Dont Forget to Lock the Door

Opinion: The more sophisticated aspects of IT security get all the attention, but all the protection in the world won't help if the janitor can log on.

Its easy when dealing with IT security to get all caught up in the tech side of things: the crypto, viruses, phishing schemes and what not. Theyre intellectually challenging to identify and satisfying to fix. Theyre the kind of problem that looks good on your quarterly review when they are solved.

But theres another kind of problem that is continually ignored by IT professionals, and its one that can bite you bad while making you look really stupid: physical security.

The historical reason for the disconnect on physical security is usually that the physical plant of a location is usually under someone elses control other than the IT department. You know, those guys in the embroidered shirts that get called when a light bulb blows. And that is a problem right there. If the IT department cant control the physical security of its installation, it cant control security. Period. This kind of security is not just for some secret government lab in the basement of Fort Meade; its for everyone.

Lets take a "simple" scenario: access control. Does the IT department specify and control how access to the computer center is handled? It should. Does the IT department even know everyone that has a key to the computer rooms door? Really? How about that guy in the embroidered shirt that has a master key to the building? Can he get in at 3 a.m. without anyone knowing it should he want to do so?

If he can, you have an open and bleeding conduit present that can give all your confidential information to the competitor that can pay that guy enough to leak it. And you know that HR is really cheap when it comes to maintenance staff. Just think about Charlie Sheens maintenance ploy in Wall Street and how it worked for him.

/zimages/5/28571.gifCareless users challenge mobile security. Click here to read more.

Lets think about another scenario that was popularized in Wall Street: your trash. Do you even think about it, or does it just disappear at the end of the day? I know this guy named Chuck that long ago and far away used to make interesting discoveries in the trash of computer companies when he went "dumpster diving." Interesting things like future plans about unannounced products or financial spreadsheet printouts. Since he was and is an ethical guy, he just used the stuff that he found for his own personal knowledge and curiosity. But he could have made serious money selling it to competitors had he not been the person that he is. Are you sure you want to trust that everyone who might be able to go through your trash is as ethical as Chuck?

Perhaps mandatory use of a paper shredder doesnt sound so bad now.

Ill say it one last time: you must control all the physical attributes of your situation along with the more ethereal ones. To do less is to simply invite disaster to your doorstep.

Larry Loeb was consulting editor for BYTE magazine and senior editor of WebWeek. He serves as a subject matter expert for the Department of Defenses Information Assurance Technology Analysis Center, and is on the American Dental Associations WG-1 and MD 156 electronic medical records working groups. Larrys latest book is "Hackproofing XML," published by Syngress (Rockland, Mass.). If youve got a tip for Larry, contact him at

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.