A Question of Convergence

May 1, 2006 12:00 PM, By Michael Fickes



A couple of years ago, while researching the security needs of large multi-location corporations, Quantum Secure Inc. of San Jose, Calif., discovered an odd correlation between logical and physical security requirements.

Corporate security directors were saying that they wanted to automate their closed circuit television (CCTV) systems to pan video cameras onto the doors of their facilities during denial-of-service (DoS) attacks on their networks. The security directors also wanted automatic alerts sent to patrolling security officers ordering them to watch all physical doors.

Why? “A number of companies told us that DoS attacks are sometimes followed by physical robberies,” says Ajay Jain, CEO of Quantum Secure. “While employees are distracted by the DoS attack, it is possible to steal laptops, servers and other devices storing sensitive information.”

Just as a logical attack can pave the way for a physical robbery, a physical break-in can make a logical attack possible. Not long ago, for example, a team of hackers somehow acquired an access card that had belonged to a night cleaning company whose contract had been terminated. The card still opened the doors of a bank. One night the hackers entered the bank and planted bugging devices on its computers. The next day they collected the captured user names and passwords, logged into the bank's network and carried out a major identity theft.

A single security system that combined the capabilities of physical and logical security technologies could have prevented the theft. “If you tie logical and physical security and ID management into the human resources (HR) system, then when someone is fired at 3 p.m., that event propagates through the system and removes that person's access rights to get into buildings and onto networks and applications,” says Stephen Thompson, director of marketing for fire and security with Johnson Controls Inc., Milwaukee.

Likewise, a security director surprised by a DoS attack might need five minutes to order cameras moved and officers to their posts, Jain says. But an intrusion detection system that spots a DoS attack as it begins can be integrated with the physical security software so that it orients the cameras, locks the doors and dispatches security officers to every access point before thieves make it into the building.

Someone will always think of some new way to attack a building or a network. Coordinating information technology (IT) security and physical security can help ward off criminals who figure out how to use a company's computer network to get into the company's physical building and vice versa.

How to make the CFO angry

One reason physical and IT security directors are lagging in their efforts to converge ID-card management functions is that they rarely speak to each other. Each manages a different kind of door: physical doors and logical doors. Each has followed a career path different from the other. Each reports up through a different corporate chain.

The two sides never had much reason to talk until the chief financial officers (CFOs) got mad. Several years ago, it became standard operating procedure for large security purchase orders to pass through the CFO's office. At the same time, a security research firm called 4A International had begun interviewing CFOs about security spending. “The CFOs we interviewed often spoke of similar experiences,” says Steve Hunt, president of 4A International, Chicago. “They would receive a purchase order for a new ID management software system from the IT department and another purchase order from the physical security department for a card and credential management system. Both would arrive at about the same time.

“Since the CFOs were unfamiliar with both of these technologies, they would ask what the systems did,” Hunt continues. “Both the physical and IT people gave the same answer: ‘These systems manage employees' access privileges to corporate assets.’”

The CFOs, not unexpectedly, responded by saying: “If you are both managing the same employees for the same company, why do we have to pay for two technologies that do the same thing?”

John Heimann, director of security program management for Oracle Corp., Redwood Shores, Calif., sees the point. “We are all creating users and managing privileges,” he says. “You want to get new users up and running as fast as possible when you hire them, reassign them or promote them. And you want to get them out as fast as you can when they lose privileges. It does not matter if it is a door to the facility or a Web application.”

A million and one convergent points

Convergence is vast. It encompasses cooperative needs that range from robbers distracting company employees with DoS attacks, through activities carried out with stolen passwords, to bringing together the people in physical and IT security, who up until now have not seemed to notice all that they have in common.

Ask any expert to define convergence, and you will get a couple of answers. You may have heard some of them before. But you will often find a new one that makes sense.

Laurie Aaron, director of strategic sales for Lexington, Mass.-based Software House/American Dynamics and the chair of the Open Security Exchange Convergence Council, defines convergence in terms of three goals. “Convergence first means a single credential for physical and logical access,” she says. “Second, it means a single point of provisioning and de-provisioning. Third is the human aspect: Bringing physical and IT security folks together in effective working relationships.”

Hunt's take on the convergence of physical security technology and information technology begins with the requirement that cameras and alarms plug directly into the company network. Second, Hunt sees convergence when access control systems from companies such as Honeywell, Lenel and Software House store user privileges in a directory service such as Active Directory, where both physical and logical systems can read and update them. Hunt agrees on the need for the third kind of convergence, a cooperative working relationship between people on the physical security side and the IT side.

Thompson lists three definitions of convergence: running physical security technology over network wires; a common credential for door and logical access; and integrated logical and physical applications, such as tying physical and logical ID systems to the HR system. “When I discuss convergence with customers, I always start out by asking which of these ideas they are talking about,” he says. “It might be one or two or all three.”

“New areas of convergence will continue to evolve,” Heimann adds. “For example, we now record digital information about who accessed what physical facility and when. We also have audit records in our computers. Someday it may be important to correlate that information. Then there are the new video applications that are getting smart enough to figure out the name of the person in a video image and to correlate that information with audit records.”
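The correlation Heimann anticipates, door records lined up against computer audit records, as an added example in Python. This is not Oracle's or any vendor's code; the two log excerpts, the host-to-building inventory and the site, host and user names are constructed for illustration. The check builds presence intervals from badge-in and badge-out events, then flags a console logon on a machine in a building the account holder had not badged into at that moment, a pattern that points to a shared or stolen password or to someone who got in without badging.

```python
"""Correlating physical badge records with logical logon records.

Added example for this article, not Oracle's or any vendor's code. The two
log excerpts, the host-to-site inventory and the site, host and user names
are constructed for illustration; real exports will need their own parsers.
"""
from datetime import datetime

TS = "%Y-%m-%dT%H:%M:%S"

# Constructed badge-reader export: timestamp, site, card holder, direction.
BADGE_LOG = """\
2006-04-03T08:02:11 boston alice IN
2006-04-03T08:15:40 boston bob IN
2006-04-03T12:30:05 boston alice OUT
2006-04-03T17:01:00 boston bob OUT
"""

# Constructed host authentication log: timestamp, host, event, user, logon kind.
AUTH_LOG = """\
2006-04-03T08:05:12 bos-ws-014 LOGON alice console
2006-04-03T09:00:00 bos-ws-022 LOGON bob console
2006-04-03T13:10:44 bos-ws-014 LOGON alice console
2006-04-03T14:00:00 vpn-gw LOGON alice remote
2006-04-03T22:45:09 bos-db-01 LOGON carol console
"""

# Asset inventory (constructed): which building each host physically sits in.
HOST_SITE = {"bos-ws-014": "boston", "bos-ws-022": "boston", "bos-db-01": "boston"}


def parse_badge(text):
    """Build presence intervals: {(site, user): [(badge_in, badge_out or None)]}.
    An OUT with no matching IN is dropped: the person got in without badging
    (tailgating), which is its own finding but not what this check is for."""
    presence, inside = {}, {}
    for line in text.splitlines():
        ts, site, user, direction = line.split()
        t, key = datetime.strptime(ts, TS), (site, user)
        if direction == "IN":
            inside[key] = t
        elif direction == "OUT" and key in inside:
            presence.setdefault(key, []).append((inside.pop(key), t))
    for key, t in inside.items():            # still inside at end of export
        presence.setdefault(key, []).append((t, None))
    return presence


def parse_auth(text):
    for line in text.splitlines():
        ts, host, event, user, kind = line.split()
        yield datetime.strptime(ts, TS), host, event, user, kind


def was_present(presence, site, user, t):
    return any(start <= t and (end is None or t <= end)
               for start, end in presence.get((site, user), []))


def find_anomalies(badge_text, auth_text):
    """Flag console logons on a host in a building the account holder had not
    badged into at that moment. Remote logons are skipped: nobody expects the
    person to be on site for those."""
    presence = parse_badge(badge_text)
    alerts = []
    for t, host, event, user, kind in parse_auth(auth_text):
        if event != "LOGON" or kind != "console":
            continue
        site = HOST_SITE.get(host)
        if site is None or was_present(presence, site, user, t):
            continue
        alerts.append((t.strftime(TS), host, user,
                       f"console logon at {site} with no badge-in on record"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(BADGE_LOG, AUTH_LOG):
        print(*alert)
```

On the constructed data this flags two events: alice's 13:10 logon at her Boston workstation after she badged out at 12:30, and carol's late-night logon on a Boston database host when carol never badged in at all. Bob's logon falls inside his badge-in/badge-out window and alice's VPN logon is remote, so neither is reported. The check depends on the asset inventory being right about where each host lives, which is the same kind of local-naming problem the next section describes for doors.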

In short, convergence is not a product that comes out of a box ready to plug in, turn on, and start converging. Convergence is a thousand and one steps, some of which make sense in one corporate setting but not another.

The trick lies in being able to converge the two systems quickly and efficiently once a need has been identified.

Convergence on demand

Think how difficult convergence must be for a company like Procter and Gamble (P&G), which manages 500 different business locations around the world. Each uses one of 35 different access control systems. Not only that, each access control system uses naming conventions created locally. For example, the security people in Boston call their front door the perimeter door. So when a command having to do with the perimeter door arrives, the system knows to lock or unlock the front door. In London, however, the security department has labeled its front door the front door. In San Francisco, the front door is referred to as Zone 1, and so on, 500 times throughout the corporation.

To be worth anything to them, convergence must include a procedure to provision an employee's identification card to allow or disallow access to all the doors and all the computers and networks throughout the 500-location network of installations.

Quantum Secure makes a software application called SAFE, which is designed to automate convergence for the physical security side of a company. SAFE, for example, will automatically provision an individual's ID card when he or she is hired. When an individual earns a promotion, a SAFE software agent notices the change made to the human resources (HR) files and the SAFE system automatically provisions the person to use the doors and networks available to someone in the new position while removing the permissions governing the old position.

“Should this person be terminated, our system will see that in the HR files and immediately terminate the individual's card so that he or she would not be able to get into any company buildings or computer networks,” Jain says. “Quantum Secure agents are always listening (to the HR system) for changes like new hires, transfers, changes in roles, changes in names and terminations. The moment we find a change, the application brings up that record, checks with the policy engine and takes appropriate action.”

Quantum Secure programmers have built a single drag-and-drop system that lets physical and logical security personnel translate policies from paper or memory into an automated business process, initiated by something as simple as the creation of a new record in the corporate HR system.
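The hire, promote-and-transfer, terminate cycle just described, as an added example in Python. It is not Quantum Secure's SAFE product or any vendor's code; the roles, sites, door labels and application names are constructed for illustration. The per-site alias table is one way to handle the Boston, London and San Francisco door-naming problem from the previous section: policy is written against canonical door names, and each site's table translates them into whatever its local access control system calls the door. Actions are computed as a diff between the access a person should hold under the new HR record and the access they hold now, so a transfer revokes the old site's doors and the old role's applications in the same pass that grants the new ones, and a termination also deactivates the card itself.

```python
"""Joiner/mover/leaver provisioning driven by HR record changes, spanning
physical doors and logical applications.

Added example for this article; it is not Quantum Secure's SAFE product or
any vendor's code. Roles, sites, door labels and application names are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Role -> entitlements. Doors are named canonically here; each site maps the
# canonical name onto whatever its local access-control system calls it.
POLICY = {
    "analyst":  {"doors": {"perimeter"},
                 "apps": {"email", "ledger-ro"}},
    "dc-admin": {"doors": {"perimeter", "datacenter"},
                 "apps": {"email", "ledger-rw", "vpn"}},
}

# The "perimeter door" / "front door" / "Zone 1" problem, one table per site.
SITE_ALIASES = {
    "boston": {"perimeter": "perimeter door", "datacenter": "DC-A"},
    "london": {"perimeter": "front door",     "datacenter": "Server Room"},
    "sf":     {"perimeter": "Zone 1",         "datacenter": "Zone 7"},
}


@dataclass
class HrRecord:
    """One HR record as the listening agent sees it after a change.
    role=None means the person has been terminated."""
    employee_id: str
    role: Optional[str]
    site: Optional[str]


@dataclass
class AccessState:
    """What the door controllers and the identity store currently hold."""
    doors: dict = field(default_factory=dict)         # id -> {(site, local label)}
    apps: dict = field(default_factory=dict)          # id -> {app}
    badge_active: dict = field(default_factory=dict)  # id -> bool


def desired_state(rec):
    """Translate an HR record into the doors (as local labels) and apps the
    person should hold. A terminated person should hold nothing."""
    if rec.role is None:
        return set(), set()
    ent = POLICY[rec.role]
    aliases = SITE_ALIASES[rec.site]
    return {(rec.site, aliases[d]) for d in ent["doors"]}, set(ent["apps"])


def plan_actions(rec, state):
    """Diff desired against current access and emit the commands a policy
    engine would send to the door controllers and the identity store.
    Within each system, revocations are emitted before grants."""
    want_doors, want_apps = desired_state(rec)
    have_doors = state.doors.get(rec.employee_id, set())
    have_apps = state.apps.get(rec.employee_id, set())
    actions = []
    for site, door in sorted(have_doors - want_doors):
        actions.append(("door", "revoke", site, door))
    for site, door in sorted(want_doors - have_doors):
        actions.append(("door", "grant", site, door))
    for app in sorted(have_apps - want_apps):
        actions.append(("app", "revoke", app))
    for app in sorted(want_apps - have_apps):
        actions.append(("app", "grant", app))
    # A termination also kills the credential itself, so a card that is kept,
    # copied or handed on (the bank break-in above) opens nothing.
    active = state.badge_active.get(rec.employee_id, False)
    if rec.role is None and active:
        actions.append(("badge", "deactivate"))
    elif rec.role is not None and not active:
        actions.append(("badge", "activate"))
    return actions


def apply_change(rec, state):
    """Plan the actions for one HR change, then record the resulting state."""
    actions = plan_actions(rec, state)
    want_doors, want_apps = desired_state(rec)
    state.doors[rec.employee_id] = want_doors
    state.apps[rec.employee_id] = want_apps
    state.badge_active[rec.employee_id] = rec.role is not None
    return actions


def run_lifecycle():
    """Hire in Boston, promote and transfer to London, then terminate."""
    state = AccessState()
    return {
        "hire": apply_change(HrRecord("e100", "analyst", "boston"), state),
        "move": apply_change(HrRecord("e100", "dc-admin", "london"), state),
        "leave": apply_change(HrRecord("e100", None, None), state),
    }, state


if __name__ == "__main__":
    plan, _ = run_lifecycle()
    for event, actions in plan.items():
        print(event, *actions, sep="\n  ")
```

Running it shows the move step revoking Boston's "perimeter door" and the read-only ledger application while granting London's "front door" and "Server Room" plus the read-write ledger and VPN, and the leave step stripping every door and application before deactivating the badge. Anything the HR system does not model (contractors, cleaning crews on a vendor's payroll) never generates a change event, which is exactly the gap the bank break-in exploited; those populations need a record in the feed too.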

Cardholder identity, role and clearance management compose one of four business process areas that Quantum Secure automates. The other three cover global incidents and risk management, regulatory compliance and event management.

Global incidents and risk management: Suppose a fire erupts in a computer room. An alarm goes off in the physical security center. The sprinkler system goes off, guards hustle over to the room with fire extinguishers, the fire department receives a call, but no one bothers to inform the IT department. “IT is always the last to know,” Jain says. “Our system will send an alarm to IT.”

Regulatory compliance: The Sarbanes-Oxley Act of 2002 and other legislation of recent years have spawned regulations that demand strict physical protection of financial records stored electronically. Quantum Secure helps by auditing the activities of anyone entering the data centers or data warehouses where confidential company information is stored, whether through the door or through the network.

Event management: A large company's physical infrastructure might generate hundreds of thousands of events every month: Someone forces a door, a manager phones security from a computer room or a hurricane warning comes in from the National Weather Service.

PricewaterhouseCoopers, for example, has set Quantum Secure to execute a policy designed to protect employees during hurricanes. Under the policy, if the Federal Emergency Management Agency (FEMA) issues a Category 4 hurricane warning, Quantum Secure will check the access control systems at all affected locations to determine who and how many people are in the firm's offices. The system will email everyone alerting them that a Category 4 hurricane warning has been issued. It will contact every affected employee through email or short messaging service (SMS) and arrange a conference call about emergency procedures.

How much convergence will cost

Convergence tools will carry price tags related to the value of the services they supply, but the overall cost may be relatively low.

According to Jain, Symantec Corp. has begun to implement Quantum Secure. “Symantec will save $2 million a year with this system,” he says. “The savings comes from automating the entire provisioning process, the regulatory and compliance processes and responses to events and incidents where they would not have to deploy guards.”

One of Jain's clients calculated that every time an employee gets a new card or a card privilege changes, it costs the company an average of $1.07 in labor. By automating the process, the company saves those labor charges. As a rule of thumb, Jain now figures that companies with 2,000 employees will save $500,000 per year, and companies with 20,000 employees will save $5 million.

The real cost of convergence, it seems, comes with ignoring it.



© 2008 Penton Media Inc.