Analyzing fundamental flaws: Opening vs. unlocking

The long view of security strategies for your network.

I've been doing facilities security assessments and reports for over two decades and still occasionally get requests for that kind of work. Recently, one of my local clients reported a problem with the two doors on its small Vermont office building. Seems the police found one of the doors unlocked in the middle of the night and called the security firm to get them locked. The manager of this 50-employee medical billing firm sent out a plea to all her employees asking them to please remember to lock the doors when leaving the building. She copied me on her message and here's what I replied.

* * *

Sally, you are facing the same problems in physical security that information security professionals face all the time: people cannot effectively compensate for a fundamentally flawed technology.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

I've been doing facilities security assessments and reports for over two decades and still occasionally get requests for that kind of work. Recently, one of my local clients reported a problem with the two doors on its small Vermont office building. Seems the police found one of the doors unlocked in the middle of the night and called the security firm to get them locked. The manager of this 50-employee medical billing firm sent out a plea to all her employees asking them to please remember to lock the doors when leaving the building. She copied me on her message and here's what I replied.

* * *

Sally, you are facing the same problems in physical security that information security professionals face all the time: people cannot effectively compensate for a fundamentally flawed technology.

In computing, for example, system managers struggle constantly with passwords. Users create terrible passwords – names of spouses, names of children, names of pets – or use the word “password” itself! No matter how much we try to teach our users about good password hygiene, the problem is that passwords are a terrible way to control access to restricted resources! The whole idea that we should rely on users to develop and execute such an important element of access controls is fundamentally flawed, as any security officer will tell you from bitter experience.

The fundamental problem with the locks on your building is that they are badly designed. The operation to open the door requires unlocking the lock. A properly designed lock allows a user to open the door with one method but requires a different method to unlock the lock. For example, the locks on Dewey Hall at Norwich University [where the School of Business and Management offices are located] allow a key user to turn the key counterclockwise to open the door – but that operation leaves the door locked. One must turn the key hard and clockwise to unlock the lock, and there’s a pronounced click that serves as additional feedback to alert the user that the door has been unlocked.

My prediction as a security specialist is that no amount of haranguing will ever solve your door problem; the futility of the lectures is worsened by the complete impossibility of referring to an audit trail that would identify who failed to re-lock the doors: there is no audit trail.

The cheapest solution is to pay for new physical locks with the same keys if possible. Use the same approach as that described for the Dewey Hall locks. However, even that improvement will not resolve the problem: Nothing stops someone from accidentally unlocking the door by mistake or from unlocking the door and forgetting to lock it – and there is no audit trail to tell us who did it (and thus to help reduce the likelihood that an individual will repeat their mistake).

Given the hundreds of thousands of dollars of valuable computer and audiovisual equipment in the building, coupled with the wealth of confidential information available on paper, on magnetic media and through unsecured network access, I recommend that you invest in two electronic access systems: one for the front door and one for the back door. A proximity-card system would allow authorized personnel to enter the building without difficulty – and would establish an audit trail at the same time without requiring any action by the employees.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.