Have you ever noticed how the things we do in the electronic security world mirror the things we do in the physical world? We deploy firewalls at our network perimeter like we put fences near our property lines. We make rules in firewalls to allow certain traffic through just like we have guards that allow authorized parties access to physical assets. In the physical world, visible security controls could take the form of an employee with a badge or a visitor that is escorted. It’s remarkably similar.

CEO Face, by rogerimp

But what about the bad side of security? You know, those dumb things that smart people do to cause incidents?

Most corporate networks are incredibly flat and operate more like a university and less like compartmentalized zones. Outside of government installations and some data centers I have seen, the physical world matches this. Sure, you may have a separate set of guards or different authorization levels for physical access to a data center, but you can get an amazing amount of sensitive information without physical access to a data center. All it takes is some access to a network jack somewhere past the front door and it is ON.

To further illustrate my point, when was the last time you saw someone who looked out of place and confronted them? “May I help you? You look lost. Can I see your badge? Who is supposed to be escorting you?” Would you stop someone dressed in a suit and tie, confidently walking the halls? What if he was wearing a pizza delivery uniform? What about medical scrubs? What about a hoodie with some bling?

If you look at how we do things in the physical world, this whole information security nonsense is strange. It’s no wonder we struggle with things like network segmentation or trusted enclaves; we rarely (barely in many cases) do it in the physical world. It isn’t a foreign concept; it’s just not practiced regularly.

This post originally appeared on BrandenWilliams.com.