The Business Value of Converged Security
Expert William Crowell Shares Insights on Benefits to be Gained from Combining Physical, Logical Security Programs
William Crowell is an independent consultant specializing in information technology, security and intelligence systems. Last year Crowell co-authored "Physical and Logical Security Convergence," the first book to focus on this subject. He has worked with multiple information security companies since retiring as Deputy Director from the National Security Agency in 1997.
We caught up with Crowell to discuss the key agenda items regarding security convergence in 2008.
Q: What has happened in the last year in the physical and logical convergence movement?
A: The thing that we are all seeing can be described thusly -- last year we saw interest in the subject. This year we are seeing real movement into convergence, especially in logical and physical identification systems. What this includes is unified identity management systems in financial institutions, the aerospace industry and also on the government side, although the government agencies tend to move at a glacial pace. The unified identity management systems would be the employee identification systems, including your badge, or a smart card that identifies the employee when they log onto a system or use their badge to get into restricted areas of the institution. In one way, the single sign-on movement helped drive the unified identity management systems into institutions, but single sign-on is only one part of the answer.
Q: Why should financial institutions be concerned about convergence?
A: By having a completely integrated and converged security program at your institution, it will help prepare your staff to handle what may be termed a catastrophic event. September 11th was the wakeup call for the security industry as a whole. Remember, the bad guys go for the seams, just as the 9-11 hijackers did. The majority of financial institutions, and the industry as a whole, are very concerned with security, that their systems are secured and that they minimize risk wherever possible.
Going to the issue of compliance, Sarbanes-Oxley and Gramm-Leach-Bliley have turned the regulatory eyes back onto security issues and compliance at financial institutions. With convergence of physical and logical security, there are real advantages for an institution. You can build compliance systems that are automated and are very robust, where before it was usually a paper-based system with people making it work. While regulations such as SOX and GLBA were and are driving the cost of compliance up, convergence can give an institution the ability to do real time event correlation and respond to threats as they occur.
Q: Are physical and logical security separated in most institutions?
A: Over the years, all of the different services within a bank have grown up and gone into separate "stovepipes" -- banking in one, credit cards in another, retail is separate from corporate banking, and so on. Along with that, risk assessment, risk management and security have all been separate as well. So, the convergence of physical and logical security is part of a set of actions that need to be taken to manage risk more robustly. Something troublesome to me is the fact that most industries are global in nature. Much of their business or parts of their business are supported globally, over vehicles like the internet. This makes them much more susceptible to attacks that can be very costly.
Q: Which institutions are initiating physical and logical security convergence?
A: There are some companies that have initiated physical and logical security convergence, and are approaching it in the right way. One very large convergence project has started at BT (British Telecom). In this country, I think we're beginning to see several convergence projects in the banking industry. Bank of America and Wachovia are in the early stages and working hard on it.
Q: Where are the weaknesses within an institution, and will this pose problems with convergence?
A: There may be inherent weaknesses in financial institutions' approach to security and infrastructure that could cause problems in the future. I see the growing dependence on electronic transactions over the public internet and the potential risk that this poses as the attacks become more sophisticated. Attackers are becoming very sophisticated in terms of their ability to penetrate a network's defenses. What's also most troubling is the combined insider/outsider threat, where an attacker gets entry into the systems or gains help covering up the intrusion via a change in logs or a firewall setting.
Q: Can institutions wait and see if convergence works for others before beginning it themselves, or will they be left behind?
A: Institutions that will get left behind are the ones who do not recognize the enormous changes in skill levels and organizational structures that will be needed to gain the advancements that convergence offers. Typically, the physical security office is run by an ex-Marine or ex-law officer, because that's who knew the most about physical security. Now, physical security is much different. Authorization and access equipment is running on the network and has to interact with all the other systems to get the most value out of it. This is where anyone starting out needs to begin. Ask these questions: What kind of people do I need? And where do I get them from? Do I need to hire them, or buy consultants?
Q: Where should mid-sized financial institutions begin when they're thinking of physical and logical convergence issues, and how they will begin addressing them in their institutions?
A: I think there are two areas that I call "low hanging fruit." First one to look at is the identity management platform. As you begin to address the identity management questions, it is a lot easier to do it on the same platform, and answer the common points that all of them are questioned on. It is easier to correlate between the physical and logical worlds. I would move to a converged identity management system within the institution; not necessarily with your customers, because that's a completely different, complicated area (and expensive area) right now.
The second thing to do is to begin to converge the physical security onto your network. The advantage of that is two-fold. First, you get to use the infrastructure you already have, a common TCP/IP infrastructure you deploy all across the institution, instead of having separate connections (wired and wireless) for all of your cameras, electronic door locks, and other physical security components.
The second advantage is that you can begin to work down the cost of physical security, especially the people cost. For example, today, the way a traditional wired camera system or a door locking/alarm system works, when there is a problem, a person has to respond to the problem. Now, if there is a camera, someone has to be watching it; otherwise it only provides forensic information when an investigation occurs after a crime. With an IP-based system there are opportunities to tie it all together: when a door is opened, the camera is cued to respond to the command center and alert them that this is something they need to look at. If someone comes into a portal, or more than one person enters that portal, the image is cued again to alert the operator that more than one person has gone through that portal or "piggybacked" on the other person's credentials. The number of possibilities to combine all of these security events and correlate them into preventing things from happening to your institution is greatly enhanced.
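The event correlation Crowell describes in the two answers above (a badge swipe cueing the camera at a door, a piggyback alert when more people pass a portal than badges were presented, and correlating the physical and logical identity worlds) can be sketched as a small rule engine. The following is an added example written for this page, not code from Crowell's book or from any institution named here; the event schema, the rule thresholds (30-second swipe window, 10-hour on-site presumption) and the sample event stream are all constructed assumptions, and a real deployment would read these from an access-control system, a video-analytics feed and the directory's logon audit instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # badge_in | door_open | camera_count | host_logon | vpn_logon
    site: str      # building the sensor or host lives in ("remote" for VPN)
    point: str     # door, host or gateway; for camera_count, the door the camera watches
    subject: str   # user id for badge/logon events, "" for sensors
    count: int = 0 # persons seen in the frame, camera_count only


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: datetime
    site: str
    detail: str


# Assumed thresholds: a swipe must precede the door/camera event by at most
# SWIPE_WINDOW; a badge_in with no badge_out keeps a user "on site" for ONSITE_WINDOW.
SWIPE_WINDOW = timedelta(seconds=30)
ONSITE_WINDOW = timedelta(hours=10)


def _swipes_before(events, e):
    """Badge swipes at the same door within SWIPE_WINDOW leading up to event e."""
    return [x for x in events
            if x.kind == "badge_in" and x.point == e.point
            and e.ts - SWIPE_WINDOW <= x.ts <= e.ts]


def _on_site(last_badge, user, ts):
    """Site the user badged into within ONSITE_WINDOW, or None if not known to be inside."""
    if user in last_badge:
        badge_ts, site = last_badge[user]
        if ts - badge_ts <= ONSITE_WINDOW:
            return site
    return None


def correlate(events):
    """Run the four physical/logical correlation rules over a time-ordered stream."""
    events = sorted(events, key=lambda e: e.ts)
    last_badge = {}  # user -> (ts, site) of most recent badge_in
    alerts = []
    for e in events:
        if e.kind == "badge_in":
            last_badge[e.subject] = (e.ts, e.site)
        elif e.kind == "door_open" and not _swipes_before(events, e):
            # Door opened with no credential presented: propped, forced or bypassed reader.
            alerts.append(Alert("door_without_credential", e.ts, e.site, e.point))
        elif e.kind == "camera_count":
            swipes = _swipes_before(events, e)
            if e.count > len(swipes):
                # More bodies through the portal than badges: piggybacking on someone's swipe.
                who = ",".join(s.subject for s in swipes) or "nobody"
                alerts.append(Alert("piggyback", e.ts, e.site,
                                    f"{e.point}: {e.count} persons through, {len(swipes)} badge(s) ({who})"))
        elif e.kind == "host_logon" and _on_site(last_badge, e.subject, e.ts) != e.site:
            # Console logon in a building the user never badged into today.
            alerts.append(Alert("logon_without_entry", e.ts, e.site, f"{e.subject} on {e.point}"))
        elif e.kind == "vpn_logon" and _on_site(last_badge, e.subject, e.ts) is not None:
            # Remote logon by a user whose badge says they are still inside: shared or stolen credential.
            site = _on_site(last_badge, e.subject, e.ts)
            alerts.append(Alert("vpn_while_on_site", e.ts, e.site, f"{e.subject} badged into {site}"))
    return alerts


def T(hms):
    """Constructed timestamp helper: all sample events fall on one day."""
    return datetime(2008, 3, 10, *map(int, hms.split(":")))


# Constructed sample stream (assumed schema; not real access-control or audit data).
EVENTS = [
    Event(T("08:00:00"), "badge_in",     "HQ", "door-1", "alice"),
    Event(T("08:00:02"), "door_open",    "HQ", "door-1", ""),
    Event(T("08:00:05"), "camera_count", "HQ", "door-1", "", count=2),  # two walked in on alice's swipe
    Event(T("08:05:00"), "badge_in",     "HQ", "door-1", "bob"),
    Event(T("08:05:01"), "door_open",    "HQ", "door-1", ""),
    Event(T("08:05:04"), "camera_count", "HQ", "door-1", "", count=1),
    Event(T("08:30:00"), "host_logon",   "HQ", "ws-17", "alice"),      # fine: alice badged in
    Event(T("08:31:00"), "host_logon",   "HQ", "ws-22", "carol"),      # carol never badged in
    Event(T("09:10:00"), "vpn_logon",    "remote", "vpn-gw", "bob"),   # bob is still on site
    Event(T("12:00:00"), "door_open",    "HQ", "door-3", ""),          # no swipe at all
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a.ts.time(), a.rule, a.site, a.detail)
```

On the constructed stream this raises four alerts: the piggyback at door-1, carol's logon without a badge entry, bob's VPN logon while his badge says he is in the building, and the door-3 opening with no credential. The design point is that none of the four rules can fire inside a single stovepipe; each needs the badge system, the camera or the logon audit to be on one network and one identity namespace, which is the convergence the interview is arguing for.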
Q: Where is the industry heading with physical/logical convergence, and does this include voice communications?
A: Based on the number of projects I've seen started at large institutions in the past year, and the number of companies marketing their security products for the converged environment, the interest is pretty high. If I walk through many large to medium sized financial institutions, I see the Cisco VoIP phones on every desk.
Q: What are the typical cost savings an institution would see in a convergence project?
A: There aren't any collective numbers compiled yet on total cost savings, but if we look at it by area of convergence, we can get an idea of cost savings. If you look at the typical cost of running cables from each camera in a bank branch to a central location, and the typical camera placements and how many cameras each branch has, you get an idea of the thousands of feet of cable a medium-sized bank has invested in to run its security cameras. That's an awful lot of wiring. Today, you can use the existing IP wiring that has been installed in the bank, or even use wireless capabilities. One example I know of is in Philadelphia, Pennsylvania, where all of the city's physical security cameras are running on a wireless system. The cost savings and maintenance savings (other than the initial investment in the hardware) are great. Because they are IP-based systems, the cameras can be maintained remotely.
Readers: What are your top questions about the convergence of physical and logical security? Send them to Editor Tom Field, and he will secure answers from William Crowell.