This is a phrase I have heard more than once when discussing security. It shouldn't come as a surprise -- it's why banks have vaults and secure facilities have fences. Technology security is no different -- physical access to a PC trumps all. What does that mean when you're considering IT security measures? It means that step 1 in any good security plan is making sure that your machines are stored safely. If, for instance, you have a server hosting sensitive data (like customer information, trade secrets, financial data, etc.), make sure that physical access to the server is limited. You may have firewalls, encryption, passwords, etc., but do you have a locked door to your server room? Does a janitor equipped with a screwdriver have the opportunity to open that server and pull out its hard drives? If he did, would you know? Of course, security doesn't just apply to servers. What about laptops and desktops? Are they secured? Are they physically connected to users' desks so that they can't "walk away"? Who else has access to the facility? Do you allow vendors in? What is the policy on access? Do you use sign-in sheets? Have multiple doors? Cameras? Alarms on all the external windows and doors?
I realized (in my third draft of this post) that a lot of security items relate directly to "physical access." Trying to include them all in one post would've made this quite long. Instead, I'm going to break this up into several posts. To get started, let me ask some questions relating to physical security:
- What is the password policy in your organization? Are you enforcing complex passwords? Have you educated your users about the dangers of using a password containing dictionary words and/or personally identifiable information, such as birthdates, pet names, etc.? Have you configured the "display logon screen on resume" functionality in the screensaver options? Are you using two-factor authentication so that it takes more than a password to get in?
- What is your policy on external devices? Do users have the ability to connect an external device, such as a USB thumb drive, to their machines?
- Do you use encryption software on your hard drives? If a hacker does get his/her hands on your laptop/desktop/server machine and remove the drive(s), can they access them?
The point of this is not to frighten you, but to get you to think about security in a holistic way. It's more than alarms and passwords -- it needs to be a comprehensive plan to cover all aspects of security in order to keep your data safe while allowing access to those who require it.
Watch for more posts on security-related topics. In the meantime, think about potential holes in your current security scheme.