Formed in response to a NIST report on cloud security, a task group is developing standards to combat intrusion, sabotage, vandalism and theft of cabling infrastructure.
By Patrick McLaughlin
Much has been said and written about the concept of cabling for security systems, such as cabling infrastructure's support of Internet Protocol (IP)-based surveillance applications. Far less seems to be said about the security of the cabling systems themselves. That concept came to light recently when Grant Seiffert, president of the Telecommunications Industry Association (TIA; www.tiaonline.org), authored an article that appeared in an issue of "THE CIP Report," which is a monthly publication produced by the George Mason University School of Law Center for Infrastructure Protection and Homeland Security.
As Seiffert states in the article, "One area currently facing security threats is cloud computing," citing a National Institute of Standards and Technology (NIST; www.nist.gov) report identifying gaps for standards coverage related to the cloud. "In response to this report [U.S. Government Cloud Computing Technology Roadmap, Volume II – Useful Information for Cloud Adopters], TIA's Engineering Committees are working on standards to close these security gaps," Seiffert says. "Of particular, current interest is the infrastructure security for the cloud and for the infrastructure that connects people and devices to the cloud."
TIA task group
Seiffert's article later explains that in February 2012, the TIA's TR-42 Engineering Committee created a Task Group on Network Security "to identify and develop appropriate content to address this cloud security gap." The group "is developing standards to combat four threats: intrusion, sabotage, vandalism and theft," Seiffert states. He then points out several existing requirements and guidelines, within standards written by TR-42 subcommittees, which already address some of these issues.
For example, TIA-942 "provides requirements and guidelines for several security-related subjects involving data centers, which serve as the engines of the cloud," Seiffert reports. (It appears Seiffert's article talks in generalized terms about the TIA's standards series. His reference to TIA-942 also applies to its recent update, TIA-942-A, which also includes guidelines for security measures in data centers. A later reference to TIA-569 incorporates the subsequent 569-A and -B standards.) "This document includes security-related requirements and guidelines appropriate for data centers on the placement of telecommunications spaces, architectural considerations, signage, cable routing, access points, supporting equipment and site selection."
Seiffert then explains that while the NIST report puts focus on data centers, "Prudence would dictate that similar guidance apply to the physical security for other types of premises where cloud access is of particular importance … Accordingly, the Task Group on Network Security is not limiting the focus of the discussions to data centers." Furthermore, the group has pointed out installation guidelines in other existing standards--TIA-569 Telecommunications Pathways and Spaces, TIA-568-C.0 Generic Telecommunications Cabling for Customer Premises, TIA-568-C.1 Commercial Building Telecommunications Cabling Standard, and TIA-606 Administration Standard for Telecommunications Infrastructure--as examples of specifications that consider the protection of cabling infrastructure.
Additionally, the TR-42 Task Group on Network Security used a certain portion of the NIST report as a springboard for another path of consideration. The NIST report's Clause 5 includes the statement: "The (perceived) lack of visibility and control over the IT assets often runs counter to the existing security policies and practices that assume complete organization ownership and physical security boundaries …" Seiffert explained that in response to this concern, the task group "has been discussing important aspects of physical security, including the recognition of unauthorized modifications or rerouting of a network path. The Task Group has developed recommendations related to how the telecommunications infrastructure design should be a component of the facility's security plan."
Seiffert further discloses that the task group "is developing guidelines for automated systems that should enhance the security of the cabling. The automated functions might include such features as detecting changes to patch cord placement, connection to inactive or open equipment ports, and interruption in signal traffic." Guidelines already drafted by the task group also have recommendations for actions to be taken in response to any type of alarm condition. "These actions," Seiffert notes, "might include activating external device alarms and security video devices that feed detailed and useful information to appropriate personnel and systems. While these types of systems are already available in the market, the need for some minimum level of consistency in the services provided is essential to promote their deployment, operation and use."
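The three automated functions named above (patch cord changes, connections to inactive ports, and interruptions in signal traffic) can be pictured as a comparison between documented patch records and observed link events. The sketch below is an added example, not code from the article, the TIA or any product; the port names, event format and five-second outage threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline (assumption): documented patch records, panel port -> far end.
# None marks a port documented as inactive; unknown ports are treated the same way.
BASELINE = {"PP1-01": "SW1-01", "PP1-02": "SW1-02", "PP1-03": None}

# Constructed, time-ordered link events: (seconds, port, state, observed far end).
EVENTS = [
    (100, "PP1-01", "down", None),
    (102, "PP1-01", "up", "SW1-01"),   # brief blip, same far end
    (200, "PP1-02", "down", None),
    (230, "PP1-02", "up", "SW1-07"),   # cord moved to a different far end
    (300, "PP1-03", "up", "SW1-09"),   # something plugged into an inactive port
    (400, "PP1-01", "down", None),     # never comes back
]

@dataclass(frozen=True)
class Alarm:
    time: int
    port: str
    kind: str
    detail: str

def evaluate(events, now, baseline=BASELINE, max_outage_s=5):
    """Compare link events with the documented patch records and return alarms."""
    alarms, down_since = [], {}
    for t, port, state, peer in events:
        expected = baseline.get(port)
        if state == "down":
            if expected is not None:
                down_since[port] = t          # start timing the outage
            continue
        started = down_since.pop(port, None)
        if expected is None:
            alarms.append(Alarm(t, port, "inactive_port_connected", f"far end {peer}"))
        elif peer != expected:
            alarms.append(Alarm(t, port, "patch_change", f"expected {expected}, saw {peer}"))
        elif started is not None and t - started > max_outage_s:
            alarms.append(Alarm(t, port, "signal_interruption", f"{t - started}s outage"))
    # Links that are still down when the evaluation runs.
    for port, started in sorted(down_since.items()):
        if now - started > max_outage_s:
            alarms.append(Alarm(now, port, "signal_interruption", f"down since t={started}"))
    return alarms

if __name__ == "__main__":
    for alarm in evaluate(EVENTS, now=460):
        print(alarm)
```

Each alarm kind would then be mapped to the response actions the draft guidelines describe, such as external device alarms or security video.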
NIST report details
The NIST report is an 85-page document, officially in draft form, and is accessible at the nist.gov website. The report's aforementioned comment about visibility and control over IT assets comes in the introduction to its fifth section. The report has seven sections in all. That intro reads, "Industry surveys consistently show that security, privacy and compliance are among the greatest concerns of organizations considering adopting cloud solutions. For USG [United States government] agencies, such concerns are often heightened due to the sensitivity of information being handled and the gravity of the consequences of failing to protect such information. Indeed, cloud computing characteristics do bring unique security challenges …"
It then lists the following specific challenges, the second of which is cited in the TIA article.
- Broad network access, a prerequisite for moving IT assets into the cloud, has the potential to introduce new cyber threats.
- The (perceived) lack of visibility and control over the IT assets often runs counter to the existing security policies and practices that assume complete organizational ownership and physical security boundaries.
- Multi-tenancy is prevalent in real-world cloud solutions and a source of concern related to segmentation, isolation and incident response.
The NIST report follows that list by stating that these challenges "are not insurmountable. The key to secure cloud computing lies in understanding the security requirements in the particular cloud architectural contexts and mapping them to proper security controls and practices in technical, operational and management dimensions. In addition, cloud computing brings new benefits to security architectures and solutions, resulting in services that could be made more robust and resilient."
It then provides two such examples.
- Well-defined resource abstraction layers (infrastructure, platform and software apps) bring more architectural flexibility, allowing for application of more effective security countermeasures at each layer, resulting in better "defense in depth" compared with traditional, rigid security controls relying on physical attributes (such as specific devices, MAC addresses, etc.).
- A cloud provider may achieve better "economies of scale" in applying security improvements to many consumers. For example, a new control designed to remedy one consumer's vulnerability may be more quickly applied for all consumers.
As technologies like IP and security systems collide, requiring the highest possible performance out of cabling systems, the silos within the cabling and networking realms also are colliding. Cloud computing, cabling and security are intertwined in the ongoing need to secure vital and often sensitive information in today's technology chambers.
Patrick McLaughlin is our chief editor.