
Access Control vs. Entry Control: The communication gap between physical and cyber security.

Background

I am a board-certified ASIS Physical Security Professional (PSP), but recently decided to move out of my comfort zone and completed a B.S. degree in cybersecurity. As I progressed through the program I started to understand more about security than I did as just a physical security practitioner. One of the big differences I noticed between physical and cyber security is the terminology used to describe different security actions. Below are example definitions from a physical security book and a cybersecurity book. Notice the different approaches to the same topic.

ASIS Protection of Assets: Physical Security Ch. 8 Entry Control:

“Entry control refers to the physical equipment used to control the movement of people or material into an area. Access control refers to the process of managing databases or other records and determining the parameters of authorized entry…”

Access Control, Authentication, and Public Key Infrastructure by Mike Chapple, Bill Ballard, Tricia Ballard, & Erin Banks Ch. 1 Access Control Framework:

“Access refers to the ability of a subject and an object to interact…Access control is a formalization of those rules for allowing or denying access. Access controls define the allowable interactions between subjects and objects…”

Problem

As you can see from the examples above, the definitions and approaches to the same issue are totally different. The physical security book separates them into two different terms, while the cybersecurity book gives a basic foundational definition that can be applied to both cyber and physical security. These examples also illustrate the communication gap between the two disciplines. I believe the physical security approach is not very efficient in today’s environment because of the heavy reliance on technologies to propel a business forward. Access control is both physical and logical; thus, it should be defined as such.

For example, it is common for physical security to use various technologies to augment the human element. Thus, it is becoming more common to integrate Physical Protection Systems (PPS) into an organization’s network so that security personnel have access to security devices and databases from remote locations. With this integration it is important for both disciplines to work together to ensure new products do not increase network risk. If the physical security practitioner believes access control pertains only to the process of managing databases and other digital records, then they might overlook or not understand the network requirements for new software to access the network. This can put design and implementation behind schedule, cause the new system not to function as needed, or put the network at risk. On the other hand, if the two disciplines are trying to say the same thing in different ways, it could create more confusion when trying to decide on a new PPS.

I was in a meeting with network security and physical security, and both were talking about dual authentication. The network security specialist kept referring to the three common factors of authentication while the physical security specialist kept referring specifically to security tokens and PINs. This discussion went on for about 15 minutes before both of them realized they were talking about the same topic. As the Internet of Things (IoT) and security technologies become commonplace in business, physical and cyber security are becoming more integrated. However, their lack of common terms and definitions creates a communication gap that could increase organizational risk.
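The subject/object definition quoted from Chapple et al. and the tokens-versus-factors exchange above can be expressed as a single policy check that does not care whether the object is a door or a host. This is an added example, not code from the post; the subjects, objects, credential store and the "two distinct factor classes" rule are constructed assumptions.

```python
# Added example, not from the post: one subject/object access-control check
# that serves both a door (entry-control hardware) and a host. Subjects,
# objects, credentials and policy values below are constructed.
from dataclasses import dataclass

# The three common authentication factors, keyed by credential type.
# A badge is physical security's "token"; a PIN is "something you know".
FACTOR_OF = {"badge": "something_you_have", "fingerprint": "something_you_are",
             "pin": "something_you_know", "password": "something_you_know"}

@dataclass
class Subject:
    name: str
    roles: set
    presented: dict  # credential type -> value offered at reader or logon

@dataclass
class Obj:
    name: str
    kind: str          # "door" or "host"; the rule below does not care
    allowed_roles: set
    min_factors: int   # 2 == "dual authentication"

def distinct_factors(cred_types):
    """PIN + password are the same factor class, so they count once."""
    return {FACTOR_OF[c] for c in cred_types if c in FACTOR_OF}

def evaluate(subject, obj, verify):
    """Return (allowed, factor set, reason). verify(subject, type, value)
    checks one presented credential against the access-control database."""
    if not subject.roles & obj.allowed_roles:
        return False, set(), f"{subject.name} holds no role for {obj.name}"
    ok = [c for c, v in subject.presented.items() if verify(subject, c, v)]
    factors = distinct_factors(ok)
    if len(factors) < obj.min_factors:
        return False, factors, f"{obj.name} needs {obj.min_factors} factors"
    return True, factors, "authorized"

# Constructed credential store; a real one holds hashes, not raw values.
CREDENTIAL_DB = {("alice", "badge"): "B-1001", ("alice", "pin"): "4821",
                 ("alice", "password"): "hunter2"}

def db_verify(subject, cred_type, value):
    return CREDENTIAL_DB.get((subject.name, cred_type)) == value

SERVER_ROOM = Obj("server-room-door", "door", {"facilities", "netops"}, 2)
DB_HOST = Obj("db-host", "host", {"netops"}, 2)
```

The same `evaluate` call decides the badge-plus-PIN request at the server-room reader and the logon to the host; a PIN plus a password is two credentials but only one factor class, so it fails the dual-authentication rule at either object.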

Potential Solutions

Organize Physical and Cyber Security Under One Business Element.

Both disciplines share some of the same risks, vulnerabilities, and threats, and oftentimes have to work together to reduce organizational risk. As physical security practitioners use more technology they will have to collaborate with cybersecurity more often to ensure new products meet network security requirements. Cybersecurity practitioners should work with physical security to ensure proper physical measures are in place to protect their physical network assets. However, putting both disciplines under the same business element is going to require strong leadership. This means CSOs need to have a strong understanding of both physical and cyber security. We are already seeing a trend toward this requirement in job postings for CSOs.

Develop Common Understanding Between Disciplines

Education and training are the best way to develop a common understanding of both disciplines. This can be accomplished by encouraging cybersecurity specialists to expand their security knowledge by taking physical security related courses. Since the first layer in defense in depth (DiD) is physical security, this will significantly enhance communication and understanding of this layer. Physical security specialists should be encouraged to take cybersecurity courses as well. This will help them better understand how to implement PPS in a network, how to respond to cyber threats targeting the physical layer, and how to develop policies and procedures that cover the overlapping areas in both disciplines.