By Laurie Aaron

PHYSICAL/IT SECURITY CONVERGENCE

Today, virtually all organizations with physical and IT assets protect those assets in a variety of ways.  There are alarm systems to protect facilities and their contents from unlawful entry.  There are firewalls to stop intrusion into corporate networks.  Corporate assets may also be safeguarded by the use of employee ID badges, software application passwords, and a growing number of technologies, from magnetic cards and readers to biometric finger scans.  The scope of security systems spans physical access, logical access, video surveillance and storage, identity management, and more.

While all of these security technologies share a common purpose, those that protect physical assets and those that protect IT assets have virtually nothing else in common.  They have always existed in parallel, evolving separately and residing under the control of separate organizations.  This has resulted in a lack of integration and interoperability between physical and IT security systems.

With today’s heightened security concerns, this lack of integration is no longer simply an inconvenience.  It increases security risks by preventing technologies from working in concert with one another.  It limits corporations’ efforts to establish centralized control of security and develop integrated risk management strategies.  It prevents coordinated responses to security breaches by physical and IT security systems.  With no integration between physical and IT security systems, organizations cannot pursue cost synergies, fully address privacy issues, or ensure compliance with a growing number of government and industry regulations.

The solutions to these problems will come from the convergence of physical and IT security technologies.

WHAT IS CONVERGENCE?

The OSE defines convergence as the migration of physical and IT security towards common objectives, processes and architectures.  This migration includes:

Objectives:                                    

• Cost reduction/ revenue enhancement/ regulatory compliance
• Improve asset/ personnel protection
• Improve operational efficiency of physical/IT security staff

Processes:

• Collaborative planning between physical/IT staff on security strategy
• Identify/ eliminate security gaps
• Best practices and policies for converged security

Architecture:

• Strategic, tactical and operational security modeling
• Interoperability standards and policies for physical and IT systems
• Combined credentials for physical and logical security

Physical/IT security convergence will enable vendor-neutral interoperability among diverse security components to support overall enterprise risk management needs.  As physical and IT security merge, networked computer technology and associated applications will provide enterprises with increased operational efficiencies and intelligent security.

THE BUSINESS CASE FOR CONVERGENCE

Every organization has its own security needs and concerns, as well as its own business goals.  One way to begin identifying and prioritizing your organization’s key convergence goals is to consider common business drivers and their relationship to security convergence.

Risk management is a common theme among security-related business drivers.  Therefore, risk assessment techniques are very useful in identifying and prioritizing an organization’s security agenda.  This enables companies to target scarce resources at the most likely and potentially damaging threats.

The most common business drivers are the following:

Compliance

The requirement for certain mandatory actions and outcomes is common to IT and physical security, and is therefore a candidate for a converged approach.  This driver involves staying abreast of changes in the requirements themselves, communicating the requirements to the organization, detecting and correcting any non-compliance, capturing and organizing an effective audit trail, and periodic reporting to the appropriate authorities.  All of this must be achieved at the minimum possible cost without making a negative impact on compliance performance.

Besides these enterprise-wide compliance needs, certain operations, departments, or divisions within a facility may have their own, more stringent compliance requirements.  An interpretation of a compliance/ regulatory requirement should first consider the group with the highest level of risk mitigation and use that standard as a base line for the remaining groups.  For example, in the financial services industry, it is not unusual for a retail bank to share a facility with a mortgage origination operation and a securities brokerage division.  By addressing the most stringent security requirements among these groups, organizations can ensure better security for all.

Compliance factors include:

• Regulations These are government-promulgated mandates, such as Sarbanes-Oxley, employment and privacy laws, HSPD-12, and the Health Insurance Portability and Accountability Act (HIPAA).
• Policy and Procedure These are the fundamental, internal requirements, typically related to and driven by human resources.
• Workforce Security Awareness It is essential that all members of the workforce understand that security is everyone’s responsibility, not just the responsibility of the security professionals.

Asset/ Personnel Protection

Both physical and IT security systems are designed to protect an organization’s revenue-producing assets -- including people, equipment, products, tools, and information.  Organizations need to understand which assets need to be protected at what level of assurance, then develop and operate a mechanism to grant access to those assets.  With a mechanism in place, they need to be able to monitor and analyze access (both historical and real-time), and respond to inappropriate access.

Typical asset and personnel protection factors include:

• Authentication Organizations need to determine whether a person, computer, or Website is indeed who or what they claim to be, and find a convenient and secure means to persist such determination (e.g., badges, passwords, etc.).  The level of trust placed in establishing and persisting identity should match the value of the assets being protected.
• Authorization This is the process of granting appropriate access to assets based on identity and/or other attributes; that is “letting the good guys in, keeping the bad guys out”.  Organizations need to make sure that the needed access to assets is granted in a timely manner, that access is properly monitored, and that they can respond effectively to inappropriate access attempts.
• Integrity (non-repudiation) This means having the ability to trust -- and prove the authenticity and change history of -- tangible and information assets.  Examples include being able to prove a signature on a wire funds transfer, or that a security videotape has not been altered.
• Brand Equity/Goodwill This is a special class of asset protection that often merits special attention from both IT and physical security.  It strives to assure that the public’s trust in the organization and its products and services is not damaged through lapses in security.
• Personnel Protection and Life Safety Involves traditional executive protection, insuring a crime and offense-free workplace, and the ability to account for and assist personnel in emergencies.

Business Building

Most organizations treat both physical and IT security as a necessary cost of doing business, not a revenue or profit enhancer.  It is difficult to quantify the business building benefits derived from having employees who feel safe in their work environment, even though everyone would intuitively agree that the benefits are there.  Nevertheless, both IT and physical security practitioners frequently look for ways to recast and enhance their mission statement to include business building goals.  Often this means transforming security from a cautionary hurdle in business ventures to a confidence-inspiring “ready, go” capability.  The resulting acceleration in decision-making and other management processes can help the organization capture opportunities it might otherwise lose.  By combining best-of-breed practices and solutions, physical and IT security professionals can achieve this transformation.

Key business building security factors include:

• New Business Models Security measures must be able to keep an organization’s assets secure while participating in business models involving outsourcing (to level “n”, contract manufacturing, partnerships, or other joint ventures.
• Mergers and Acquisitions Organizations need to be prepared to quickly assimilate another organization’s security structure.
• Business Continuity By sharing best practices across IT and physical security, organizations can ensure that normal operations (and thus, revenue streams) can be restored more quickly after a loss event.  These measures may also decrease the likelihood of the loss itself.

Cost Control/ Productivity

Both IT and physical security involve investing to lower risk.  One can think of an ‘efficient frontier’ curve on a graph of security investment versus risk, with each point on the curve representing the lowest risk for a given investment and/or the lowest cost for a given level of risk.  Not only do IT and physical security professionals strive to operate on this most efficient frontier, they also strive to bodily move this curve by lowering costs for all levels of risk.  Once again, combining best practices and solutions from both physical and IT security can help make this happen.

Cost control and productivity factors include:

• Convenience and Usability When day-to-day secure behavior is effortless, it increases user productivity.  Examples include making it easy to securely obtain or reset credentials, single sign-on, ease of requesting and granting access to assets (doors, servers, etc.), and the use of badges for canteen operations.  The security goal is to allow a worker to go to/from the street to a desk and be logged on to a company’s network with as little efforts as possible without compromising security.
• Process Reengineering This refers to efforts to drive efficiency into all security-related processes, such as incident response, security monitoring, credentialing, policy-making and exception-granting, governance, vulnerability testing, security auditing, and reception.
• Workflow Automation By applying automation to the processes listed above, an organization may be able to shorten cycle time, eliminate human errors, and reduce effort.
• Workforce Optimization When an organization realizes greater efficiencies in security, it may reduce resource requirements or thus enabling the reassignment of personnel to more strategic, business-building activities.

PHYSICAL/IT CONVERGENCE ROADMAP

The OSE has established a Convergence Council, a group of senior security and IT executives from blue chip organizations, the purpose of which is to create reusable models, definitions, and tools to enable organizations to advance convergence.

The council’s current key project is the Convergence Roadmap, a multi-faceted tool that will provide illustrative, diagnostic, and theoretical aids to enable convergence.  The Convergence Roadmap provides a structured guide to understanding and advancing convergence, beginning with an ideal end-state and offering several points of entry or interface (‘on-ramps’, as well as milestones to assist organizations in their journey to convergence. 

The Convergence Roadmap can help you determine:

• What convergence means to your organization;
• How it can add value;
• How to know when you are ready to converge;
• How you can leverage your current investments; and
• How the old and new solutions/products fit together.

The physical and IT security is already happening.  A Lehman Brothers report states that growth will come in systems that identify and authenticate a potential ‘entrant’ and then tie those credentials into the company’s IT infrastructure.  That same report charts the convergence market at US$150 million and growing at 82% CAGR.

Laurie Aaron is the Director of Strategic Sales for Quantum Secure (www.quantumsecure.com).