With news that they are resurrecting the old Get Smart parody of the James Bond spy series in a new movie, I can’t wait to see what ridiculous and useless security measures they dream up. Some of you may remember Maxwell Smart walking purposefully down a long hallway during the opening theme, with a series of large doors opening before him until, at last, he gets to a room with nothing in it but a phone booth (click HERE). He turns around in time to watch as all the doors behind him close one after the other. He puts a few coins into the phone, makes a call and suddenly drops through the floor, and out of site.

This, apparently, is the only way into Control Headquarters. It always made me wonder how they take deliveries of office supplies and equipment…

The multiple secure doors are a great example of a zoning safeguard… except for the fact that, to be secure, each one has to close before the next one opens, so that nobody can “tailgate” without being detected or trapped. It’s this kind of subtle inconsistency that makes a safeguard that’s supposed to be secure into a bit of a joke.

As I recall the old TV series was full of these intentional inconsistencies. The “Cone of Silence” (click HERE) was the ultimate safeguard. When things were so secret that nobody else was allowed to hear, the Chief would push a button and a clear plastic structure with two bubbles connected together by a tube would descend from the ceiling and cover their heads. It was supposed to provide a secure environment for speaking so that nobody else in the room could hear. But, of course, it was transparent, so you could lip read what they were saying.

The best part was that, despite the appearance of no complicated technology to screw things up, the “Cone of Silence” never worked. They could never hear each other through the little tunnel, and they always ended up discarding it and just speaking normally. The Chief would always wince when Max would suggest, “Chief, shouldn’t we be using the Cone of Silence for this discussion?”. In reality, if they were in a secure zone the only other people in that area would be authorized to hear what they are saying. But the scene works because it is so silly.

As with most satires, it makes you laugh because it can be so true. Even the most “secure looking” environments have glaring holes, and technology often makes things that are supposed to be secure unusable. The point I’m getting to is,if you are going to spend money on security, whether it’s for your information technology or even physical security, you can be wasting your money if you don’t deploy it properly. Zoning and Access Controls are commonly misused or counter-act each other.

How Zoning Should Work

The purpose of zoning is to create areas where assets and information of similar value can be contained, and where threats can be controlled. Most often, when security zoning is done there are at least three types of zones that are considered:

1) Public Zones
2) Restricted Zones (also called Public Access Zones, Demilitarized Zones, or Reception Zones)
3) Protected Zones (also called Operations Zone, and as you get to more sensitive areas, Security Zones)

In many retail businesses, anyone can walk from the street or public parking lot (a Public Zone) into the store. Walking through the door, you are entering a Public Access or Reception Zone. It usually has a limited amount of merchandise that could be lost if somebody tried to quickly grab things off the shelf and run.

But within this zone you might also have video surveillance cameras, and a large counter separating customers from the cash. If there is a cash register in this zone, it would have a limited amount of money in it.

Some businesses will have latching gates that clearly delineate where the customers should stay, creating a slightly higher security zone where the cash register is. (Picture Eugene Levy as a Bloomingdales sales clerk in the movie “Serendipity” when John Cusak tries to get a glimpse of his cash register screen… “Hey! Please stay behind the yellow line, sir. Customers are not allowed on this side of the yellow line!” Many clerks would hesitate to confront a customer who wanders into the wrong zone.)

Beyond the Reception Zone is where more secure zones exist. So, the office would have a strong door with a lock, and maybe a two-way mirror or reinforced glass window. The objective with each zone is to limit and restrict who can get to the next zone. Each successive zone has fewer individuals with authorized access. The most valuable assets may be locked in a safe within the most secure zone.

To have escalating security zones you need to ensure that there are different security measures at access points between them. You should not be able to use the front door key to get into the office that has the safe in it. Each zone should also have stronger mechanisms for accountability and detection of access events. When the safe is opened, it should be possible to go back through electronic records, video surveillance or log books to see who was accessing it. Obviously, log books are the least reliable, unless you have a trusted guard signing people in and out (but that gets expensive).

So, just imagine all the zoning and access control safeguards Jason Bourne must have had to break just to get to Noah Vosen’s safe (in The Bourne Ultimatum), not to mention the trick Bourne used in recording Vosen saying his own name as he answered his phone, so he could play it back and break into the voice-activated safe in Vosen’s office.

Even without the latest technology, it is possible to create a secure business environment with proper planning (and without having to build Maxwell Smart’s Control Headquarters).

What this means is that you have to think about the following:

1) What assets are most valuable, or most critical to daily operations?
2) Who should have access to each type of asset, and how can you reliably limit or detect access to the most sensitive assets?
3) What systems should be put in place to ensure that the security of sensitive assets are not violated if a single access control method fails, and to detect any failures as soon as possible to limit losses?

This approach still doesn’t guarantee security, but it also doesn’t mean you need safeguards to prevent every type of security breach. This would cost too much, and it would probably work as well as it does in Get Smart.

Look for Examples of Zoning Around You

You might wonder how companies like Best Buy or Costco handle zoning. They don’t seem to have a “Reception Zone” that separates incoming visitors from the large amounts of inventory on the floor. But they do check your receipts at the door to make sure you aren’t leaving with something you didn’t pay for. Best Buy also has everything tagged for electronic inventory control. This helps, since there are two independent safeguards generally working at the exit point.

A Zone is a Zone is a Zone

Most important IT systems used by businesses should be similarly designed using security zones. The zone names may change, but the purposes are similar. So, you may hear terms such as a DMZ (or Demilitarized Zone) which is analogous to the Reception Zone.

Visitors from the Internet can usually only access a very small number of systems directly. These systems are typically Web servers and Email servers. Systems in the DMZ should also do thorough checks on the data and requests passing through them to detect and prevent attacks.

Only limited amounts of information should be in the DMZ at any given time; the minimum required to interact with visitors for collecting or serving information. The main databases and transaction servers should reside in a more secure zone (usually an Operations Zone), separated by firewalls, which only the DMZ systems can access. Any irregular events occurring between the DMZ and the Ops zones should get logged and audited regularly to detect security breaches or attempted unauthorized accesses. This way, if an attack can be detected while it’s in progress, the systems under attack can be isolated until the threat is dealt with.

There’s No Easy Way In

Finally, it’s important to make sure there are no “Back Doors”. You can have a great zoning design with the best access controls facing the customers, and your administrators decide to put another entrance from the outside directly into your secure zone that has very few safeguards protecting it. This is often what attackers look for first. The rule of thumb should be that you must not be able to “skip zones”; meaning you must go from a Public Zone to a Reception Zone before you get to an Operations Zone. And a Secure Zone should only be accessible from an Operations Zone.

In the end, proper Security Zoning makes access control easier and cheaper. You usually don’t need to spend money to protect everything with the highest level of security; only the most important assets and information. Don’t end up paying a lot of money for a Cone of Silence, when a safe or a properly configured server in a locked room within a secure zone will do.