What does good physical security look like?
Cybersecurity gets a lot of attention today. With remote work more prevalent than ever, there’s a renewed focus on securing our digital and virtual workspaces, data, and more from seemingly far-away threats like the cyber mafia.
However, the physical access to your data center, data closet, or wherever you lock away the beating heart of your organization is just as important. But many businesses, especially those that have compliance requirements related to their physical security, are often not in line with best practices in their defenses.
In my 20 years focused on security and compliance, I’ve found that you learn to know a best practice when you’ve lived through it. Having helped businesses of all kinds in industries with compliance considerations like healthcare, manufacturing, legal, and finance, as well as others without, I know how difficult it can be to keep up with ever-changing requirements.
That’s why I recorded the video and wrote the article below: to help you understand why physical security is important, what good physical security looks like, and what it doesn’t look like. I’ll also talk about a specific piece of technology that can check off many of the feature boxes you’ll want to have as part of your physical security solution. All without the struggle of defining your own best practices only to find in reality that they’re only a best practice for utter disaster.
Watch my video here. Also, please forgive the lighting – consider it as an example of why you’d want a motion activated light in your data center and not just a light switch. We’ll dive into that in a bit.
Why is Physical Security Important?
The initiative for physical security is likely compliance driven. Most people would not start up a new physical security element unless they’re driven by a compliance requirement. But if you're not driven by compliance, you still need to apply the best practices to physical security to protect critical business assets.
Most people think of government data when they think about sensitive data, but any business data needs to be protected.
Just ask your competitor.
Anyone with a data center needs to be tracking by NIST standards or any other ingress and egress to your data center for a multitude of reasons. The most straight forward reason is because you need to control who has access to the keys to your kingdom. It is your kingdom, that data in your data center/closet is under your control and you need to control who has access to it.
You as an IT manager, CIO, IT director, individual IT contributor, or whatever your role may be can’t be the only one.
What Physical Security Best Practices Don’t Look Like
Some organizations think that blocking physical access to the data center, such as by having it behind a locked door with only one entrance or exit, is enough. However, there's quite a few more elements that would need to be involved there. Just tracking ingress and egress to the building or to the data center doors itself does not provide a full complement of security compliance.
If you’re not logging access to this secure area, you’re also missing some best practice (and likely compliance) requirements. The clipboard sign in sheet next to the door isn’t going to cut it here either. You want to be able to see point in time who accessed that area, when they accessed, where they went, and what they did.
Many log structures are done by badge access or biometrics. While these seem secure on paper, there are some definite flaws in just relying on them for physical security. Consider scenarios where a badge, key fob, etc. is lost or stolen. The badge is assigned to a certain person, so your logs say it was that person that accessed your data center when in reality it was likely someone with bad intent in that scenario.
You may contend that biometrics could fix that problem but they have their own blind spot: consider how that log would look if your employee was leading a customer tour or scanned a co-worker in while they were both chatting in front of the data center. Though these situations may not seem worrisome, a would-be criminal could employ social engineering tactics to plant themselves among that tour group and your employee may not be aware before they scanned that entire group in.
Typically, this is where something like video monitoring can help. You get recorded, historical insight into that secure area access. However, there’s also some underlying security issues with the typical video system setup that the average business uses.
Most video systems being used in the average business place is for ingress and egress. They're typically DVR associated systems and the cameras are mounted in strategic locations to track just access to the building. But putting that DVR device inside the data center – which isn’t uncommon - can defeat the whole purpose of having the cameras in the first place, since it's easy to steal and provides a single point of failure for the entire environment.
Another potential tripping point is lighting. As I mentioned above, having only a basic light switch controlling the lighting in your data center won’t do your video system much good as it’s unlikely an individual looking to do something unsavory is going to turn the lights on beforehand.
A better option is motion activated lights. These will automatically turn on when they detect movement within their coverage range - literally shedding some light on the situation as your video system rolls.
Based on the above, lets assume a business has this not uncommon setup: check-in at the front desk, badge-only access to the data center, a DVR video system in the data center with a camera mounted inside the data center, and standard lighting. This checks off many of the basics on paper. Here’s a common scenario that can play out with that setup:
This hypothetical organization hires a pen tester to evaluate their physical security. The pen tester, assuming the role of a criminal, gains access to the building by dressing up as a vendor representative wearing a shirt that they purchased directly from that vendor’s website. They’re friendly and nice with the people at the front desk so they don’t think twice when the pen tester checks in as a person from the vendor they’re pretending to be from.
The pen tester has a camera running so everything they’re seeing; the camera is too. They approach the data center door as an employee is accessing it, whether through badge or biometrics. The pen tester puts a little haste in their step and says, "Hey, wait a minute, hold on, I gotta get in there!" Most people are nice and trusting so the employee holds the door open for the pen tester. Once inside, the pen tester’s camera is picking up everything in your data center – the layout, the equipment, any information left out or credentials placed on a sticky note attached to the device it grants access to because it was assumed this was a secure area.
Eventually, the actual employee exists the data center with the pen tester citing some perceived legitimate reason as to why they are remaining in the data center – if they’re even questioned at all. Having seen the DVR video system and camera when they entered the data center, they know to seek out the base DVR device to disconnect it and take it with them thereby removing all evidence of their access to this secure area. Then, they’re free to do as they wish before slipping back out the door.
Fortunately, in that scenario it was a pen tester that was hired by the hypothetical company and they’ll take the vulnerability information learned from the pen tester to improve their physical security.
However, what if that wasn’t a pen tester but an actual criminal? All of the sudden that company could experience a data breach, find that their equipment was sabotaged or stolen, discover a rogue malicious device on the network now compromising their cybersecurity, or other more complex consequences to their business.
That company could then face severe direct financial loses, reputation damage, potential legal fees and associated remediation costs. If that company also needed to be compliant due to their work with certain clients, they’d likely lose those contracts and even possibly that entire line of business, and other potential fallout.
Worse still? Based on their physical security setup and the actions taken by the criminal, they’d have little to no idea as to what happened.
A Simple Way to Augment Physical Security
In general, video systems (when done correctly) are a great way to check off many of the boxes you’d be looking for when reviewing the needs of your physical security system. For example, most compliance requirements generally revolve around planning and logging. You need to have your plans and you need to have your logs. Video can help with that by providing evidence of access from a logging standpoint.
Making sure you have enough cameras to cover the area that you’re protecting, and proper lighting of those areas seems basic but is important. You want to have video coverage both inside and outside of your data center.
However, as we walked through above, there’s some inherent challenges with DVR-based video systems. Moving the DVR itself outside of the data center and into a different secure area is an important first step but there’s other inherent weaknesses. While these systems can be good for educational purposes and potentially for legal remediation, these recordings must be secure, irrefutable, and archivable.
This can present a challenge for DVR based systems as some don’t have built in archival capabilities (or at least ones that come easily), can be costly and cumbersome if they rely on physical media for archiving, can be difficult to pinpoint certain timeframes or track certain people of interest, and present security challenges based on their data storage, transfer, archiving, and connection protocols.
Smart Cameras are a Better Way Toward Physical Security
When it comes to physical security best practices, and utilizing video as a main component of those best practice and compliance considerations, smart cameras like those offered by Cisco in the Meraki MV series of products are simply a better option and an easier way to achieve enhanced security.
Though other smart cameras may have similar features, I’m specifically going to use the Cisco Meraki MV series as an example here because of my familiarity with it and because it’s a best of breed solution.
I mentioned above that for video to assist in legal remediation, it needs to be irrefutable, secure and capable of being archived (ideally, easily).
From a tracking/monitoring standpoint towards proving logged access, you get high definition video recording with remotely adjustable optical settings that’s logged. You have the option of motion activated recording and even motion alerting where the camera can alert you if it detects any activity in its coverage area. For example, you could place one in a data closet that is rarely ever accessed.
On top of that you also get functionality like motion heat maps, object detection, and anonymized analytics that can benefit your business in other ways beyond a basic camera keeping an eye on things. You can view these recordings from anywhere if you choose to setup your system with automatic network detection. These cameras never stop recording, even if the network connection fails, thanks to integrated solid state storage.
A quick note here that all that high definition video recording may sound like it could potentially clog up your bandwidth, but Cisco already accounted for that concern. These cameras use less than 50 kbps of data per camera when video isn’t being viewed and only uses WAN bandwidth when it’s needed. In the case of the motion activated recording setup – if there’s no movement, there’s no data being transmitted.
Much like many of Cisco’s products, security is baked in from the beginning. The Meraki MV series includes password access, which is not all that common in a DVR system. However, smart cameras like the Meraki MV series are cloud managed which may give some folks pause. In the case of the Meraki MV series, there’s full security access through their portal system and also multi-factor authentication making it a very secure platform for access.
All data handled by the Cisco Meraki MV system is encrypted in transit and at rest. Data is stored on the camera. The data that is stored on the camera is encrypted. That data is transmitted in chunks up to the cloud environment that is encrypted in transit, as well as in storage, in the cloud environment.
Beyond that, If the camera is removed from the network, the local video is deleted. The system also supports alerting if a camera goes offline or is changed so you’ll know immediately if something is amiss.
Finally, when it comes to archiving and retrieval, the cloud platform provides 30, 90, 180, and 365 day options and can even be set on a per camera basis.
Take Physical Security as Seriously as Cybersecurity
It’s tempting to say that with the transition to more remote workforces that there’s less of a need for physical security, but I’d argue that’s not the case – especially if you have compliance requirements. When looked at collectively, physical security is an important layer in a defense in depth strategy and strengthens your entire security posture.
If anything, it may be time to get more efficient with your physical security by reviewing your protocols, systems, and where you may have gaps and vulnerabilities. If you’re not using smart cameras like the Cisco Meraki MV series today, you may want to consider adding them to your environment if you have no video system today or replacing a legacy, standard system for improved performance and value.
I’ve been with Kelser for over 30 years and we’ve helped thousands of businesses across all industries tackle their security and compliance considerations – whether physical or cyber – in a way that has left our clients feeling confident, secure, and empowered.
If you have any questions about your physical security or cybersecurity, please feel free to reach out to myself and Kelser. We’re happy to help you navigate the ever-changing considerations of security and compliance.