
Paul F. Roberts


Senior editor at InfoWorld

Information Technologies (IT) security gets physical


The good news: The physical and IT security systems your company uses will merge. The bad news: It'll probably take a while.

The cameras are watching when you drive up to IBM’s Watson Research Lab in Hawthorne, N.Y. They’re also noticing things … things such as the color of vehicle you’re driving and its license plate. When you get out of the car, another camera zooms in on your face, capturing its image and transmitting it (along with snapshots of your car and license plate) to third-party analytics systems, which then compare those bits against a database of lab employees and authorized visitors.

By the time you get to the door at Hawthorne, says Arun Hampapur, manager of IBM’s Exploratory Vision Group, the cameras have, in theory, already collected enough data to grant you access to the facility without you having to wave a key card or check in at the front desk.

This type of “Minority Report” scenario remains more myth than reality, but a number of factors have combined in recent years to put the merging of physical and IT security on the front burner. The advent of open, IP-based physical access systems, the appearance of new startups offering convergence solutions, along with an embrace of open applications platforms and Web services, may soon place true converged security solutions within reach of ordinary enterprises.

Physical threats
Even before the words “stolen laptop” started popping up in headlines, 9/11 increased the burden and cost of physical security — especially for companies with high visibility, says William Crowell, an independent consultant and former senior official at the U.S. National Security Agency.

But incidents such as the December theft of five laptops from the benefits consulting firm Towers Perrin, containing data on tens of thousands of retirement-plan participants, are motivating corporations to push for security integration. One company, Boeing, suffered three break-ins between November 2005 and December 2006, culminating with the theft of a laptop from an employee’s car that contained the names, salary information, Social Security Numbers, home addresses, phone numbers, and dates of birth of 382,000 current and former employees.

Rather than hack a well-defended corporate network, smart criminals in search of sensitive information have discovered it’s often more effective to focus on gullible employees and loosely guarded offices, says Cheng Tang, a consultant with System Experts, a security consulting firm. “Crime is always about finding the weakest link. It’s a lot easier to hack the physical and person-side of the security equation,” he says.

Some attacks combine both online and offline tactics, with attackers researching their target on the Web or rattling doors on the company’s public-facing servers before trying to compromise physical security protections to get what they want, says Dave Tyson, CSO for the City of Vancouver, who manages a joint physical and IT staff of 45 that includes 22 security guards and security contractors.

Unified operations like Tyson’s are rare. “In the past, there’s been this umbrella of security around physical security, where the building is locked down and the concerns of the security officer are taken care of,” says Peter Fehl, senior marketing manager for integrated security at Honeywell. “On the IT side, they have [anti-virus] and firewall. But in between the groups is where the cracks have developed.”

The Spitzer factor
But the reasons to fill those cracks are mounting. The parade of new regulations, led by Sarbanes-Oxley, provides even greater motivation for organizations to consider converging their IT and physical security operations.

Government organizations face other, more stringent mandates. The recent implementation of Homeland Security Presidential Directive 12 (HSPD-12) has primed the pump for security convergence. The directive, which took effect in October, requires government agencies to begin issuing standard PIV (personal identity verification)-2 cards to employees. In time, HSPD-12 smart cards will be used to tie logical and physical access together at government agencies as well as at their private sector contractors.

“HSPD-12 is an attempt to say ‘These worlds should converge. They should be managed together,’” says Brian Contos, CSO of security information management firm ArcSight.

Beyond government, critical infrastructure owners in sectors such as health care, telecommunications, and transportation are also standardizing on cards that meet FIPS (Federal Information Processing Standard) 201, a set of specifications for personal ID cards issued by the National Institute of Standards and Technology (NIST) in response to HSPD-12, notes Peter Boriskin, director of product management for Tyco Fire & Security’s Access Control and Video Systems.

If nothing else, the money and regulatory weight behind HSPD-12 promises to reduce the cost of smart card deployments and focus the physical and IT security industries on a key point of intersection: the security credential.

“HSPD-12 created a nexus around the token,” Boriskin says, noting that previous attempts at physical and IT security integration were focused on integrating security applications. “Rather than try to integrate all these complex, fragile systems, now we all just know the token.”

While smart-card readers may take years to reach the bulk of enterprises, in the interim, Fehl of Honeywell sees companies picking and choosing from FIPS 201, grabbing onto the smartcard technology and adopting government standards for card enrollment, verification, and background checks.

Emerging technologies
Perhaps the biggest boost to converged security originates with the security industry itself, where a generation of proprietary physical access systems is giving way to newer, network- and Web-based products, built using open architectures and with third-party integration in mind.

At Tyco, long a leading player in physical security, a next-generation access control system, the C-CURE 9000, marks a radical departure. The 9000 series was built with convergence in mind, using Microsoft’s .Net framework and Web services to connect physical security functions such as fire and door access with HR and IT systems, including network single sign-on and user provisioning/deprovisioning.

Rather than being a “security management” system, Tyco thinks of C-CURE 9000 as an events-management system that can link physical security with IT-centric tools such as ERP software, Boriskin said. Previous generations of the C-CURE platform could only have accomplished that through brittle and expensive integration projects.

“XML and Web services have been the biggest enabler of convergence,” Boriskin says. “It’s a layer of abstraction that provides a common language for all these different products to talk to each other.”

Experts agree that the lack of an open, services-based approach hobbled early efforts at convergence, such as the Open Security Exchange (OSE), a joint physical-IT consortium that launched in 2003 with the backing of companies such as Computer Associates, HID, Tyco, and Wells Fargo.

“The big problem back then was that when you started to connect systems like that, you needed direct access to the database, and that can break things,” Fehl says. “Today, XML creates an intermediate layer where you can filter the data and apply rules that process the data before it hits your database.”

Smaller security firms such as S2 and Imprivata are also taking advantage of the move to IP-based networks and Web services to create open platforms that can tie physical and IT security together.

S2’s product, NetBox, is a physical security management appliance that integrates access control, alarm monitoring, temperature monitoring, video surveillance, and intercoms, according to CEO John Moss. S2’s technology uses controllers that bolt on to existing card readers, video monitors, and other physical security point devices. Those controllers store access policies and communicate with the network appliance over standard IP-based protocols; the appliance’s policy database centralizes physical security policies and pushes them out to the devices it manages.

Similarly, Imprivata’s OneSign product is an appliance-based, single-sign-on solution that joins physical and logical access systems. Web services standards such as SPML (Service Provisioning Markup Language) allowed the company to create interfaces for third-party user provisioning systems from Courion and others to create and manage user accounts, applications, and credentials within OneSign.

Moss, who founded the card-access company Software House before selling it to Tyco in the mid-1990s, says that’s a big departure from the “1990s’ big software model” that has dominated the physical security market until recently, in which integration happened at the application layer, and big vendors such as Tyco extracted hefty fees for access to APIs. In contrast, S2 has published open Web services APIs that allow companies to link their IT-based user provisioning systems to S2’s NetBox, Moss says.

Culture clash
Despite such advances, the biggest obstacle to converged security has nothing to do with technology. It’s the cultural chasm between the physical and IT security professions.

“The two groups just don’t know how to talk to one another,” says Vancouver’s Tyson. “The world of technology is a very term-based environment. If you don’t understand those terms and the technology behind them, you’re on the outside looking in.”

That’s often where people with a physical security background — a group that once included Tyson himself, who started his career as a bodyguard — find themselves. “There’s no really good school for IT security, unless you go back to school and get a CS degree, but who can afford that?” he says.

S2’s Moss agrees. “Physical security practitioners make less per hour than in the IT world. And [professional certifications] don’t always require IT training. IT security practitioners are more highly trained and have certifications for the things they do, but they don’t know much about physical security,” he says.

In other words, your IT security staff may be perfectly trained to sniff out a Trojan or keylogger on a PC, but don’t go to them if you need an unruly visitor hustled out of the building. On the other hand, if that disorderly visitor started harassing an employee via IM, the physical security folks wouldn’t know where to start, says Tyson.

Until recently, that basic cultural difference permeated most physical security vendors, where such established vendors as ADT, Honeywell, and Tyco tailored their wares to the guys with badges.

To this day, the servers and systems for managing door access and video surveillance frequently form a kind of “shadow IT” within corporations, overlooked by trained IT staff who might not even know they’re there, and ignored by physical security staff who do know they exist but lack the expertise to manage them. Vulnerabilities in those systems can pose big risks, especially as they migrate from closed, proprietary networks to the same IP-based network used by mission-critical applications, Tyson says.

“When I first arrived on the job (at the City of Vancouver),” Tyson recalls, “I asked the physical security manager when was the last time the camera system servers had been patched. His response was: ‘What’s a patch?’”

On the flip side, IT security experts are often blind to physical security systems, or don’t consider them part of the overall IT picture. “We hired one of the Big Four consulting companies to come [to Vancouver] and do an IT threat and risk assessment,” Tyson recalls. “Nowhere in their report do they even discuss the physical security systems.”

Such glaring disconnects lead some to take the long view. “I don’t think real converged security is going to happen any time soon,” says Geoff Hogan, senior vice president of business development and product management at Imprivata. “When you get right down to it, physical security doesn’t want to own the network log-in, and IT doesn’t want to own the door responsibilities.”

Even at IBM, Hampapur says the Smart Surveillance System isn’t operationally linked to any access control systems at any IBM site or customer, although the company has demonstrated an in-lab prototype of such a system to a major U.S. airport.

“It’s at the stage that people see what’s possible and doable. But you need to tie it back to the business case to support it. Is this a $5,000 problem with a $50,000 solution, or vice versa?” says Sam Docknevich, IBM’s national practice leader for security services.

So far, larger companies and early adopters are pushing vendors such as IBM and Tyco the hardest on security convergence, requesting ways to tie in employee provisioning with security management systems such as C-CURE, Boriskin says.

At IBM, the focus is more on linking video surveillance to biometrics and access control. The company is also seeing a surge in requests for proposals on RFID and asset tagging to prevent theft from the retail sector, as well as utilities looking to protect remote sites, Docknevich says.

Converged security today
So when will converged security go mainstream? To start, companies must come up with a sober assessment of their security needs based on risk management. At many firms, this has already happened.

“When you talk to large companies, you find that they’re re-examining the organization of security around risk management. Very often they talk more in terms of risk management and what are the component pieces,” Contos says.

Often, taking a risk-based approach means doing less, not more, and focusing on a few core assets, rather than big, expensive solutions that touch everything, says Ray O’Hara, SVP at Vance. “You can have the best access control system and cameras all over the world, but is your focus on the crucial information? Maybe that camera in Beijing is necessary, but you need to study the validity of having it there first,” he says.

Rather than chasing off after facial recognition systems, Jon Gossels, president of System Experts, says companies adopting a risk-based approach might focus first on telephone rooms and computer datacenters — and make the physical security around those top notch. Or they might audit basic access security at branch offices, which are often easy prey for criminals and social engineers.

As for the gap between physical and IT security cultures, changes in management — such as establishing a CSO position with global authority — can help. At the City of Vancouver’s offices, Tyson instituted a program to train security guards about IT security, and then assigned them to look in cubes for unsecured laptops, passwords on post-it notes, and unauthorized wireless access points.

“IT security doesn’t have the feet to get out to all those desktops. So instead of just rattling doors, we’ve got [security guards] looking for all the risks in the environment,” Tyson says.

On the IT side, experts say that enterprises should focus convergence efforts on areas with a big payoff, such as data encryption, door access, and branch office security — and look for ways to realize convergence without having to rip out existing infrastructure or disrupt existing systems and processes.

As an example, Imprivata’s OneSign product, which works with products by Tyco, Linell, and S2, integrates with legacy access card readers, but adds the ability to tie in door access with logical access to the LAN in the office, or through a VPN system, Imprivata’s Ting says. That means companies can leverage the physical access system they already have as a second factor, instead of investing in an entirely new second factor token or secure ID, he says.
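The door-access-as-second-factor idea above, as an added example (not Imprivata’s, S2’s or Tyco’s code): each LAN or VPN login is judged against the user’s recent granted badge-in events, so a desk login without a matching badge-in is denied and a VPN session from someone who is badged into a building is flagged for review. The event formats, site names and the 12-hour window are assumptions.

```python
"""Correlate physical badge-in events with logical logins so the existing
access control system acts as a second factor. Added example; event
formats, site names and BADGE_WINDOW are assumptions, not a vendor API."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BadgeEvent:
    user: str
    site: str
    time: datetime
    granted: bool          # False when the door controller rejected the card

@dataclass(frozen=True)
class LoginEvent:
    user: str
    source: str            # site name for a wired LAN login, or "vpn"
    time: datetime

BADGE_WINDOW = timedelta(hours=12)   # assumed maximum shift length

def last_badge_in(user, before, badges):
    """Most recent *granted* badge-in for user in the window ending at `before`."""
    cands = [b for b in badges if b.user == user and b.granted
             and before - BADGE_WINDOW <= b.time <= before]
    return max(cands, key=lambda b: b.time, default=None)

def evaluate(login, badges):
    """Return (decision, reason); decision is 'allow', 'deny' or 'flag'."""
    badge = last_badge_in(login.user, login.time, badges)
    if login.source == "vpn":
        # Remote access needs no badge, but a VPN session from a user who is
        # badged into a building deserves a look (reused credentials, or a
        # tailgater who never badged out); flag rather than block.
        if badge is None:
            return ("allow", "VPN login with no recent badge-in")
        return ("flag", f"VPN login while badged into {badge.site}")
    if badge is None:
        return ("deny", f"LAN login at {login.source} without any badge-in")
    if badge.site != login.source:
        return ("deny", f"LAN login at {login.source}, last badge-in at {badge.site}")
    return ("allow", f"LAN login matches badge-in at {login.source}")

def ts(h, m):
    return datetime(2007, 1, 29, h, m)   # constructed timestamps

# Constructed sample events (not real logs).
SAMPLE_BADGES = [
    BadgeEvent("alice", "hq", ts(8, 2), True),
    BadgeEvent("bob", "branch", ts(8, 30), False),   # card rejected at the door
    BadgeEvent("dave", "hq", ts(7, 55), True),
]
SAMPLE_LOGINS = [
    LoginEvent("alice", "hq", ts(8, 10)),      # badge, then desk login
    LoginEvent("alice", "branch", ts(10, 0)),  # wrong building
    LoginEvent("bob", "branch", ts(8, 35)),    # door denied, then a LAN login
    LoginEvent("carol", "hq", ts(9, 0)),       # never badged in
    LoginEvent("dave", "vpn", ts(9, 30)),      # remote session while inside
]

def run_sample():
    """Decision keyed by (user, source) for the constructed sample."""
    return {(l.user, l.source): evaluate(l, SAMPLE_BADGES)[0] for l in SAMPLE_LOGINS}
```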

Tyco plans to disclose integration with “a leading IT security vendor” when it unveils its new C-CURE 9000 platform in the first quarter of this year, whereas integration with platforms like IBM’s Tivoli is “coming soon,” Boriskin says. And Cisco is working on integrating its NAC (network admission control) technology with IBM’s Smart Security System, says Steve Cohen, director of marketing at Cisco’s Security Technology Group.

Although the worlds of physical and IT security are beginning to gravitate together, true convergence is still a ways off.

“The adoption curve is never as fast as people think it’s going to be, except, maybe for the iPod,” says ArcSight’s Contos.

The capability to move incrementally toward convergence, however, may be the best indication that it will eventually happen, says Fehl.

“People have talked about convergence forever, but it hasn’t come about. It was always a big leap, and it was expensive and peoples’ jobs were on the line,” Fehl says. “Now you can take baby steps. Be flexible. Change direction and evaluate.”


Source: www.infoworld.com
Date: 29/01/07
