This article can also be found in the Premium Editorial Download "Information Security magazine: Effective strategies for risk management and security information management systems."
Download it now to read this article plus other related content.
RICH GRASSIE is IT's version of a matchmaker. Many times he's united people you'd think on the surface would have no shot at a sustainable relationship. But Grassie knows how to connect disparate entities, especially when he hitches those guards with guns to geeks guarding GUIs.
Converging physical security with IT security inside the enterprise isn't easy, but it's a labor that Grassie, principal consultant with TECHMARK Security Integration of Massachusetts, says is worth the bother, especially for large companies branching out globally with new services. Convergence affords organizations the opportunity to align security with overall business goals, streamline business processes such as provisioning and investigations, and centralize security operations and policies under one office. There are significant barriers to these unions; political and cultural disputes are often the tallest to hurdle, and companies cannot ignore the integration required to get a central view of physical and logical systems.
"We look at it as a holistic approach to managing security across an enterprise. It becomes a formal cooperation between two functions in the organization that previously never worked together," Grassie says. "They operate on their own budgets. They are two kinds of people. Now by integrating a holistic approach to information, logical and physical security, into one function under the CSO, we actually protect the enterprise much better than if we had three
POLITICAL, CULTURAL BARRIERS TO CONVERGENCE
Enterprises have been talking tough for years about transforming their security functions into more of a risk management exercise, yet few on the IT side have thought enough to include their physical security brethren to help make it happen.
"If organizations take a step back from the myopic IT-centric approach and really look at the security of an organization, they'll realize physical and logical security are perhaps equally important," says Brian Contos, chief security strategist with database and application security company, Imperva. "Understanding risk is more inclusive than IT-centric security."
Convergence, ultimately, isn't a grassroots campaign; it has to start from the top-down. That means executive management has to have the forethought to establish a chief security officer or chief risk officer and have that person oversee both operations. The CSO must massage conflicting people, business and technology issues, to ultimately gain an overall vision of risk to the business beyond information security.
"You need a central figure to carry the flag," says Contos, coauthor of Physical and Logical Convergence. "It can't happen from the bottom up simply because there does need to be an investment in new technology to make it work. I've seen grassroots campaigns try to start, but they only have a sliver of an organization covered. When they have a champion, they're able to run out an organization-wide solution quickly."
A CSO can mandate a risk assessment that identifies critical assets, their location and what they contain. He should evaluate whether these assets are protected by the proper IT and physical controls, and then high-value assets, such as critical data centers, are prioritized as the first targets for convergence. The end result should be that risk is lessened around fraud, business continuity, compliance and reputational risk.
"If you don't look at it from just a logical or physical standpoint, but as total asset protection," says Ron Woerner, president of the Nebraska InfraGard chapter and a security professional at a financial services firm, "it helps you better manage risks versus having a segmented view."
While risk assessments and asset classification might naturally be within the purview of the CSO, he also has to be part mediator, part politician. Nothing stands up convergence initiatives more than a culture clash. Not only have these two groups been segmented, but they're often separated by experience, pay scale and interest.
"[Political] battles are huge -- monumental," Grassie says. Grassie recalls a consulting job in on the West coast with a major corporation, sitting with physical and logical security management, and bringing up the notion of the two entities working together because more physical security tools and systems were IP-enabled and creating network bandwidth issues.
"You should have seen the look on their faces; they turned purple," Grassie says. "A lot of physical security guys, especially the older ones, don't want to venture into IT space. They see those IT folks as competing for the same dollars and space in the organization."
Staff on the physical security side of the house usually have a law enforcement background, or are retired military supplementing their pay. The CSO not only has to bring these groups together, but weed out those who are just along for the ride from those who can recognize the benefits of a converged operation.
"Someone told me that going out for a couple of beers did more for the convergence practice than any number of meetings," Contos says. "Once they start talking and sharing best practices about how IT can help physical security and, where physical security guys share information with IT, the use cases and value propositions became very apparent."
Cameras = Computers
IP-ENABLED physical security tools such as video surveillance are easing physical and logical convergence pains, experts and practitioners say.
Analog cameras are slowly being phased out as network cameras are introduced with advanced functionality and logging capabilities, says Ron Woerner, , president of the Nebraska InfraGard chapter and a security professional at a financial services firm.
Woerner said during a presentation at the RSA Conference 2009 that network cameras enable video to be stored locally or remotely, and include video motion detection, audio and digital inputs and outputs and serial ports for data or control-pan-tilt capabilities.
They communicate, Woerner said, either via built-in Web servers or FTP servers.
"Many of technologies in place today on the physical side are really client-server," Woerner says. "Cameras are really getting to be computers; digital cameras have digital analytics. So the IT side realizes this traffic is flowing over network, they prepare for it and realize it can take up some bandwidth. It needs to be protected and segmented on the network."--Michael S. Mimoso
CONVERGENCE USE CASES
The most typical use case right now involves some sort of badge reader integrated with an identity management or directory system such as Active Directory of LDAP. Users swipe an access card at the door and use that same access card to log on to network resources.
But increasingly, video surveillance is entering the picture as analog cameras are replaced with network-aware cameras that allow users to view locations remotely, store video digitally and manage it remotely over an IP network. Some are able to do video motion detection and capture audio as well. Some also include built-in Web and FTP servers, email clients and allow users to program alarms.
Woerner notes that some cameras also feature video analytics capabilities that can do object or people tracking, facial recognition, and much more. He cautions that some companies do run into bandwidth issues transmitting video, but compression technology has improved easing this challenge. This could lead to discussions about whether to store video -- locally or in a central repository -- and whether more storage must be allocated or purchased.
Contos says some industries such as the government and pharmaceuticals and other health care facilities are using badge readers and video extensively. He relays one specific use case from an Asia-Pacific enterprise where a network analyst noticed an anomaly on a critical server -- events such as brute-force logins or unauthorized copying of data to a USB stick would trigger an event. The video analytics system this company had installed not only streams video on demand, but takes snapshots of certain high-value locations, such as a data center, based on a trigger from an analyst. Within seconds, the analyst had an image of a user inside the data center, could correlate that against an access log and determine whether that individual belonged inside the data center. If this were determined to be a malicious and unauthorized user, physical security could be notified.
"Now with the advent of IP-ready physical security systems, it makes the transition easier," Contos says. "It used to be that if you wanted to upgrade physical security systems, you'd wait a couple of decades. With, IT things get upgraded quickly; every 18 months. With wireless and IP-centric solutions, you slap up a couple hundred IP-centric video cameras around your facility and you don't have lay cable or drill through concrete. You can have a pretty robust system, and to boot, you can use system over IP network and bring it all together. The availability and cost with these new technologies are allowing physical security groups to do upgrades on par with how quickly IT does upgrades."
IP-capable cameras and badge readers also ease integration, unlike their predecessors which evolved in a vacuum. Today's video cameras and badge readers not only communicate either wirelessly or on their own segmented VLANs, but they create logs and track events. This enables IT to pull these in centrally, and correlate physical and IT logs via a SIM. And since they're essentially computers, storing information on databases or being accessed often via Web applications, those avenues must be kept secure as well. Organizations especially need to keep the integrity of this data in case it's required in an investigation.
The ability to establish an audit trail is critical, Grassie says.
"For example, in the biotech and biopharma industries, there is a requirement from the Food and Drug Administration (FDA) and Health and Human Services (HHS) to have an audit trail to determine how batches [of drugs] spoiled," he says. "By utilizing converged security, this assists investigations further. There are cameras to monitor pill finish lines at pharmaceuticals. If a problem arises, they go to the database, identify where the lot is contaminated. This saves them a lot of money, rather than throwing the output for a day away."
CONVERGENCE STREAMLINES BUSINESS PROCESSES
Cost savings are a huge business driver for convergence. Enterprises quickly realize the similarities between the two operations and see opportunities to consolidate security processes and policies. For example, security operations can be combined with one team trained to monitor logs and systems, eliminating a duplication of efforts and cross-staffing. Also, information sharing between these disparate groups improves, and a centralized operation no longer competes for budget dollars the same way separate entities would.
"There are certainly some coordination issues: 'Who does what? Who am I supposed to notify?' I wouldn't say it requires more people power, but it does require more process" Contos says. "These are very different groups, with different perspectives on what they are trying to do and trying to protect. So a lot of times, it's really the direct managers each of the groups making sure processes are well coordinated."
Contos says, however, that the process moves a lot smoother than, for example, the convergence of application and data security with network security.
"Once a process is in place and the boundaries are known, IT looks at events on the network and making sure they are keeping these physical systems up and running and operational," Contos says. "The physical security guys are the ones who ultimately respond to incidents. They become the response leg of the IT department when it comes to a physical security event. Once a process is in place, no additional manpower is necessary. It can be taken care of by opening lines of communication."
No business process benefits more from convergence than provisioning, experts say. Being able to combing on-boarding and off-boarding of employee access in one process is invaluable. Insider threats have been well documented; a 2007 Carnegie Mellon University study on insider threats said that critical system disruptions, loss of confidential intellectual property, fraud, reputational risk, and loss of customers, partners and future revenue were attributed to actions by disgruntled insiders. Often, problems arise from an insider retaining his system and/or physical access long after termination of employment.
By converging the assignment of proximity badges for door access, for example with network access control processes, one central entity can be responsible for terminating every avenue of access.
"In a previous life, eight or nine years ago, I had to go out to each group for access," Woerner recalls. "Having a single point of focus for access control not only manages on-boarding and off-boarding, but ensures whether access is appropriate."
"Nothing is more important than terminating access," Grassie adds.
Convergence is within reach of many large enterprises, especially as vendors such as Cisco, General Electric, Symantec, McAfee and Check Point continue to invest in information technology products that support traditional physical security.
Companies with global operations will continue to explore convergence, especially IP-based physical systems that integrate well with open network and application platforms and Web services. Organizations will be able to reduce risk, unify management, and centralize asset protection, provisioning and access control
"Convergence offers the opportunity for an enterprise to develop a comprehensive security strategy that aligns security goals with corporate goals," Grassie says. "If information is king, I think IT folks have a greater opportunity to converge physical and logical security. The less information-dependent a company is, the more the physical security guy can survive."
Michael S. Mimoso is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.
This was first published in June 2009