The illusion of security.

Author: McEnvoy, Neil

The biggest threat to corporate security today may well be the plethora of security products widely deployed. That is not to say that companies should not be investing in security, but rather that more attention needs to be paid to matching solutions to requirements, ensuring that these solutions are not patchworked together, and finally administering them properly once they are installed.

There is no point in deploying a fantastic access control solution that requires users to insert their chip card if they are only going to leave it on their desk when they go home, thereby giving any opportunist or lazy social engineer trouble-free access to the corporate network. It is regularly observed that no matter how many times security professionals rewrite the corporate security policy document, and no matter what penalties are imposed for non-compliance, users continue to flout the rules. Perhaps it is time for a more practical approach: if it is important that users take their access cards away from their machines, require the cards for leaving and entering the building. The user no longer views removing the card as an inconvenience when the clock strikes five, but rather as a prerequisite for smooth and timely departure and trouble-free entry. There is then the old problem of getting staff to secure the card. By enabling other applications on the card, such as an electronic purse for purchasing lunch or snacks on the premises, the firm can give the staff member an increased incentive to secure the card whilst also ensuring that the card becomes more and more integrated into the lifestyle and habits of the user. Through careful planning the security manager has significantly increased the security of the firm. If the card policy for entry and departure is stringently enforced, then access is now controlled.

Now the administrator has a major security problem: once again, people are presuming that the environment is relatively secure. Yet if a card is stolen, the thief could still, in theory, enter the building, purchase a nice lunch, proceed to steal considerable confidential data, down a cappuccino and depart.

There are two ways in which the security manager can proceed. Using traditional methods, the security manager could add a photograph to the card, with the cards then inspected by security personnel as users enter and leave the building.

For log-on the security manager could also request a password and challenge phrase to be used in conjunction with...
