Convergence: The Next Horizon in Security
Protecting the Perimeter in the Age of Convergence

Beyond Convergence

I get dozens of emails each week on "convergence." I gave the keynote address at Security Summit 2007 in Los Angeles, and the title of the Summit was "Convergence: The Next Horizon." It is safe to say that convergence is the number one topic in the security field. The industry is experiencing a major transformation. However, the focus on convergence is misplaced. I believe it derives from the perspective that as security devices become network peripherals, security professionals are focused on the point of convergence. The problem with this focus is that it results in underachieving. Such a focus leads to security devices operating on Ethernet networks and providing the same functions those same devices provided previously, when they were standalone electronic systems.

I encourage all security systems manufacturers and integrators to look beyond convergence. This longer-range focus changes the objective from gaining equivalent functionality to engineering the network, which means optimizing it, to protect people, facilities and data and to prevent fraud. Looking beyond convergence expands the context and achieves a higher level of protection by using the benefits that become available through convergence.
Please let me know your thoughts on this topic.
Industry Report Points to Ollivier Corporation

Ray Bernard is an industry analyst whom I have known for about four years. When I was new to the security industry, he was one of the first security consultants whose eyes lit up when he and I talked about the integration of physical and data security. He has gone on to create an incisive new report on the industry.
He talks about such projects as the national retailer (over 300,000 employees) deploying 150,000 IP cameras globally as an incremental addition to its global deployment of IP telephony. IP telephony (VoIP) replaces analog phones with phones that connect directly to a network, getting both power and communication connectivity over Ethernet-based networks.
Very few discussions of convergence in the security industry use "installation" as an example. Ray does in his report. He talks about the installer preparing the IP-based cameras in the same manner as IP-based phones. Both are put in similar boxes prior to distribution to regional offices, with the same information barcodes on the boxes and with network cable location numbers. A swipe of the computerized barcode scanner displays exactly where a phone or camera is to go, along with other installation information. This enables an integrator to reduce the typical per-camera installation time from 3 hours to 30 minutes. This is a classic IT application. Ray then points out that Ollivier Corporation is using common IT installation strategies for its security deployments. He reports that customers want the benefit of IT expertise from their security integrator and that Ollivier Corporation is way out in front of other physical security integrators. I encourage you to learn more about Mr. Bernard's industry report.

Guards, Dogs and Technology

I am still surprised how seldom the balancing of a guard force and technology-based security systems is discussed. It seems as though the discussions of how to deploy each of these are done in isolation from the other. Here are some of my thoughts. Now that security devices such as cameras and access control readers are peripherals on the network, they are much more intelligent than they were just a couple of years ago. They are especially intelligent if the network is engineered to take advantage of communication between the devices and with the data available on the network. It is this communication that enables Eye on Cash, GPS Logon, Virtual Perimeters, Virtual Mantrap, CRM Secure and other solutions developed by Ollivier Corporation to be available at low cost in today's market.
As intelligent as these solutions are, they still require the judgment provided by a competent guard force. These solutions sort through hundreds of events to create alerts and alarms that are rendered important or meaningless by the guard force. The guard force is comprised of the first responders. What this means is that the guard force's value and contribution are significantly increased by relegating monitoring and surveillance to devices. I have been told by guard service organizations that they make more money deploying intelligent guards to monitor and assess the output of computer-based security systems than they do selling low-paid guards.
Friday, January 31, 2007
Meshing Surveillance

I am working with residential building owners in a very high-crime area of Los Angeles. We intend to cover the entire 5 square mile area with IP-based surveillance cameras. The trick is that each of the buildings in this area is owned by individuals, acting in a loose confederation as property owners. They require high quality cameras because the ambient lighting will vary dramatically and a high level of visual acuity will assist in making proper identifications. While the cameras must be high quality, the infrastructure must be low cost, yet tie each camera into the network. New mesh network technology dramatically reduces the cost and planning required to improve infrastructure and therefore creates a platform for higher functioning cameras. This configuration is working well in a few cities and we hope to apply it to our situation in Los Angeles. If you have any comments, please contact me at joelrakow@olliviercorp.com.

Thursday, November 16, 2006

Access Control Moving to IT?

Two years ago, physical security appeared to be the sole domain of the traditional security organization. Maybe it is me, but it seems that in small and large organizations alike, I am seeing the IT organization as the prime mover in access control... and often surveillance. In just the last week, I have visited a hosting company for 40,000 realtors, the company responsible for 80% of all transmissions of digital cinema films and one of the oldest large residential communities in Los Angeles. In each case, the Technology Director, the Network Administrator or the Facilities Technician (in the IT department) has been the primary point of contact. Two of these companies are part of very large organizations that have traditional security, yet it is as though they do not exist. What does this mean? It seems to be the beginning of a trend.
It seems to me that while the physical security professionals get comfortable with the concept of convergence, the IT professionals are filling the void of indecision. In my opinion, all that has to happen for physical security to re-establish its rightful place is to understand that IT wants to be the custodian of the access control system and wants security to be the owner of the data. This can be an easy arrangement to negotiate and one that serves both professional communities.

Tuesday, September 26, 2006

When Cost of Smartcards is Too High

Very few companies will want to bear the high cost of re-badging their entire workforce. And why should they? Integrating physical and data security is the desired goal. Smartcards represent a technology approach to achieving that goal. Integration can also be achieved through directory services (e.g. Active Directory, LDAP) without having to re-badge. Here is how I advise my clients when they are confronted with budget constraints:

i) Identify the assets that represent the greatest risk (e.g. top security government work);
ii) Provide smartcards to the people who need to access those assets;
iii) Protect all other assets using directory services.

This is a practical approach to achieving convergence between physical and data security.

Monday, September 25, 2006

Three Hundred Data Breaches

We hear a lot about data breaches. It seems as though one is announced nearly every week. Well, it turns out that between February 2005 and July 2006 more than 300 data breaches were reported. That is almost 20 a week. Click on the link to see a listing of these data breaches: http://www.privacyrights.org/ar/ChronDataBreaches.htm It is useful to remember that we hear very little about the outcomes of these breaches. The lawsuits and penalties rarely appear in the press, yet the general counsel or representing attorneys know that the cost of the breach will appear in the cost of litigation, the penalties and shareholder value.
Saturday, July 01, 2006

Value Proposition for Convergence - Free ROI Tool

Using smartcards is one way to integrate physical and data security. Using directory services (e.g. Active Directory, LDAP) is another. In either case, many security directors have discussed with me how this convergence might be financially justified during this budgeting season. This is becoming such a widespread concern that I have initiated the development of a sophisticated eCrime ROI Tool that links several worksheets into a consolidated value proposition. This is one of the advantages of belonging to a company with over 500 CFOs. So far, it seems quite easy to justify a smartcard initiative if the company also sells security products. When this is the case, it is clear that aligning the customer-facing product strategy with security operations will both enhance revenue and reduce risk. This helps the numbers favor integrating security, even with the more expensive smartcards. When this is not the case, it helps to explore applications, in addition to access control, that can be added to the smartcards. Such applications might be for travel expenses, credit union, cafeteria access, uniforms and equipment accounts and so on. We have found that expenses related to lawsuits can be a good source of cost justification, especially when we look at how these systems prevent lawsuits, decrease the potential for awards going to the other party and increase the potential for winning awards. In a related manner, consider the costs related to investigations. A major value in convergence is its auditability: you should be able to build very nice support when you look at the time and cost of tracking down events that occur in physical space and on the network. These systems are usually disparate, record events with clocks set to slightly different times and have user IDs that are often different. They are a quagmire of line items that take a lot of time to sort through.
The ROI Tool is easy to use and available upon request. All I ask is that after you use it, you provide comments on how it worked and how you would like to see it improved. I am glad to share this ROI Tool. Simply send me an email (joelrakow@olliviercorp.com) and I will send it to you.

posted by Joel Rakow, Ed.D. at 10:41 PM

Saturday, May 20, 2006

Convergence: The Whole Story

I recently attended a security conference where convergence was a major topic. To my surprise and disappointment, convergence sometimes means using the IT infrastructure to run security applications such as access control and surveillance. What a small view of an important topic! This view of convergence is grounded in the lowest level of operational security: it is satisfied with incremental change that may or may not lead to a direct path of increasing the security of critical assets. This view operates as though automating processes is an end in itself. It runs headlong into the age-old IT conundrum of automating a broken process... thereby making things worse. We all agree, I am sure, that the processes between physical security and data security are so broken that, for the most part, they do not even exist. I encourage all participants in the discussion of convergence between physical and data security to make sure that the processes around security are fixed before, or at the same time as, the security systems are implemented on the IT infrastructure. That way, you can avoid making the same mistake our IT predecessors made in the early 60's and 70's. Let's learn from our mistakes so that our effort increases the level of protection.

posted by Joel Rakow, Ed.D. at 3:17 PM

Wednesday, March 29, 2006

Weeding Out the Unprepared

Ongoing process improvement is an often overlooked and important element of every security program. It is not enough to identify a vulnerability and implement remediation if you do not also ensure that the asset and risk assessment is reviewed again on a regular schedule.
This is often considered the mark of a true security program... rather than a collection of security activities. If you work in a regulated industry or submit to other types of audits, ongoing process improvement is almost always one of the "weeder" items on the checklist. Remember college, where there was always that one course that weeded out the less talented students. The same applies to ongoing process improvement, the audit checklist and security.

posted by Joel Rakow, Ed.D. at 10:52 AM

Sunday, March 05, 2006

Why Convergence?

Physical security and data security organizations typically work independently of each other. You know this to be true since you see it at every company you have ever worked at, unless it is IBM, Microsoft or just a handful of others. Well, let's take a look at some obvious security events that never get detected in the typical (unconverged) environment:

1. Bob does not badge in to work today, but someone accesses data and applications normally used by Bob. This is probably not a security event in your company.

2. Bob gets up from his computer workstation and leaves the building to go home for the night. He even badges out. Bob's computer continues to run just as though he went down the hall to use the restroom. Would this be true at your company?

3. Bob works in customer support, yet he uses the computers in his department to access files that are normally accessed only by people in accounting. These two departments are on separate floors of the building. Would this be a security event in your organization?

These three examples illustrate how the separation of physical security and data security creates a set of vulnerabilities that ought to embarrass any security organization that claims to have performed a risk assessment.

posted by Joel Rakow, Ed.D. at 8:52 PM

Sunday, March 05, 2006

Sopranos Go After the Data

Have you ever watched the Sopranos on television? Or, any mafia movie for that matter?
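The three "Bob" scenarios in the "Why Convergence?" post above, together with the auditability point from the ROI Tool post (disparate systems, clocks that disagree, user IDs that differ), can be turned into concrete detection logic. The Python below is an added example, not code from this blog, from Ollivier Corporation or from Tatum: it correlates constructed badge-reader lines with constructed logon and file-access lines, maps badge IDs to directory accounts, tolerates a five-minute clock skew between the two systems, and raises an alert for a logon with no badge-in that day, for activity after a badge-out, and for a user touching another department's file share. The identifiers, share names, log formats and skew window are all assumptions.

```python
# Added example: correlating badge-reader events with logon/file events.
# Not code from the blog; all log lines, names, shares and the skew window
# are constructed for illustration.
from datetime import datetime, timedelta

# The badge system and the directory use different identifiers (assumption).
BADGE_TO_USER = {"B-1001": "bob", "B-1002": "alice"}
USER_DEPT = {"bob": "customer_support", "alice": "accounting"}
# Department that owns each file share (constructed).
SHARE_DEPT = {r"\\fs01\accounting": "accounting",
              r"\\fs01\support": "customer_support"}
# The two systems keep slightly different clocks; tolerate this much skew.
SKEW = timedelta(minutes=5)

# Constructed badge-reader log: date time badge-id IN|OUT door=...
BADGE_LOG = """
2006-03-05 08:02:10 B-1002 IN  door=lobby
2006-03-05 17:31:00 B-1002 OUT door=lobby
2006-03-06 08:00:30 B-1001 IN  door=lobby
2006-03-06 18:05:00 B-1001 OUT door=lobby
"""

# Constructed directory/file-server log: date time EVENT user key=value
LOGICAL_LOG = r"""
2006-03-05 08:05:40 LOGON alice host=ws-acct-02
2006-03-05 09:15:22 LOGON bob host=ws-support-07
2006-03-05 09:40:03 FILE bob path=\\fs01\accounting\payroll.xls
2006-03-05 10:12:00 FILE alice path=\\fs01\accounting\payroll.xls
2006-03-05 17:25:10 LOGOFF alice host=ws-acct-02
2006-03-06 08:10:00 LOGON bob host=ws-support-07
2006-03-06 18:20:45 FILE bob path=\\fs01\support\tickets.txt
"""


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_badge(text):
    """Return [(timestamp, user, 'IN'|'OUT')] sorted by time."""
    events = []
    for line in text.strip().splitlines():
        date, time, badge, direction, _door = line.split()
        events.append((_ts(date, time), BADGE_TO_USER[badge], direction))
    return sorted(events, key=lambda e: e[0])


def parse_logical(text):
    """Return [(timestamp, kind, user, attrs)] sorted by time."""
    events = []
    for line in text.strip().splitlines():
        date, time, kind, user, *rest = line.split()
        attrs = dict(item.split("=", 1) for item in rest)
        events.append((_ts(date, time), kind, user, attrs))
    return sorted(events, key=lambda e: e[0])


def share_of(path):
    # \\server\share\dir\file -> \\server\share
    parts = path.split("\\")
    return "\\\\" + parts[2] + "\\" + parts[3]


def presence_at(badge_events, user, when):
    """Direction of the user's last badge event at or before `when` (None if no record)."""
    state = None
    for ts, u, direction in badge_events:
        if u == user and ts <= when:
            state = direction
    return state


def correlate(badge_text, logical_text):
    """Return [(rule, user, timestamp)] alerts for the three 'Bob' scenarios."""
    badge = parse_badge(badge_text)
    alerts = []
    for ts, kind, user, attrs in parse_logical(logical_text):
        stamp = ts.strftime("%Y-%m-%d %H:%M:%S")
        if kind == "LOGON":
            # Scenario 1: logon with no badge-in for that user on that day.
            # A badge-in stamped up to SKEW after the logon still counts.
            covered = any(u == user and d == "IN" and t.date() == ts.date()
                          and t <= ts + SKEW for t, u, d in badge)
            if not covered:
                alerts.append(("logon_without_badge_in", user, stamp))
        if kind in ("LOGON", "FILE"):
            # Scenario 2: activity more than SKEW after the user badged out.
            if presence_at(badge, user, ts - SKEW) == "OUT":
                alerts.append(("activity_after_badge_out", user, stamp))
        if kind == "FILE":
            # Scenario 3: user touching a share owned by another department.
            owner = SHARE_DEPT.get(share_of(attrs["path"]))
            if owner is not None and owner != USER_DEPT[user]:
                alerts.append(("cross_department_access", user, stamp))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, LOGICAL_LOG):
        print(alert)
```

Running the block yields three alerts, all against bob; alice, who badged in, logged on, worked on her own department's share and badged out after logging off, produces none. The skew window is applied in the direction that avoids false positives: a logon is treated as covered by a badge-in recorded up to five minutes after it, and activity counts as "after badge-out" only when it is more than five minutes past the OUT event. The badge-ID to account map is the piece most organizations lack, and it is exactly the "user IDs that are often different" problem the ROI post describes.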
They seem to always be hijacking trucks. What are they after? Well, they steal cigarettes, razor blades, electronics: things that are easily converted into cash. These are called fungible items. In today's world, financial identities are fungible items. A good financial identity will get $2 on the open Internet. Moreover, there are a number of scams that allow less than $10,000 to be converted into $1.5 million with virtually no risk of being caught. I am not writing this to encourage any of you to get into the Internet scam business. Rather, I write this to underscore why so many businesses and individuals are under very intense attack over those financial identities. These attacks are increasing and will be looking for new targets and new victims.

posted by Joel Rakow, Ed.D. at 6:59 PM

Sunday, February 26, 2006

A Meeting of Two Cultures with Identical Goals

I recently conducted a joint security discussion at a $5 billion beverage company. I moderated the discussion, which was between the physical security organization and the data security organization. The physical security personnel fit the stereotype: burly, blue collar and rough-hewn language skills. The data security folks also fit their stereotype: brainy and articulate. Yet, during the meeting, it became clear that the physical security folks had a lot to offer the IT people. It is true, the physical security folks might be able to persuade, but it was clear to me and to the IT people that physical and data security can and should work together. We found that physical security had skills in conducting risk-based assessments that were sorely lacking in the IT people. We also discovered that the physical security people would immediately view change procedures as an area of high vulnerability. Yet, such procedures at this company were incomplete and inadequate. Finally, the parties reached consensus that third-party oversight might benefit IT's security efforts.
Convergence is a term used to imply the integration of physical and data security. Most people think this means the integration of entry control systems for facilities and the computer network. In the case of this global company, convergence means integrating the two organizations in a way that allows both to contribute to improving the protection of assets.

posted by Joel Rakow, Ed.D. at 11:51 AM

Saturday, February 25, 2006

Operational Risk and Organizational Risk

Electronic crime has increased the organizational risk that corporations face. With physical crime, operations tend to bear the greatest risk. Six or seven years ago organizations could focus on securing their operations in order to deal with their greatest risk. If a truckload of product were stolen, the loss would often be the company's greatest exposure. The Internet has initiated such changes as:

i) Financial identities can be obtained (i.e. stolen) and sold by people thousands of miles away;
ii) Laws have been implemented to protect consumers and employees from having their identities stolen as a result of corporate negligence; and
iii) Penalties and sanctions can, when made public, result in a loss of approximately 17% of a corporation's market capitalization for at least a year following the breach, in addition to damages.

This loss of shareholder value, along with a loss to the brand, makes the organizational risk greater than that borne by the operations. The corporation suffers very little, if at all, when its customers' financial identities are purloined... at least the direct loss is very little. The litigation that follows is now the major risk factor. A competent security plan protects the corporation from this organizational risk.

posted by Joel Rakow, Ed.D. at 7:02 PM

Friday, December 16, 2005

Aligning Risk with Security Solutions

IT organizations almost never conduct a risk assessment before they implement security. How smart is that? Well, not very.
The standard practice in, say, configuring a firewall is to see what traffic comes through and then configure it to block that traffic. Wait for the next set of traffic to come, block it, and then repeat this process until satisfied. Think about securing your house in the same manner: people walk in front of the building, so you put locks on the front door. People walk by and look in the windows, so you lock the front windows. The garage door is left open at times and people walk by, so you lock the door from the garage to the house. Let's say that is the extent of traffic for about a week. Is your house secure? Hardly... and neither are IT systems, and for the very same reason. I actively advocate having physical security people work with IT people in conducting risk assessments. Physical security people have risk-based assessments etched into their DNA. They can provide a lot of guidance to IT people when it comes to securing IT systems. I like to think of this as one step in integrating physical and data security; this is also called convergence in security circles. I exhort my clients to integrate the two organizations, physical and data security, before they try to integrate systems such as access controls. IT learned many years ago that automating a bad procedure only makes the matter worse: integrating the IT systems of physical and data security before the organizations are working together will also make the system worse. In addition to conducting risk-based assessments, I encourage my clients to have physical security provide guidance in developing enforceable policies for IT change controls and to provide third-party oversight when those change procedures are being performed. Collaboration in these three areas represents a satisfactory prerequisite to integrating various access control systems.

posted by Joel Rakow, Ed.D. at 10:19 AM

Friday, December 16, 2005

Securing the Corporation

Ask most data security professionals how to secure the assets of a company: they will talk about operational security. They will discuss firewalls, intrusion prevention and the like. They wrongly focus on the loss of data and other operational security matters. Yet, they will also tell you that they can never be 100% secure. At the same time, they nearly always fail to discuss the biggest risk for a corporation... and that is often the legal aftermath of a data loss. The legal entanglements will often result in far more financial loss than the actual damages, especially a loss of data. I think this is a holdover from physical security, when the actual loss was often the majority of the material damages. This is simply not the case in today's world of data loss. So, how do you protect against this? I like to distinguish operational security from organizational security. Securing a corporation requires both operational security and organizational security. At the minimum, organizational security is comprised of:

i) Some kind of oversight or governance;
ii) A formal security plan; and
iii) Progress against that plan.

While the devil is indeed in the details, these three elements typically protect a corporation from its greatest risk. Moreover, it can often be implemented within 30 to 60 days. I often call it the fast track to compliance. With an active oversight program, companies can actually extend their remediation efforts and be more systematic and therefore economical in deploying their operational security. I strongly advocate organizational and operational security programs as joint initiatives.

posted by Joel Rakow, Ed.D. at 9:28 AM

Friday, December 16, 2005

Integrating Physical and Data Security for Money

I continue to bang the drum for integrating physical and data security. It makes too much sense not to.
Not only does it dramatically improve security and make electronic crime much more difficult to perpetrate, it is even inexpensive. Think of the situation in this way: a company with 3,000 employees in three buildings has to issue change orders for every new employee, every departing employee and every employee who relocates within the buildings. This means HR must document the changes, physical security must update its various (one for each building) access control lists, and IT must modify the server configuration. This is 300 change requests times three, 900 per month, assuming 10% of the employees have a change monthly. By the way, I hear that Cisco has 10,000 change requests a day! They manage those requests with 5 people. You know how: they have integrated their systems. Integrating physical access control and computer accounts for our hypothetical corporation will provide a full return on its investment (estimated at $160,000) in 16 months, based on compensation levels in Los Angeles circa 2004. Why isn't this being done across all corporations? I maintain that the obstacle is simply the cultural gap between physical security organizations and the information technology organizations. I spend a good deal of my professional time explaining and showing physical security personnel how to bridge the gap with IT. I identify and describe how to integrate with IT even before the access control systems are integrated. Integrating access control systems and the computer network will produce tremendous gains in both security and productivity. If Cisco can process 10,000 change requests a day with five people, then certainly access control can become the low-level administrative task it should be.

posted by Joel Rakow, Ed.D. at 8:57 AM

Thursday, December 15, 2005

Identity or Transaction

Identity management is one of the most obvious places to focus security attention, but it may not be the most economical.
This is especially true for a large corporation that needs to protect shareholder value and may be the object of attack from dozens of unknown sources. Having said that, identity management has experienced a number of improvements in recent years. I was in the middle of these developments two years ago when I was advising the president of a company that secures communication between the White House and the DOD. This was during the transition between "PKI is too hard to use" and the new approach, which is "wrap PKI in a registration authority software interface." Now, there are a number of identity management solutions that make the process of administering PKI-level identity management as easy as email account administration. Returning to my first point, there are two things to remember: you can never have perfect knowledge of your users' identities, so this will always remain a vulnerability even if it is reduced; and you could have near perfect identity management and still not reduce your company's largest risk. These two facts of life in today's world suggest identity management is not, as I stated at the outset, the most economical security focus. So, what is? I continue to believe it is best to keep the focus on two places and keep it there until it cannot be implemented any better: one, secure the point of the transaction; and two, optimize the three-point implementation of i) maintaining a formal security plan, ii) providing formal governance over that plan, and iii) showing progress against that plan. These two points of focus easily provide the greatest security (especially when cost is considered) a corporation can obtain.

posted by Joel Rakow, Ed.D. at 8:41 AM

Tuesday, December 13, 2005

Disaster Recovery Begs a Context

It is a fact of corporate life in America that a company's biggest risk derives not from the direct impact of a disaster but from the litigation that follows.
Emergency management provides the proper framework for planning disaster recovery and business continuity (DR/BC). This framework defines the continuity from the first instance of an emergency, continuing until the emergency has fully passed and normalcy is restored. Too often disaster recovery is combined with business continuity as though they represent a complete entity. A company should build its DR/BC plan in a framework that distinguishes incidents (breaches in service to the customer), disasters (breaches in service that require replacement of facilities and/or equipment) and crises (breaches that become the focus of the news media). As these different emergencies are distinguished, different emergency response teams are activated. Similarly, the emergency response plan should exist within a governance program. It requires both of these layers, governance and an emergency response plan (including DR/BC), to truly mitigate a company's liability.

posted by Joel Rakow, Ed.D. at 10:16 PM

Sunday, December 11, 2005

When is your IT department an obstacle to security?

It may seem like a funny question, but the IT department is an obstacle to security when they operate under the myth that a high, thick wall keeps the bad guys out. This is a myth because 60 to 80% of all corporate crimes have an insider element; this element can be unwitting or witting. So how do you know if your IT department believes in this myth? Simply listen when an executive asks them: Are we secure? If they answer by saying something along the lines of "Yes, we have a firewall, intrusion detection and virus protection," then indeed they do believe the myth. An electronic crime does not occur as a simple event. It evolves. It begins with the bad guy collecting information from unsuspecting sources. He (or she) then uses that information to create traffic that looks, to your firewall, intrusion systems or perhaps your virus scanners, every bit like valid traffic.
Electronic crime sneaks past the barrier of the "high, thick wall."

posted by Joel Rakow, Ed.D. at 10:16 PM

Friday, December 09, 2005

Integrating Physical and Data Security

Over 15,000 physical access control systems have been sold and installed in US corporations. These systems fully support integration of access control in both physical and logical space; yet, less than a dozen companies have completed this integration. Despite the existence of these systems, the place to start the integration is with the people. Physical security personnel hold many of the key skills. Here is what I recommend:

1. Have physical security lead the risk-based assessment of the company's computer systems. This skill is in their DNA. IT folks almost never conduct risk-based assessments.

2. Have physical security write enforceable policies for change management within IT. IT seldom writes such policies for themselves... and when they do, they seldom write them so that they are readily enforceable.

3. Have physical security provide third-party oversight when key change procedures are performed. Think of data as cash: digital cash. Doing so highlights the need for third-party oversight.

Integrating these three functions is the forerunner of integrating the access control systems. It follows the old IT adage: do not automate broken processes.

posted by Joel Rakow, Ed.D. at 9:58 PM

Wednesday, December 07, 2005

eCrime or Security

I use eCrime because it is a conversation starter. It leads to more questions, more dialog. When the term security is used, people often rely on their image of ex-cops, fences, dogs, kiosks, etc. It stops conversation and questioning. eCrime is a conversation starter. It invites such questions as: How is electronic crime different from physical crime? Why is electronic crime on the rise and physical crime at a plateau? How do physical crime (security) people interact with electronic crime people? These questions are addressed throughout this blog and in Tatum's eCrime practice.
posted by Joel Rakow, Ed.D. at 8:04 AM

Tuesday, December 06, 2005

Cyberbust!

This was the allure that got me into this business: at five thirty on a dark Saturday morning, I led an experienced team in a court-ordered break-in to investigate a number of companies allegedly linked to illegal operations taking place in a single building south of Los Angeles. In this concrete-slab tilt-up building, so typical of California industrial parks, were slightly fewer than a dozen companies providing credit card and bounced check processing services. These companies were spawned from a single company that the State Court had just recently judged to have been stolen, in its entirety, two years before. Two employees with minority shareholdings, it seems, hijacked the hard drive from the server, leaving bogus drives as replacements, thereby taking the clients, the vendors and all future transactions. The majority owner of the original company was left with the existing cash, which was not much, the lease to the building, furniture and little else. He pursued the thieves in the courts for two years, finally receiving a judgment for $24 million and a court order to seize the business to collect evidence of the commingling of assets between the companies. The seizure was foiled because the defendants placed the stolen company into bankruptcy, thereby forcing a change in venue from state to federal court. This bankruptcy was filed, of course, after the most valuable assets were transferred from the bankrupted company to the other legal entities, leaving the owner with a bankrupt company worth far less than his $24 million judgment. This crime is one example of how difficult it is to catch up with cunning thieves who understand the subtleties of electronic forms of data and the law.

posted by Joel Rakow, Ed.D. at 1:25 PM

Tuesday, December 06, 2005

Where is the leadership?

What happens if Bob does not badge in and then someone else accesses Bob's computer and data? Answer: Nothing.
It is not even a security event or alert. This scenario illustrates the fact that there is no connection between physical security and data security in corporations. Here is the punch line: over 15,000 systems have already been sold and installed in corporations in America that enable the integration of physical and data security. Why the disconnect? I believe it is a failure of leadership. There is nothing to prevent physical security people and data security people from working together except for: i) a cultural gap; and ii) the lack of leadership to bridge that gap. When Tatum's eCrime practice is operating at its highest level, we provide that leadership. Our goal is to increase the amount of time we spend operating at that level. In the meantime, we devote ourselves to the blocking and tackling of compliance and operational security.

posted by Joel Rakow, Ed.D. at 11:14 AM

Sunday, December 04, 2005

Making Money with Financial Identities

Here is an example of how financial identities are used in scams to make money for the bad guys:

1. Bad Guy Bob buys 2,000 financial identities for $2 apiece. So, here one person makes $4,000 for a product (the financial identities) that he gets to sell over and over again.

2. Bob then uses one of the identities to get a credit account at Circuit City, where he buys 10 digital cameras for $500 each. This charge, of course, is against someone else, not Bob.

3. Bob has the cameras shipped to one of his re-mailers. He got the re-mailer by posting an advertisement on a telephone pole saying, "Work at home, make $20 per hour."

4. Bob opens a store on eBay advertising brand new, still under warranty cameras, still in the packaging, for sale for only $350. Bob will get a lot of orders for these cameras.

5. Bob sends ten of the orders to his re-mailer and says, "Open the box from Circuit City and send one camera for each of these orders." Bob pays the re-mailer, say, $40 for this work.

Let's do the math.
Bob makes $3,500 for his $2 investment when he uses one of the 2,000 financial identities he had purchased earlier. If he does this same routine 1,999 more times, he will gross $700,000. By the way, Bob could execute this entire scam from outside of the U.S. He could also move the operation (the re-mailers and the Circuit City store) from city to city each month. This scam is a very difficult one to catch up with. It is very lucrative and very low risk. The point of all of this is that with such easy gain and low risk, there is a high level of motivation for bad guys to steal identities. You can bet that the pressure on financial identities will increase for many years to come.

posted by Joel Rakow, Ed.D. at 10:22 PM