To achieve this holistic view of enterprise security, physical and logical security systems and business their units need to converge and work together. At the end of the day security is security. It may be much easier to convince an unknowing employee who works in the payment processing division that you have forgotten your badge and gain physical access to a sensitive area than it would be to write a complex buffer overflow, traversing the many layers of network security and go undetected.
In a converged world, security teams would be able to correlate and investigate across all systems using an information management platform for collecting the alerts from all of the systems, whether it’s a physical, door sensor, glass break or intrusion detection event. Most organizations these days have a system in place to consolidate information like this, known as a security information and event management (SIEM). Since most organizations have technologies like this in place, will more convergence take place?
According to Colby DeRodeff, a co-author of Physical and Logical Security Convergence: Powered by Enterprise Security Management, corporate security managers must understand and implement converged security or get left behind.
So where do you begin? DeRodeff says that he has seen some very unique deployments where video analytic sensor alerts, door access alerts and logical logins to computers in secure locations are being correlated to provide analysts a complete picture of the identity that is actually accessing information assets. One of the more common use cases that organizations tend to implement first, he says, is tailgating detection or physical plus virtual private network (VPN) access violations. In the latter case, physical plus VPN access violations, VPN logins are correlated with building access records to determine if a user’s VPN account has become compromised or if the user may have left a VPN connection open while physically in the building. Tailgating detection is done by correlating physical access records with logical logins to a user’s work station. For example, if there is never a building access record and there is a local logon to a work station that resides in the building, he says, then it’s quite likely that the user followed another user into the building.
“There are some unique challenges that organizations will face when looking to correlate and converge their physical and logical security systems and teams. The first and probably the most difficult is not even a technology issue, it’s an organizational concern,” he says. “The two teams have historically been disparate with poor communications between the two. In some cases the teams don’t know one another and it’s quite common for the physical security team to be outsourced. The suggestion is not being made that an organizational overhaul has to occur but there needs to be an executive level sponsor who ensures that there is communication between the teams and that information is shared freely.”
Once the people and process challenges are addressed, he says, the technical challenges are fairly easily overcome. For example, he says, some physical security systems are not IP-based and are using legacy protocols for communication between components, such as the communication between a door sensor and the control system using serial connections. In these cases logging “events” are often a byproduct. The need was never established for real-time alerting when a door is opened. Many card readers will actually hold a buffer of access events on the local sensor and when that buffer is full transmit all of the access records in that buffer. “This is of course the extreme case and most companies are moving or have moved to fully IP-based solutions but many buildings are still equipped with outdated gear,” he says.
The second challenge is the vast number of physical security devices that exist that one may want to collect data from and often the formats of the output can be complex. “In this case it’s important to have a very flexible collection process or to integrate with solutions that are already collecting and consolidating this information,” he notes. There is a definite rise in Physical Security Information Management (PSIM), he says. An interesting use case in this area is that when a violation, for example, a brute force logon to a local system in a data center, is seen through correlation, the PSIM triggers a camera to snapshot or record at the location of the physical system.
The final challenge that arises is how to correlate across the disparate information sources. If the use case is to correlate physical access records with VPN logins, there is a challenge in that the systems identify the user completely differently, he says. The VPN will have an ID like a user name or an email address and when the access logs are written they contain that user name. When a user enters a building using a physical access system the event that is written to the log identifies the user by a numeric badge ID. Without a technology, there is no way to systematically compare these records.
“While technical and organizational challenges exist, there are not enough compelling reasons not to integrate the two organizations at least from an information sharing standpoint,” he says. “We are just at the beginning of this road.” As we look forward we are going to face more threats from individuals and groups who have figured out how to exploit weaknesses in our current methods and approaches to security, he contends.
Enabling StrategiesWhen effectively bringing together cyber and physical capabilities, identity management can enable an organization to establish a unique corresponding credential for each authorized user, and then use that credential to control access to both physical and logical assets, say two security professionals.
“I think it is very important to merge cyber and physical security programs together,” James D. Keyes, manager of security operations for North America for Alcatel-Lucent, tells Security. “This is a concept that I believe is recognized by most security professionals in the industry. The notion of merging the two programs makes sense but is easier said than done. There are still many organizations out there where cybersecurity is a totally separate entity from the physical security side and thus don’t even communicate let alone merge concepts and policies. That would be the starting point, to be on the same page with policies such as access control would be a catalyst for merged programs.”
Keyes says that Alcatel-Lucent has gone through some transitions over the past few years in terms of reorganizations within the security group. At one point all of the security groups were under one hat, which he says made it easier to work with the cyber security side of the house. “In the past we were looking at a smart card that would incorporate remote access credentials for network connectivity. It never came to fruition because we reorganized again and the project was never approved,” he says. “We have worked to physically secure data centers to prevent any unauthorized access to the hardware, but beyond that process very little in the way of merged programs.”
Ultimately, he says there are no plans for merging the two organizations, although it has become essential to work together in terms of coordinating polices and procedures. “More Government entities audit both cyber and physical security programs to be compliant with their recommended protection criteria,” he says. “It’s only a matter of time where it will be necessary to merge the programs.”
For Tony Castorino, director of physical security for Technicolor Inc., the convergence of both physical and logical security is essential to the industry for a complete package of protection of our facilities and personnel. “More and more can be accomplished with digital tools, which interact with conventional physical security devices such as using IP cameras for security video over a secure network layer, as well as using IP prox control boards for access control,” he says.
On all of Technicolor’s new projects and build outs, Castorino says there is a set policy that IP cameras are used instead of analog, with a video server on the internal network. “IT has committed to supply a secure layer for all of security devices within the core network,” he says.
In the future, he says there is a plan in place to gradually replace all existing analog camera systems with a hybrid system, which will allow Castorino and his staff to keep costs down while moving toward a new platform. “As older analog cameras fail, they will be replace with newer IP cameras, as well as some megapixel cameras which the newer hybrid systems will allow us to utilize,” he says. “Eventually all analog camera systems will be removed and replaced with a digital network solution. We also have a plan to migrate all Prox systems to the newer IP controllers which will also be on our secure layer within the network.”
Compliance and IdentityIn one example of physical and cyber ID management converging, Molina Healthcare is using software in more than 100 training, development and testing environments to identify and mask the personal health information of Molina Healthcare’s members and providers, protecting sensitive data and enabling the managed care organization to meet HIPAA compliance requirements.
Molina Healthcare is a multi-state managed care organization that arranges for the delivery of healthcare services to persons eligible for Medicaid, Medicare and other government-sponsored programs for low-income families and individuals. Altogether, Molina Healthcare’s licensed health plan subsidiaries in California, Florida, Michigan, Missouri, New Mexico, Ohio, Texas, Utah and Washington currently serve approximately 1.3 million members.
Prior to using the software from dataguise, Molina Healthcare was relying on an internally developed solution, which was unreliable, difficult to maintain and required frequent adjustments. Molina Healthcare has now mitigated the risk of exposure and access to its sensitive data while reducing the overhead needed for dedicated resources to manage and maintain the integrity of its database environments by 300 percent.
“As a healthcare organization that supports government programs, we are constantly receiving and storing highly sensitive data; a data breach would not only have a negative impact on customer satisfaction, but would also jeopardize our fulfilling HIPAA compliance standards,” says Nitin Gotmare, director of IT for Molina Healthcare. “This technology desensitizes information so that a breach is not possible. With it in place, we can provide our customers and members with peace of mind that their personal health information is safe and secure.”
Implementing an identification management program at your company is a mixed blessing. It will almost certainly increase the security of your facilities, staff and intellectual property. But there may be some false starts, office diplomacy and maybe some arm twisting before ID management yields a return on investment.
How to Converge and Merge in a Corporate EnvironmentImplementing an identification management program at your company is a mixed blessing. It will almost certainly increase the security of your facilities, staff and intellectual property. But there will likely be some false starts, office diplomacy and maybe some arm twisting before ID management yields a return on investment. Here’s how to make the process smoother.
1. Do your homework, as too much information will be your problem. Do basic homework on access control and smart cards and form your own definitions and common terms so as not to get tripped up in terminology.
2. Ask questions. Find out if there was an incident or other catalyst that raised ID management to the C-level. Communicate with leadership until you can create tangible metrics of success. “Tightening up IT security” or “better employee safety” are not specific enough to spend the company’s blood and treasure.
3. Climb through the corporate silos. Odds are that someone else in your company is thinking about/struggling with ID management. You can find allies to join the fight and possibly multiple budgets to be shared.
4. Part Science, Part Art. It may all look good on paper or in the potential vendor’s PowerPoint, but implementation will involve some trial and error. Fail small and fast first. If possible, first deploy the program at a single work site or location that would have minimal business impact.
5. Seek a consensus and grow the program. Perhaps PCI compliance required a ID management system for a subset of your employees. After implementation, look to expand ID management across the enterprise with only incremental costs and easier corporate acceptance.
6. Great is the enemy of good. Two factor biometric authentication thru mantrap turnstiles with RSA-style tokens linked to RFID tracked badges look great in the movies. Resist the shiny technologies, and confine your implementation to practical business requirements.
7. Cook the books on the ROI. When the cost of ID management is within one cost center it can look prohibitively expensive. Itemize the benefits, tangible and intangibles, across the enterprise. An ID management system that provides visibility into time and motion of employees on a manufacturing floor can yield real productivity results. Better physical access controls linked to video surveillance can possibly eliminate several manned security positions.
Information provided by W. Michael Susong of iSIGHT Partners