IT security are unaligned and different buying centers, answering most often to different parts of the organization. Security cameras, facilities access control, and physical access can utilize the IP network as a low-cost transport medium, but it is not convergence by any real definition. Enterprises moving to stronger building security technologies, such as video surveillance or card or biometric-based entry systems, should definitely have a coordinated IT plan for integrating such technology, but not drive organizational changes unless it makes business sense to do so.
The challenges of physical security are very different from IT security and require very different forms of control and management. Most physical safeguards cannot respond to attacks on IT, and IT security safeguards are not suited for physical defenses. Information can flow to a unified console, but the value of the integration is limited. IT security sales staff and channels will be challenged getting to the physical security decision makers, where technology refresh rates are long. (Source: Gartner, 2007)
This issue of a data center fire consuming backups reminded me of this. The simple advice is to say, “Never store backups near the primary system,” and that is good advice. But bad UPS maintenance and supply storage practices could easily lead to fires at both the primary and backup locations--still causing interruption of service and possibly still causing loss of data.
The use of battery systems as part of UPS systems has changed the facility demands for safe system layout and design, and few IT security analysts and specialists have that knowledge or even realize that they don’t have that knowledge. Coordination between physical security and information security is definitely needed, but that does not require convergence any more than organizational convergence between software development and power system maintenance is required.
Do you know who to talk to on the physical security side of things that play a big part in today’s risks?
OVH Data Center Fire Occurred After UPS Unit Maintenance, Some Backups Non-Recoverable
A fire that destroyed an OVH data center in Strasbourg, France, was likely caused by problems with a UPS unit. Firefighters’ thermal cameras showed that a recently serviced UPS unit and an adjacent unit were burning. The company has also said that internal backups for some systems are “non-recoverable.”
When outsourcing functions, whether to a hosting center or a cloud provider, look carefully at geographic separation to prevent single points of failure. When services were in your data center, you had discussions about separations to prevent a single incident taking down your systems and you sent backups to an offsite facility for storage. The same risks apply here. Cloud services make it easy to have regional separations, most often considered for availability, but also consider separations for recovery: separate backups and services. Similarly, store backups in a separate co-location service from your hosted systems if you’re not retaining them in your data center.
Fire safety is usually outside the expertise of cybersecurity teams, but it is just as complex. The idea of putting one group in charge of both has been promoted, but often makes no sense. Many UPS systems involve batteries, and there are numerous scenarios where batteries can be mismanaged or undermaintained, potentially causing them to burst into flames. There are also many storage scenarios in which innocuous maintenance materials (antifreeze, fertilizer, burlap sacks, etc.) may be stored too close together and lead to fires. This is a good example to use to drive inspection if your group is responsible for fire safety.
Too many people feel that once their data is in the cloud they no longer need to worry about backups.