The lack of technical integration between physical and IT security systems has resulted in gaps for virtually all companies, often leaving them vulnerable to attacks. Efforts to converge the two areas have been accelerating as organizations try to protect their people and their capital assets.
Spearheading that thrust, a group of companies organized a new forum to develop specifications for security management and interoperability. Eric Maurice, executive director of the Open Security Exchange (OSE), says it wants to bring together the people that know the technology, have them agree on a scope and a technical document, and work in the OSE to create a universally acceptable document. Maurice says the OSE is for non-proprietary integration that puts everyone on an equal footing when it comes to integrating products.
"There are very few standards in security management," he states. "As a result, security tools like firewalls and provisioning systems have not been designed to work together. Today's security environment is really a patchwork of individual technologies, and we see that security management becomes a very important function, just as system management became very important ten years ago."
Founding members of the global OSE include Computer Associates, Gemplus, HID Corporation and Tyco Software House.
Steve Cooperman, director of homeland security solutions for Oracle, says that it is not a case of lack of information, but a lack of much-needed integration of the information available, which means bringing security communities together that never speak to one another. He notes there is a list of organizations that fail to communicate even when it might prove beneficial. Law enforcement and intelligence agencies, as well as utilities companies, or public health and pharmaceutical companies are just a few entities that could start talking more about their physical and IT security issues.
"Our premise is no one's going to share data until they secure what they have," says Cooperman. "Before anyone's going to share, we have to lock down and understand who has access and protect that access. Security thus becomes that much more critical."
One university has already strengthened its ability to establish trust relationships on its campus by bringing together IT and physical security mechanisms. Delaware State University (DSU) has security goals that are similar to those of other universities. It seeks to safeguard its 1,800 resident students, 650 faculty members and other employees, and hundreds of commuting students and campus visitors from security threats. At the same time, the university must also protect its information resources, including research data and other data, from cybersecurity breaches.
To do this, DSU uses smartcards to improve control of access to its campus and computers. DSU's CIO Dr. Charles Fletcher says the plastic, creditcard-sized smartcard contains a computer chip and controls access to physical facilities and information systems. The card has five separate technologies in it, including the traditional magnetic strip for a legacy application that acts like an account debit system for meals and the bookstore, and a barcode reader to check out books from the library.
It has two antennae. One is contactless for an e-purse application that the university is working on with the Department of Transportation to provide a "cashless" way to ride trains. The other is a proximity antenna for physical access to residence halls and computer centers. The final technology of the card is a chip that stores the identity and management pieces.
"We expect a decrease in the cost of managing computer IDs and an opportunity for the university to better track who's getting in and out of buildings," says Fletcher.
While the university has relied on physical security policies and solutions like photo-identification badges, automobile ID stickers, motion sensors, and ordinary keys for access to buildings, it plans to expand smartcard access control to all 22 buildings on campus over a two-year period. The ROI for the first year is an impressive 17 percent, but this is expected to increase to 60 percent in three years, as productivity improvements grow with skills development.
In other organizations, software security systems are being supplemented with hardware-based video and remote sensor security systems.
Tom Goldman, CEO at NetBotz, a company that offers such solutions, says in most cases the majority of employees and assets are not in a central place, but are distributed globally. The Walgreens store, for example, must keep track of every cash register, point-of-sale terminal and inventory system while ensuring the ability to process creditcards. As a result of such vast environments, IT professionals have moved over to a side of protection that used to be the domain of a facilities guy with a lot of keys on his belt, explains Goldman.
"The vast majority of our customers are starting to take responsibility for the physical side of the infrastructure, just as they might have for the technical side in the past, because they don't have any alternative," he says. "If the network goes down, it's just too mission critical, too important to the business to leave it in the hands of the guy with 50 keys on his belt."
Offering IP-based physical security solutions that protect customers from physical threats caused by intrusion, error or hostile environmental factors (like water leaks or dangerous gases), NetBotz entered the market about five years ago to try to solve the problems of physical and IT convergence. It has about 2,500 customers, doing business in 30 countries. Its products, which are self-contained, web-accessible appliances, monitor remote sites where a company houses critical assets and spaces and alerts personnel of trouble.
It is not the only player trying to make a connection between physical and IT security mechanisms. Rainbow Technologies approaches the issue by providing very strong protection that secures applications and a user's identity. This is accomplished by providing iKeys, tokens that plug into a standard USB port on a computer. Once the token has been inserted and the user provides a PIN, the systems are authenticated and access granted to a protected website.
Brad Beutlich, Rainbow Technologies director of business development for e-security, says right now the two technologies (physical and IT) are like oil and water. "They are taking a baby step toward integration," he says.
According to Michael Rasmussen, principal analyst at Forrester Research, businesses can be divided into two groups. There is the one with the guns, the guards and executive-protection elements, while the other has a lot of compliance issues to address across jurisdictions worldwide.
"And while there is a little overlap between IT and physical security," he adds, "there is a lot more of an overlap between the elements."
One trend has started to come to fruition, though, and a lot of it is because of regulations coming down the pike, he continues. This is the formation of a chief risk officer position in some of
the more forward-thinking companies, under which the functions of physical and information security fall.
"I see the whole trend of the chief risk officer – and the coordinated risk functions that include physical and information security – moving to a lot of other critical infrastructures over the next five years," he explains.
And the reason, according to Rasmussen, is a simple one – we are all facing ever-greater demands to protect our privacy, defend against identity theft, comply with regulations, and address homeland security issues.
The time of the chief risk officer has arrived.
One of the first products to make the bridge between physical and IT security comes from Computer Associates (CA) in its eTrust 20/20 system.
It monitors and analyzes employees' actions on physical and digital levels, while intelligently analyzing patterns to determine any potentially harmful behavior within the enterprise.
The software integrates data from IT sources, such as email or web access, as well as physical access facilities and security checkpoints, which it then combines and logs into a security events repository.
According to Sam Curry, CA vice-president of product management for security products, 20/20 collects and correlates security-related data and then analyzes and displays it in an intuitive interface, highlighting any suspicious behavior. "You then take all the events and data and put them into one big bucket," says Curry.
The software features both realtime and playback graphical interfaces, along with visuals that can display a company's building design and security checkpoint layout. It automatically analyzes and flags suspicious behavior, such as a sudden change of user activity or an attempt to access unauthorized resources, adds Curry. The software then applies business intelligence inference analysis against the eTrust 20/20 security events repository to determine whether a user's behavior is normal or suspicious, even if a security violation has not taken place.
"If it's normal for an employee to come in at 9 a.m. and leave at 6 p.m.," he explains, "if that person comes in at 3 a.m., there would be a score associated with that."
According to Curry, once the program is up and running, what typically takes between six and eight months would now take between ten minutes and an hour to achieve.
CA has collaborated with Pinkerton Consulting and Investigations Inc. to create some of the security policies and reports included in eTrust 20/20.