Dealing with IT Standards and Requirements

For some years now, IT departments have had compliance software available to them that goes out onto the network and automatically examines connected equipment, identifying any that do not meet IT's requirements.

When I received the answers in response to this column's question — which asked if you have ever put security systems onto the corporate network without collaborating with IT first — I realized that an introduction is in order about this kind of technology. James Connor, currently the principal of security consultancy N2N Secure (www.n2nsecure.com), and formerly the senior manager of Global Security Systems at Symantec, provided the introducton above — sooner or later, every security manager with security systems can expect to be affected by compliance software.

Any new electronic product that hits the shelf from now on will be looking to leverage the network and take advantage of the capabilities that come with a more mainstream approach to what will essentially be just another "endpoint," as our IT department counterparts call them. Computers, printers, conference phones and so on are called endpoints because they are a point at which data is received, processed, and sent back to other devices on the network. They are an active device at the end of a network connection. Now cameras and card readers, for example, are becoming network endpoints. Endpoints that are not subject to a service level agreement (SLA) with IT, and which are not actively being managed by IT or by a contracted service organization according to IT requirements, are referred to as "orphan endpoints."

One truth is that we will be able to move forward from our traditional world of propriety security devices and systems solely because we want the capabilities of new technology. A primary driver is that new IP products are offering a lower total cost of ownership (TCO) by utilizing what every company already owns — its own IT infrastructure.

On one hand, security practitioners want capabilities that the new technology has to offer. On the other hand, most practitioners are not prepared to exist in this new and seemingly hostile environment of SLAs, compliance and internal governance that dictate the management and lifecycle of existence for devices that reside on a managed network infrastructure.

As new IT compliance products emerge to assist the weary IT/IS manager, security practitioners will see e-mails that look something like this:

This system (Windows 2003 server at IP address 174.16.254.1) is very vulnerable due to:

• Unmanaged SAV (Symantec AntiVirus) client
• Unprotected ports
• Not a domain member
• Unmanaged (no domain group policy applied) etc.
• Not monitored
• No support/maintenance SLA exists
• Not server list for monthly security patch deployment

As Server Operation manager, I can not allow this server plugged onto the network.

The days of deploying DVRs, Physical Access Control Systems (PACS) and other orphan endpoints with anonymity and flying under the radar of IT compliance are rapidly coming to an end. This is a good thing for those of us who wish not to have physical security systems ironically end up as the biggest threat to the logical security of our corporate enterprise.

Q: Have you put security systems onto the corporate network without collaborating with IT first. If so, what was the result?

A: A few years ago we put a few devices on our security LAN just to try them out. A few hours later we got a call from IT about "rogue IP addresses" on our LAN. We were surprised that they knew about it. We learned that they have scanning software that checks the network for non-registered IP addresses, and that also checks the equipment for known vulnerabilities (open computer ports, for example). That was the start of our collaboration with IT.

— Security manager, port authority

A: We put some additional workstations on our company network, and connected our access control system server to the company network using a second network card in the server. The purpose was to allow us to access the access control and monitoring software from more locations on our campus. By trial and error, we found IP addresses that were not in use and this worked for a while. Then suddenly the connections weren't working any more, and we couldn't find any IP addresses that worked. That drove us to call IT and find someone we could get tech support from. They gave us some documents that contained the requirements for computers and devices to be placed on the network. Once we patched the operating systems and installed anti-virus software, they helped us put them back onto the network.

— Security manager, commercial real estate management company

New Questions

Q: How long have you been collaborating with IT about networked security systems? Who made the first move, the Security or IT department? E-mail your answer to ConvergenceQA@go-rbcs.com. We don't need to reveal your name or company in the column, but we'd be happy to credit your for your quotation.

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). Visit www.go-rbcs.com or call 949-831-6788 for more information.