Security Intelligence Rises To A New Level

Jun 1, 2007 12:00 PM, By MICHAEL FICKES



Compared with today's expanded capabilities, “security in corporate America has been a farce,” says James D. Connor, a principal with N2N Secure, San Jose, Calif., a security technology integrator that deals with emerging networked technologies. “Think of an access control system, for instance. The vendor may claim that it stops piggybacking, but people piggyback all the time. That's not effective access control.”

Connor also points to all of the surveillance video that security cameras have produced over the years that shows security breaches never seen in real time. Most video is used for investigative purposes after the fact. Video has rarely if ever been used to prevent security problems.

“Today, we have new tools that are enabling us to start providing real security,” Connor says.

He refers to high-level security management systems that can integrate the proprietary security technology — access control, video surveillance, ID management, etc. — provided by two, three, four or even dozens of companies. These automated systems can accomplish much more than individual technologies operating alone.

Technology stops retail theft

Visual Defence Inc., Richmond Hill, Ont., recently cracked a fraud ring working the return desks of a large national retailer. The chain's security director approached the company and asked if there were a technology that could monitor the return desks and identify fraudulent return transactions in all of the chain's hundreds of stores.

The retail chain's security director had received reports of return clerks logging returns and giving credit when no merchandise was actually returned to the store. He wanted to know if it was possible — and economical — to verify the reports and catch those responsible.

It was no problem, according to Michael Godfrey, chief technology officer with Visual Defence. The stores were already using digital video systems to monitor security issues. A Visual Defence integration team trained a camera on the return desk in each store. A digital video recording unit saved the video, and a video analysis system reviewed the video images to find anything untoward. Visual Defence also tied into the point-of-sale system and recorded the transaction numbers of questionable returns. They added a motion sensor to the customer's side of the return desk.

The point-of-sale system signaled the video system whenever a return transaction began. The camera system began recording, and the video analytics system checked to make sure that a person was present on the customer side of the return desk. To prevent false alarms, a motion detector aimed at the customer's space also sounded if something came into its field-of-view.

Data from these systems flowed into a server configured by Visual Defence using its 3C Command, Control and Converge software application. A “dashboard screen” reported 3C's findings — but only when a possible fraudulent transaction occurred.

“If a return was recorded with no customer present, the system would alarm in the security center at the home office,” Godfrey says. “Officers could review the event right away or tag it and review it later. Instead of reviewing thousands of return transactions from all of the chain's stores every day, security only had to look through 70 to 80 transactions per day.”

The retailer told Godfrey that the system paid for itself after six months and has virtually eliminated fraudulent returns.

Technology is listening

What has made all of this possible is a new “plain English” language that has entered the software world. Called Extensible Markup Language or XML, it was designed to share data between and among disparate systems. Whereas once only a few software engineers understood XML's capabilities, today it is showing what it can do.

For example, many brands of access control systems communicate with proprietary signals that can only be understood by like technology. Video systems are similar. Cameras and other devices in video systems such as pan-tilt-zoom (PTZ) controls only understand signals from devices within their own systems.

However, tying these systems together enables users to automate the response of multiple disparate systems to signals from other systems.

XML can tie it all together. Small XML programs — call them agents — translate proprietary access control signals into the universal language of XML.

Agents also listen for certain kinds of information. Suppose that an agent is set to listen to the stream of data pouring through an access control system and to take certain actions when pieces of data indicate that one of the system's door alarms has gone off.

The action might be to tell the video system to pan a nearby camera to the alarmed door, to begin recording on the digital video recorder system, to display the video on an alarm monitor in the security center and to e-mail an alarm to a handheld device carried by a patrolling guard.

Today, XML agents can tie together access control systems, video and video analytics systems, ID management systems and much more on a massive, worldwide scale.

“Suppose a multi-national company with 100 locations worldwide had 50 different technologies dealing with access control,” says Ajay Jain, chief executive officer of Quantum Secure Inc., a San Jose-based company that makes a product called SAFE that integrates disparate technologies. “Today, you can write rules once to cover all of the doors in all of those locations, click a button, and activate the rules at all of those doors around the world in about 10 minutes.”

ID management automation

XML can automate the labor-intensive job of ID management for corporations.

Most corporations manage IDs manually. A newly hired marketing manager makes his or her way over to the security department, has a picture taken and receives an access control card. A few days later, a security officer sets up permissions for the card so the individual can get through doors authorized for someone at the marketing manager level.

Meanwhile, the new employee visits the IT department and gets provisioned for access to the company network. Maybe a dozen people participate in the process, which takes the new employee hours to complete.

Using XML, Quantum Secure's SAFE automates all of this work. “We have agents that listen to ERP systems and track changes in LDAP,” Jain says.

ERP stands for Enterprise Resource Management and refers to systems such as PeopleSoft and SAP. Among other things, ERP systems manage personnel files, which are held secure from all unauthorized people. Still, many departments within a corporation need access to some information from these files. So ERP systems publish a “stripped-down” personnel list that includes no confidential information. The list appears in a database called the Lightweight Directory Administrative Protocol or LDAP.

ERP systems publish new LDAP lists as often as a couple times a day, depending upon how important corporate departments deem updated information on new hires and terminations. In a large company with turnover every day, security departments need regular information on new hires and terminations.

“Our SAFE system has agents that listen for LDAP changes,” Jain says. “When the agent sees a new hire, it checks the person's title against a policy engine, which sets the access control system to open certain doors across the company when the card is presented. It is all automatic, and there is no need for the individual to check his or her card with anyone to be provisioned.”

Likewise, when the SAFE agent responsible for LDAP notices that an individual has been terminated, the individual's card is automatically deactivated.
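
The provisioning flow described above can be sketched as a reconciliation between two published directory snapshots. This is an added example, not Quantum Secure's code: the policy table, titles, door groups and employee IDs are constructed, and it also covers a title change, which the article does not describe.

```python
from dataclasses import dataclass

# Hypothetical policy engine table: job title -> door groups.
# A title that is not listed maps to no doors (default deny).
POLICY = {
    "Marketing Manager": {"lobby", "marketing-floor"},
    "Data Center Technician": {"lobby", "datacenter"},
}

@dataclass(frozen=True)
class Action:
    kind: str                      # "grant", "revoke" or "deactivate"
    employee_id: str
    doors: frozenset = frozenset()

def doors_for(title):
    """Look up the door groups a title is entitled to."""
    return frozenset(POLICY.get(title, ()))

def reconcile(previous, current):
    """Diff two snapshots ({employee_id: title}) into access control actions."""
    actions = []
    # Anyone missing from the new list is treated as terminated.
    for emp in sorted(previous.keys() - current.keys()):
        actions.append(Action("deactivate", emp))
    for emp in sorted(current):
        new = doors_for(current[emp])
        old = doors_for(previous[emp]) if emp in previous else frozenset()
        if new - old:
            actions.append(Action("grant", emp, new - old))
        if old - new:
            # A title change must remove the old doors, not only add new ones.
            actions.append(Action("revoke", emp, old - new))
    return actions

# Constructed sample snapshots of the published personnel list.
MORNING = {"e100": "Marketing Manager", "e101": "Data Center Technician"}
EVENING = {"e100": "Data Center Technician", "e102": "Marketing Manager",
           "e103": "Contractor"}

if __name__ == "__main__":
    for a in reconcile(MORNING, EVENING):
        print(a.kind, a.employee_id, sorted(a.doors))
```

Because the list is republished only a few times a day, a terminated employee's card stays active until the next snapshot is reconciled.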

Managing ID changes

Baxter Healthcare Corp., Cherry Hill, N.J., uses SAFE to automate ID management of new hires and terminations. According to Derrick Wright, CPP, the company's security manager, automating the ID management process for new and terminated people has provided an attractive return on investment.

“But the real value is in our factory environment, where credentials change all the time,” Wright says.

Individuals working on the Baxter factory floor frequently need temporary or permanent access to additional areas. Before SAFE, the process for changing permissions was long and frustrating. An individual had to visit the security center and ask for an access status change order form. He or she would get signatures from supervisors in the areas where access was desired. After returning the form to the security center, a security supervisor would have to review the transaction and approve it. Finally, an officer would program the badge for access. It sometimes took days.

Now Wright uses a SAFE Security Self Service Management Web site. An individual simply logs onto the site, clicks to the access status change section, and makes the request. The system solicits approvals from the supervisors and informs other interested parties by e-mail. If everything checks out, the system changes the provisions automatically.

“This is huge in terms of return on investment,” Wright says. “It is also convenient for employees who don't have to leave their desk. For those working on the plant floor, we have set up a kiosk.”

Connor used SAFE to eliminate what he calls “lockout time” in his last staff position before starting N2N. He was director of security with Symantec Corp., the security software maker based in Cupertino, Calif. “There is a huge indirect cost of labor when people are left standing around, locked-out and unable to get into the areas they need to access,” he says. “If security hasn't verified that you're an employee with access, then you have to wait. With approximately 25,000 employees, we estimated that Symantec lost $337,000 per year in locked-out labor.”

Regulatory compliance

Connor also automated compliance duties while working for Symantec.

For example, under the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act of 2002 (SOX), public companies must protect financial data.

“At Symantec, we had multiple data centers that had to be controlled under SOX,” Connor says. “And we had different groups of people that were given access and later perhaps denied access. We also had to create multiple reports showing that we were managing access properly.”

“When there was a problem — and there are always problems due to poor training or just human error — management had to meet to develop a remediation strategy.”

All of these tasks proved time-consuming for everyone involved. Using SAFE, Connor managed to automate the entire process so that no one has to lose time over it anymore.

SAFE XML agents pulled names from Symantec's PeopleSoft LDAP and distributed the names to the access control system, granting access to authorized people. When someone was terminated, the agents saw the change in LDAP and removed access privileges. The application also consolidated the SOX data into reports.

Connor estimates that automating SOX management saved the security department 4,000 officer hours per year, along with many more hours of the managers that had to meet and develop remediation strategies. “With the SAFE deployment, there is no more need for manual intervention in SOX management,” he says. “Everything is automated, and we don't have to worry about it anymore.”

All-knowing technology

XML agents can manipulate data from any and all systems that produce digital data, making it possible for security directors to automate security as well as other tasks and produce tremendous returns on investment.

SAFE, for example, can fix the problem that access control systems have in determining whether or not a tailgating incident occurred. SAFE will hear a card swipe, a door unlocking and a door locking again after a longer period of time than usual. It can ask a camera to check the video. If two people have passed through the door on one card-swipe, the system will report a verified tailgating incident. “The XML agents are smart enough to correlate this kind of information,” Jain says.
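
The tailgating correlation described above, written out as detection logic over an XML event stream. This is an added example, not SAFE's implementation: the event schema, the 6-second baseline and the people_count stand-in for the video analytics query are all assumptions, and the events are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample events in a hypothetical agent schema.
EVENTS_XML = """<events>
  <event type="swipe" door="D1" card="C-17" time="2007-06-01T09:00:00"/>
  <event type="unlock" door="D1" time="2007-06-01T09:00:01"/>
  <event type="lock" door="D1" time="2007-06-01T09:00:05"/>
  <event type="swipe" door="D1" card="C-42" time="2007-06-01T09:10:00"/>
  <event type="unlock" door="D1" time="2007-06-01T09:10:01"/>
  <event type="lock" door="D1" time="2007-06-01T09:10:14"/>
  <event type="swipe" door="D2" card="C-08" time="2007-06-01T09:20:00"/>
  <event type="unlock" door="D2" time="2007-06-01T09:20:01"/>
  <event type="lock" door="D2" time="2007-06-01T09:20:16"/>
</events>"""

USUAL_OPEN_SECONDS = 6  # assumed baseline for one person passing through

def people_count(door, start, end):
    """Stand-in for asking video analytics how many people passed (hypothetical)."""
    counts = {("D1", "09:10:01"): 2, ("D2", "09:20:01"): 1}
    return counts.get((door, start.strftime("%H:%M:%S")), 1)

def find_tailgating(xml_text, count_people=people_count):
    """Return (door, card, seconds_open) for each video-verified incident."""
    swipes, unlocks, incidents = {}, {}, []
    for ev in ET.fromstring(xml_text).iter("event"):
        door, kind = ev.get("door"), ev.get("type")
        when = datetime.fromisoformat(ev.get("time"))
        if kind == "swipe":
            swipes[door] = ev.get("card")
        elif kind == "unlock":
            unlocks[door] = when
        elif kind == "lock" and door in unlocks:
            start = unlocks.pop(door)
            card = swipes.pop(door, None)
            held = (when - start).total_seconds()
            # A long open time only raises suspicion; video confirms it.
            if held > USUAL_OPEN_SECONDS and count_people(door, start, when) > 1:
                incidents.append((door, card, int(held)))
    return incidents

if __name__ == "__main__":
    print(find_tailgating(EVENTS_XML))
```

Door D2 is held open for 15 seconds but is not reported, because the video check counts one person. Python's xml.etree.ElementTree is not hardened against maliciously constructed XML, so an integration server should parse events only from authenticated agents.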

Perhaps more important, XML agents are smart enough to integrate more than access control, video, ID management and regulatory compliance systems. The integration can keep on going and include heating, ventilating, air conditioning systems, lighting systems, elevator systems and any and all other building systems using digital data into a universal situational awareness and event management tool.

And no matter who implements the system, both sides will have a powerful new management tool capable of producing a real return-on-investment.

© 2008 Penton Media Inc.