Posted by Simon Perry on January 30th, 2008

One of the goals of SecurityExtra is to explore the overlap between physical and digital security while recognising there are differences that need to be respected in these two domains.

When large amounts of data are lost, I often hear the responsible party say: “We’ve a thorough security policy in place; this is a case where the data just fell through the cracks.”

I want to explore that simple sentence for a moment, before circling back to look at its implication to information security.

Cracks are gaps, spaces between objects or ideas, voids into which something or someone may unwittingly fall. Though with all the errant data having fallen into all those cracks it is a wonder that there is any more room in there anymore.

That these gaps exist in the first place indicates that two or more concepts are not seamlessly joined or overlapped in the first place. If they were, there would no void in the first place into which we could stumble.

Considering the alternative gives us one of those simple ‘aha’ moments.

In physical design, considering the whole is important. Good design is sympathetic to the characteristics and structures of all the various materials we use. Each overlapping, and complementing the other.

The simplest everyday examples are the expansion strips between concrete slabs, as one component expands in the hot sun the other takes up the strain by being squeezed, avoiding damage to the whole.

When we take this approach we are far less likely to be blindsided by the failures of one component of our overall design, because we have catered for that behaviour in the design of another aspect.

In the world of information security however, we often fall into the trap of allowing ourselves to perceive there to be a void between the world of physical security, and world of logical security.

Yet information itself is simply the recording of facts and ideas, which by its nature easily transverses between these two worlds, and in doing demonstrates that the void isn’t really there at all.

There are many intersections where we need to treat the design and operational management of the logical and the physical as one, or at least as components of the whole, if we are to improve the way we deal with information security.