Don't Get Lost in the Cloud, Keep a Focus on Physical Security

Working as a security consultant, I have assessed a range of clients of all shapes and sizes, and encountered just as many different security postures. One client was a five-man startup, with all security (and information technology) handled by a single individual; at the other end of the spectrum, I have worked with Fortune 500 companies employing standalone security departments with several people handling application security, vendor security, physical security, etc. Today, I’ll highlight some of my experiences with smaller clients.

The cloud computing revolution has certainly changed the way companies conduct business. Enterprises can now outsource a major part of the underlying IT infrastructure (and its associated problems) and instead focus on their core competencies. It also allows them to convert heavy capital expenditures into scalable operational expenses that can be accelerated or decelerated on demand. This flexibility is especially helpful for smaller companies, which can now access technologies previously available only to enterprises with million-dollar IT budgets.

One area where the impact has been greatest is information security. Cloud providers such as Amazon, Google and Microsoft are continually updating their environments and making them more secure, so many security responsibilities can be handed over to the provider. This includes physical security as well: enterprises no longer need to secure expensive data centers of their own.

Even so, there is still a need for physical security in the operating environment. But this need is not always well understood. For example, a client CEO once said to me, “Everything is in the cloud; why do I need physical security?” My response offered a scenario to consider. “Let’s say you’re logged into your AWS admin account on your laptop and step away for a cup of coffee; I walk in and walk away with your laptop. Will that be a security issue for you?” This client had multiple entry points to its office with no receptionist, security guard or badged entry, so I consider this scenario realistic instead of just hypothetical.

At some client locations, I have signed in on a tablet with my name and the name of the person I was there to meet; that person was notified, and I was subsequently escorted into the inner office. Note that at no point in this process was I required to verify my identity. In terms of the IAAA (Identification, Authentication, Authorization, Auditing) model, I provided an Identity, but it was never Authenticated. Looking at it another way, if somebody else had signed in under my name, that person would have gained access to the facility, because the client was expecting someone with my name to show up around that time.

Here’s another example: One of my clients, whose company handled sensitive chemicals, had doors alarmed and CCTV-monitored. However, their windows were unguarded, and at one point a drug addict broke in and stole materials worth several thousand dollars.

Obviously, smaller companies have smaller budgets, so they want to limit their spending on security. When their production environments are in the cloud, physical security of the office environment is often the last thing on their minds. However, most of them have valuable physical assets that could be secured with minimal spending. Consider these options:

  • Make sure you have only a single point of entry during normal operations. Installing an alarmed emergency exit is also highly recommended.
  • Ensure that the single point of entry is monitored by a camera. If a live feed is cost-prohibitive, store time-stamped footage offsite and retain it for at least three months so that it can be reviewed later if needed.
  • Install glass-breakage alarms on windows, along with motion sensors.
  • Set alarms to detect forced entry or a door held open for more than 30 seconds. Train employees to prevent tailgating through entry points.
  • Require employees and contractors to visibly display identification badges at all times.
  • Verify the identities of all guests and vendors prior to granting entry. Use different-colored badges for them, and encourage employees to alert management if anyone without a badge is on the premises.
  • Establish and enforce a clear-screen, clean-desk and clear-whiteboard policy.
  • Put shredding bins adjacent to printers. Shred their contents, and any unattended papers, at close of business.
  • Mandate the use of laptop locks.
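As an added illustration of the door-alarm rule in the list above (example code, not from the article or any vendor's controller), the following Python replays a constructed feed of door-controller events and flags two conditions: a door that opens without a valid badge read shortly before (forced entry) and a door held open longer than 30 seconds. The event format and the 10-second badge-to-open window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample feed from a single-door controller (not real data).
# One event per line: ISO timestamp, then BADGE_OK (valid credential read), OPEN or CLOSE.
SAMPLE_EVENTS = """\
2024-03-01T08:00:02 BADGE_OK
2024-03-01T08:00:04 OPEN
2024-03-01T08:00:09 CLOSE
2024-03-01T12:15:00 BADGE_OK
2024-03-01T12:15:03 OPEN
2024-03-01T12:15:50 CLOSE
2024-03-01T22:41:10 OPEN
2024-03-01T22:41:14 CLOSE
"""

HELD_OPEN_LIMIT = timedelta(seconds=30)  # the 30-second threshold from the recommendation
BADGE_WINDOW = timedelta(seconds=10)     # assumed: an OPEN must follow a badge read within 10 s


def parse_events(text):
    """Parse the feed into (datetime, event_kind) tuples, in the order received."""
    events = []
    for line in text.splitlines():
        ts, kind = line.split()
        events.append((datetime.fromisoformat(ts), kind))
    return events


def detect_door_alarms(events, now=None):
    """Return (timestamp, alarm) tuples for FORCED_ENTRY and HELD_OPEN conditions.

    `now` (optional) lets a door that is still open at the end of the feed,
    e.g. propped open, be reported as HELD_OPEN against the current time.
    """
    alarms = []
    last_badge = None
    opened_at = None
    for ts, kind in events:
        if kind == "BADGE_OK":
            last_badge = ts
        elif kind == "OPEN":
            # Forced entry: no valid badge read within the window before the door opened.
            if last_badge is None or ts - last_badge > BADGE_WINDOW:
                alarms.append((ts, "FORCED_ENTRY"))
            opened_at = ts
        elif kind == "CLOSE" and opened_at is not None:
            if ts - opened_at > HELD_OPEN_LIMIT:
                alarms.append((opened_at, "HELD_OPEN"))
            opened_at = None
    if opened_at is not None and now is not None and now - opened_at > HELD_OPEN_LIMIT:
        alarms.append((opened_at, "HELD_OPEN"))  # door never closed: treat as propped open
    return alarms


if __name__ == "__main__":
    for ts, alarm in detect_door_alarms(parse_events(SAMPLE_EVENTS)):
        print(ts.isoformat(), alarm)
```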

Please note: The above recommendations are not expensive to implement. Some are process-based and therefore will require employee training, but most options require minimal investment in off-the-shelf equipment. In addition, there are varying degrees of implementation – for example, contracting with a vendor to monitor and act on alarms will cost more than just sounding the alarm.

In summary, while physical security requirements have definitely been reduced by moving to the cloud, it would be foolhardy to believe they have disappeared.
