Governments clearly have a vested interest in Infrastructure Security. Many, if not all, of a nation’s essential services operate on physical infrastructure, often including IT infrastructure. Private companies, while usually not providing the same level of physical infrastructure, have an investment in their own IT infrastructure.
IT Security is therefore a major item on an IT department checklist. It encompasses not just digital security, but also the physical security of IT network assets such as switches and desktops. IT infrastructure and IT Security in general can extend beyond physical assets to cover the security of data and intellectual property.
Infrastructure Challenges for the Private Sector
The private sector will face IT infrastructure challenges on two main fronts:
- The physical security of assets against theft, malicious damage and other physical threats; and
- Cybersecurity against the digitally-based challenges of malware and cyber-attacks.
These imply physical responses with security hardware and software, coupled with operational policies and procedures to ensure a maximum level of IT Infrastructure Security.
Why Infrastructure Security is Important
The overall security of IT infrastructure is a critical service for the prevention of physical and digital damage to assets and data, either from natural or malicious causes. A second objective is to minimise disruption and damage following a successful attack.
It is implemented by lowering the overall risk levels that the organisation faces, leading to reductions in operational disruptions and financial losses.
IT Asset Security
IT Asset Security is usually taken to be the process of managing access to locations and facilities hosting IT equipment. However, Access Control in its fullest form is part of an overall Access Management environment that manages access to services, whether physical or application-based. It also provides a platform for other services, including Asset Management and Control. The glue that links each process is authentication.
Physical Access Security is usually based on automated access control techniques securing locations and devices based on authentication using a physical card or biometric technologies.
An ID card can continue to be a Personal Identification card. It will act as the gatekeeper to physical and electronic facilities, and it will hold and process biometric and perhaps financial data to replace existing physical methods of storage. Ultimately, it will interact with a wide range of devices, from proximity readers to financial and point of sale terminals to personal computers, scanners, printers, and perhaps even cell phones and other smart electronic devices.
Further, the use of NFC and RFID as embedded technologies in electronic devices, for example, cell phones and netbooks, is far advanced. This brings the possibility that at some point in the future, other devices and media become valid authentication devices, and the current ID card formats fall away.
The ability of cell phones and netbooks to run applications provides the opportunity for many contactless applications, including integration with point of sale and banking systems, and with Access and Asset Management.
All core equipment should be held in a secure Data Centre or similarly secured location. Other equipment, for example, wall-mounted switches housed outside the data centre, should be held in secure locations such as lockable cabinets above normal reach.
Mobile assets such as laptops should also be recorded in an asset management system that links the asset to a specified user and creates an alert if the device is removed without the real owner being present.
Policies and Procedures
The organisation needs specific policies and procedures around the movement of physical assets, for example, acquisition, disposal and equipment returned to the manufacturer for repair or replacement following a failure.
Cybersecurity, the protection of infrastructure assets, including data, against digital threats, is of equal importance. The overriding objective is to protect against cyberattacks which result in downtime, reputational damage, and unplanned recovery costs. Three levels of non-physical infrastructure can be considered:
Network security protects the integrity of data as it moves into, across and outwards on the corporate network. It usually means protection against unauthorised access, using encryption, firewalls, VPNs, and multi-factor authentication.
This mainly covers the protection of data assets against malware exploits, theft, and unauthorised access.
At the lowest level, consideration needs to be given to managing the protection of data elements. Techniques include encryption, ensuring complete and clean backups, and a strict separation of users between authorised, unauthorised, and guest access.
Disasters will happen from time to time, and the best way to minimise their effects is to be well prepared. Most prudent businesses have prepared a Business Continuity Plan, which sets out how to react to a loss of service, including IT services.
The loss can range from a total loss of IT services to a minor loss of an ancillary service. All prudent businesses have a plan for how to cope in the event of a major threat to their operations. In all cases, you need to have a programme of actions to be taken in the event of a loss of IT services as part of overall business continuity planning.
A continuity plan is not a static document. It must be regularly reviewed and updated to reflect the changing business environment.
These are some outline thoughts on the necessity and implementation of IT Infrastructure Security. The actual implementation will depend on the degree of assessed risk, and the effects of the various levels of disruption that can be caused.
In any event, it is a topic that should be under active consideration in all organisations.