Real World Physical-Logical Identity and Access Management

Guy Huntington, Identity Consultant to Boeing, Capital One, Toronto Hydro, shares lessons learned re: converging physical and logical systems

The day is coming when physical security devices become IP-based commodities. Then the big enterprise resource planning vendors like Oracle and SAP, who already own large chunks of the identity management space, start buying physical access system vendors. So logical and physical identities and the systems and processes behind them become ever more converged--owned by a smaller group of bigger companies known for their enterprise focus.

That's the vision of security's future world from Guy Huntington (pictured), a consultant who has implemented identity management solutions for such companies as Boeing, Capital One, Kaiser Permanente and Toronto Hydro. Some of those projects, including Capital One and his most recent work at Toronto Hydro, involved integrating complex physical and logical security and identity management systems from both business and technological perspectives.

Senior producer Sharon J. Watson interviewed Huntington at length for her article "One Person, One Identity, One Credential." What follows is an abridged transcription of their conversation, edited for clarity and length.

Huntington on getting different enterprise layers to buy into converged identity management projects:

If the enterprise doesn't have a chief security officer, it is a hard slog. Because most CIOs I've met don't want to know anything about physical security because they've done it before and think it's a big piece of work--which it is. They don't want to be involved in the security guards and all that. They just tell me that. I tell them, you're in charge of logical security so how are you going to handle an attack from inside? They just give me some sort of b------t answer. So if you don't have a Chief Security Officer inside the enterprise, it's a hard sell.

If that's the case, then I try to slice and dice the enterprise and try to give it to them in little pieces. To the CFO, I'll say, would you like to cut your costs? And of course, they always want to do that. So I'll say one way to do that is to centralize your physical access controls and significantly reduce your labor costs. Using things like Quantum Secure, it's not that hard. You can show them it'll be a revenue neutral investment in the first year and a half. Then it'll be a positive internal rate of return over three or four years. They like that. And you say, as a result, you'll have better security, because you'll have people who will be de-provisioned way faster.

The other thing you can say to CFOs, if they fall under certain regulations, this is really going to cut your costs in doing compliance reporting. You simply hit the button and it'll print the report. So that's what I do with the CFOs.

The facilities guys, it's a harder sell in some respects. They run facilities and look after toilet paper and building maintenance, and there's a lot of turf that comes with physical security. I start with a very simple part of physical security. I ask: How many building keys over the last couple years have been returned? In some enterprises, I find about 30% of the keys are never returned, are lost. A lot of them are master building keys.

Normally, that's a little bit of ammunition. Then I can go back to the CIO and CFO and say, you guys have problems here. You're losing master building keys to some of your facilities that have really sensitive stuff in them. First thing, not only do you have to start thinking about re-keying, which can get expensive, you need some kind of management system that will manage these keys.

That's another way I sneak identity management in... you can tie it to the last paycheck: return the assets before we give you the last paycheck.

On approaches to implementing converged identity management projects:

If I'm going into an enterprise and I have senior management buy in--facilities, purchasing, etc.--I'll put everyone around the table. But often if I go into a large enterprise, it'll take me several months to get everyone to buy in.

So I'll start in bits and bobs. I'll take the facilities people. Let's just quickly centralize the provisioning of your security badges. We'll have one group issue security badges. Then we'll work on your workflow over time. So we'll be able to reduce costs quite quickly, streamline their workflows, and we won't tie that to the central identity management system at all. That's one of my starting points.

Another one is to begin to work on the security side. It all depends on the industry I'm in. If I'm in a critical infrastructure industry where there's regulatory pressure on them to respond or a military defense contractor, it's quite easy to raise the security flags. Then you can come at it from a security perspective. Then you're always looking for relatively quick wins in succession. I might take the feed from several physical security vendors, tie them to a central source and get that done. Basically we can have a central command console just for physical security. Then we can have a separate console in the same area for logical security.

So I try to do them in bits, but have a structured path so I can say to senior management, here is where you are today, this is where you'll be a year from now, this is where you'll be two years from now, here's where you'll be three years from now. I take a crawl-walk-run approach. It works.

On the business processes underlying identity management

Identity management is a process. It's not technology. This is the downfall of most identity management projects. You get a bunch of what I call technoids who are running the project. And they think it's all about the software--they talk about IBM, Oracle, CA, Novell, whomever. Everything is focused on the vendor and the tools.

But identity management is only as good as the processes that underlie it. You need to put in place the business processes that are going to sustain these identities, and then you have to figure out who is going to be the authoritative source for all these identities. That could be a year or two's worth of work in some enterprises; in others, it could be quite simple.

I have to work really hard with the facilities people and the CIO, and I have to put everyone around the table and we have to map out all the identities that walk through the doors. You get window cleaners and delivery people and people who come to mow lawns and fix air conditioning--all this kind of stuff, and it's really complicated figuring out who owns them, who manages the identities, what kind of workflow tools are you going to use to manage all these identities and to quickly deprovision them once they're no longer tied to a contract.

I usually start with, who is paying for these identities? That's usually the authoritative source. When we stop paying Acme, and they're no longer coming into the building, that's the time when we have to terminate their badges for sure. Hopefully we'll have good business processes so that if a workman of Acme has been terminated two months before the contract is terminated, he'll be terminated right away as well.

On the need for centralized enterprise logical/physical security operations monitoring:

What happens is that most sophisticated attackers aren't going to penetrate the firewall. They're going to tailgate into the building, find a network connection, put on devices that give them wireless access and then begin to hack from within the enterprise because most enterprises are like marshmallow once you get behind the firewalls.

That makes it harder, because if you're going to get attacked from inside, then you have to figure out where that attack is coming from physically, and that requires you to have really good physical/logical integration so you can say "we're getting attacked from this server in this room," and we want to look for doors ajar and see who's in the room. That's quite possible if you combine the two....

You basically need to put together the puzzle to do that. That means bringing in the signals from all the physical access control vendors. The next thing to do is then congeal that on a command console, and that could be a Physical Security Information Management (PSIM) system. Then you have to integrate that with your logical security, which is all your other SIMs. It's complicated.

On helping executives visualize security risk

I was at Oblix [acquired by Oracle in 2005] and thinking there had to be a way for non-technical people, senior management and board level, to visualize their security. And I said we need to create products where you can visually slice and dice the enterprise, physically as well as logically, then combine them and show people where your high risk areas are. Show them what kind of security, physical and logical, you have around them.

At the time, that was kind of a pipe dream because there weren't any databases, there weren't any tools that could do that stuff. Well today, that's very possible. It's almost there commercially, but not quite. [Editors' note: See our AlertEnterprise article.]

You can stitch together all your physical access control systems and bring them to a central command console. You have logical security using SIMs, you can do that right away too. There are not really good modeling tools yet where you can combine all these.

On incident management rules and processes

You need to have incident management rules that are going to be built into your software that say, this door is ajar--is that a big deal? If it's a low risk area, the rule says no, I won't report that to the command console, I'll report it to the local security guard.

But then you might say, this door is ajar and we're under attack, that's a different incident, that's definitely going to be reported in real time and we'll send out a security guard immediately to see who's in that room. So it's more than just getting the data, it's how you manage the data and make sense of it. Otherwise, you're going to get all these "doors ajar" at the central command console and it's going to be data overwhelm, and you're going to be sending people out and in the end, they'll tune you out.

On differences between physical security and IT approaches to access

There's a difference in the way physical security people view security and the way IT people view security.

What happens with physical security people is that they're mostly worried about letting someone in the door. So if you tie it to the identity management system, and it's asking if the guy is in Active Directory and if that takes more than a second or two--a second is a long time when you have people coming up to the door. So employees are going to get really p-----d off if they have to sit around and wait.

So what happens in physical access control is that generally, except for high risk security areas which are always an exception, in low to medium risk areas people want to get in the door really quickly. So you talk about availability first, making sure the system's always available to let them through just about immediately, then you worry about confidentiality and integrity. Whereas in IT systems, it's confidentiality, integrity--and then availability. There's a different way of looking at things from a physical security person's point of view, and it's all about process, not about technology.

So it's not just a matter of creating these wonderful interfaces, as Quantum Secure has done, to the physical access control device. It's more important that we focus on the processes of all these thousands or millions of identities and how we're going to track those and modify them and terminate them. You can bring workflow tools to that, but you need all the parties agreeing to it. That is the hardest part of any project--getting people to agree to change their business processes.

On the benefits of a unified enterprise view of physical and logical security

The CFO's just thinking cost and regulatory compliance. The benefits to them are reducing costs through labor because you have all these different people issuing security badges, filling in forms, there are delays, p-----d off employees--or customers....So the CFO's going to look at it from the cost benefit perspective.

There are significant savings to be had in medium enterprises where you run three or four or five or ten or twenty different physical facilities around North America or the world. If you can begin centralizing that, that's going to save a lot of bodies. That's the first benefit.

The second benefit is in terms of the provisioning. It goes back to business processes. If you have good business processes for each of the identities, you can quickly terminate them once they've left. What I find is there's a big rush to get an identity provisioned to get into a certain facility--and there are really crappy processes associated with termination. If they have regulatory compliance [requirements], then you can show where you'll have really good benefits in terms of terminating people and being able to provide regulatory reports quickly and cost effectively.

On compliance regulations driving converged identity management projects

If you read the [North American Electric Reliability Corporation Critical Infrastructure Protection] NERC CIPS stuff, it's exactly where Sarbanes-Oxley was several years ago. They're writing these things up. A lot of consultants are running around critical infrastructure industries and they're putting together these spreadsheets to do all these reports. And at some point in the next year or two, people are going to say, my god, we're spending a lot of money to put these reports together! Because they have to do them every year. That's exactly where Sarbanes-Oxley was. That's exactly what gave the provisioning industry its uplift.

The same thing's going to happen with NERC CIPS. They'll say, we have all these plants, we have all these people coming in and out--we should really automate this. That then is going to drive automation of the physical access control from an enterprise perspective. Because now if you have to report for each facility and do all this work, you're going to have all these people costing a lot of time and money producing these reports, and you don't want to do that.

The other benefit is improved security. It all depends on the industry. If you're in a critical infrastructure industry, it's an easier sell to have the unified security with physical and logical together. If you're in other industries, it's a much harder sell.

On risk assessments and authentication strength charts

The first thing is you have to go through the enterprise and do a risk assessment, and a lot of Fortune 5000 companies don't have good risk assessments for all their applications or their physical security areas. That's a problem.

Then you have to have an authentication strength chart. And in most enterprises I've been in, they don't have authentication strength charts. They don't have the idea of saying this is low authentication, this is medium, this is high authentication. They don't have any way of measuring that. That takes a lot of effort. I go in and create those charts and create ratings.

Let me give you an example. Let's say a user id and password get a score of 10 or 15 out of 100. A digital certificate gets a little bit more--it's not really that much more secure than a user id and password--we'll give that 20 out of 100. Then a user id plus one time password token, we'll give that 25 or 30 out of 100. Then if we combine one-time-password token and password, we'll give that 40 out of 100. Then we have a biometric on its own--maybe that's 20 or 30--if it's a finger swipe, it's not that representative of anyone, it can be easily masqueraded, so we'll give that a 20-30. But if we use a biometric plus an OTP or smartcard, then we'll give that a 50 or 60.

Then you have to take that rating and mesh that against your applications and your physical asset risks. For any of these high risk physical or logical areas, you have to have a score of 70 or higher to get in. Then for medium risk, we'll say 50-70. For low risk, we'll say 20 or above.

I tell CIOs and CFOs: assume that all your user ids and passwords are stolen. There are oodles of ways they'll be obtained. I say, you then have to think, okay, I have to use stronger authentication for anything that's medium or higher risk.

On content management and identities

A lot of email contains a lot of sensitive information. So you have to begin thinking about email and how you'll authenticate that and what kind of email you'll give over time.

What I see is there will be segmentation in some industries. If you have a good identity management system, the next thing to do is to take that and do data classification in the enterprise and then you bring content management to bear and link it to the identities. Now if you have highly sensitive material, the content management system might not let you check that out if you're coming in from email or remotely.

You'll have all these sophisticated systems over the next several years that will figure out where you're coming in from on a logical basis and on a physical basis, it'll say that guy's coming from an address in Russia or China, so I'm not going to allow him to have much on my network. But if he's coming in from New York, I'll let him have more, and if he's coming in from his office, I'll let him have most of it.

On whether and when identity management systems will manage physical security components

If it's a low risk area and people are pouring in the door, hundreds of thousands of people a day, you don't want to stop the door for any reason. You always want to have availability--you want to always let that person in the door. If you tie it to your identity management system and your system goes down or your network slows and people can't get in the door, they're going to be really p-----d off.

That's why at Toronto Hydro, I decided to not let the identity management system do it. I had wanted to build in XACML--eXtensible Access Control Markup Language. We decided not to do that on the first wave. The reason is that I wanted to get identities provisioned and deprovisioned--get the people out of there and remove their security badge access the moment they're terminated.

XACML is the way that in the end, you'll achieve [logical identity management system integration with physical systems]: these doors and locks will be IP-based and then as you get better and better bandwidth, you'll add reliability and you'll have more and more of that done by the [logical] access control management system. That's why I think a lot of these ERP vendors are going to end up buying these physical security companies. It's going to take another five or seven years, but they're going to own the enterprise.

On the commoditization of physical access control systems and physical security components

I told the Tyco people here in Canada, your business is going to change dramatically over the next five to seven years. They said, what do you mean by that? I said, right now you're in the business of selling hardware. All the PACS reps are incented to sell hardware. That's where they make all their money. If you're the manager of a large multinational, they want you to rip out all the competitors' hardware, and replace it with theirs.

That model's not going to work so well in the future.

The first reason is that [their] business is going to become more and more commoditized. They're basically selling cameras and devices that are becoming more and more IP-enabled.

A camera, over time-- not overnight--is going to become a camera that is going to be able to be produced and bought and sold by oodles of different companies. Then you have badge readers. They're going to become IP-based devices. A badge reader will be a badge reader.

The second reason is that their decision makers are going to move, slowly, from facilities managers who control toilet paper budgets and everything else, to CSOs, and CIOs and VPs of IT who are going to be taking over a lot of the physical security decisions. That's bad for [physical access vendors]. What they need to think of is how are they going to value add their services? The danger is they'll start to compete with people they never thought of competing with, like Oracle and IBM and other vendors who are going to move more and more onto their turf.

I don't think they know it at the [physical vendors] senior management levels or they don't have enough customers coming and saying, look, I'm going to change the way I purchase things--yet. But it's going to happen. 

# # #

Query: If you are outside critical infrastructure or an industry dealing with sensitive data, what concrete cost savings and benefits might you nonetheless derive from streamlining physical access systems and converging physical/logical security processes?


Guy Huntington, Identity Consultant to Boeing, Capital One, Toronto Hydro, shares lessons learned re: converging physical and logical systems

The day is coming when physical security devices become IP-based commodities. Then the big enterprise resource planning vendors like Oracle and SAP, who already own large chunks of the identity management space, start buying physical access system vendors. So logical and physical identities and the systems and processes behind them become ever more converged--owned by a smaller group of bigger companies known for their enterprise focus.

That's the vision of security's future world from Guy Huntington (pictured), a consultant who has implemented identity management solutions for such companies as Boeing, Capital One, Kaiser Permanente and Toronto Hydro. Some of those projects, including Capital One and his most recent work at Toronto Hydro, involved integrating complex physical and logical security and identity management systems from both business and technological perspectives.

Senior producer Sharon J. Watson interviewed Huntington at length for her article
"One Person, One Identity, One Credential." What follows is an abridged transcription of their conversation, edited for clarity and length.

Huntington on getting different enterprise layers to buy into converged identity management projects:

guyhunt.jpgIf the enterprise doesn't have a chief security officer, it is a hard slog. Because most CIOs I've met don't want to know anything about physical security because they've done it before and think it's a big piece of work--which it is. They don't want to be involved in the security guards and all that. They just tell me that. I tell them, you're in charge of logical security so how are you going to handle an attack from inside? They just give me some sort of b------t answer. So if you don't have a Chief Security Officer inside the enterprise, it's a hard sell.



If that's the case, then I try to slice and dice the enterprise and try to give it to them in little pieces. To the CFO, I'll say, would you like to cut your costs? And of course, they always want to do that. So I'll say one way to do that is to centralize your physical access controls and significantly reduce your labor costs. Using things like Quantum Secure, it's not that hard. You can show them it'll be a revenue neutral investment in the first year and a half. Then it'll be a positive internal rate of return over three or four years. They like that. And you say, as a result, you'll have better security, because you'll have people who will be de-provisioned way faster.

The other thing you can say to CFOs, if they fall under certain regulations, this is really going to cut your costs in doing compliance reporting. You simply hit the button and it'll print the report. So that's what I do with the CFOs.

The facilities guys, it's a harder sell in some respects. They run facilities and look after toilet paper and building maintenance, and there's a lot of turf that comes with physical security. I start with a very simple part of physical security. I ask: How many building keys over the last couple years have been returned? In some enterprises, I find about 30% of the keys are never returned, are lost. A lot of them are master building keys.

Normally, that's a little bit of ammunition.  Then I can go back to the CIO and CFO and say, you guys have problems here. You're losing master building keys to some of your facilities that have really sensitive stuff in them. First thing, not only do you have to start thinking about re-keying, which can get expensive, you need some kind of management system that will manage these keys.

That's another way I sneak identity management in....you can tie it to the last paycheck: return the assets before we give you the last paycheck.

On approaches to implementing converged identity management projects:

If I'm going into an enterprise and I have senior management buy in--facilities, purchasing, etc.--I'll put everyone around the table. But often if I go into a large enterprise, it'll take me several months to get everyone to buy in.

So I'll start in bits and bobs. I'll take the facilities people. Let's just quickly centralize the provisioning of your security badges. We'll have one group issue security badges. Then we'll work on your workflow over time. So we'll be able to reduce costs quite quickly, streamline their workflows, and we won't tie that to the central identity management system at all. That's one of my starting points.

Another one is to begin to work on the security side. It all depends on the industry I'm in. If I'm in a critical infrastructure industry where there's regulatory pressure on them to respond or a military defense contractor, it's quite easy to raise the security flags. Then you can come at it from a security perspective. Then you're always looking for relatively quick wins in succession. I might take the feed from several physical security vendors, tie them to a central source and get that done. Basically we can have a central command console just for physical security. Then we can have a separate console in the same area for logical security.

So I try to do them in bits, but have a structured path so I can say to senior management, here is where you are today, this is where you'll be a year from now, this is where you'll be two years from now, here's where you'll be three years from now. I take a crawl-walk-run approach. It works.

On the business processes underlying identity management

Identity management is a process. It's not technology. This is the downfall of most identity management projects. You get a bunch of what I call technoids who are running the project. And they think it's all about the software--they talk about IBM, Oracle, CA, Novell, whomever. Everything is focused on the vendor and the tools.

But identity management is only as good as the processes that underlie it. You need to put in place the business processes that are going to sustain these identities, and then you have to figure out who is going to be the authoritative source for all these identities. That could be a year or two's worth of work in some enterprises; in others, it could be quite simple.

I have to work really hard with the facilities people and the CIO, and I have to put everyone around the table and we have to map out all the identities that walk through the doors. You get window cleaners and delivery people and people who come to mow lawns and fix air conditioning--all this kind of stuff, and it's really complicated figuring out who owns them, who manages the identities, what kind of workflow tools are you going to use to manage all these identities and to quickly deprovision them once they're no longer tied to a contract.

I usually start with, who is paying for these identities? That's usually the authoritative source. When we stop paying Acme, and they're no longer coming into the building, that's the time when we have to terminate their badges for sure. Hopefully we'll have good business processes so that if a workman of Acme has been terminated two months before the contract is terminated, he'll be terminated right away as well.

On the need for centralized enterprise logical/physical security operations monitoring:

What happens is that most sophisticated attackers aren't going to penetrate the firewall. They're going to tailgate into the building, find a network connection, put on devices that give them wireless access and then begin to hack from within the enterprise because most enterprises are like marshmallow once you get behind the firewalls.

That makes it harder, because if you're going to get attacked from inside, then you have to figure out where that attack is coming from physically, and that requires you to have really good physical/logical integration so you can say "we're getting attacked from this server in this room," and we want to look for doors ajar and see who's in the room. That's quite possible if you combine the two....

You basically need to put together the puzzle to do that. That means bringing in the signals from all the physical access control vendors. The next thing to do is then congeal that on a command console, and that could be a Physical Security Information Management (PSIM) system. Then you have to integrate that with your logical security, which is all your other SIMs. It's complicated.

On helping executives visualize security risk

I was at Oblix [acquired by Oracle in 2005] and thinking there had to be a way for non-technical people, senior management and board level, to visualize their security. And I said we need to create products where you can visually slice and dice the enterprise, physically as well as logically, then combine them and show people where your high risk areas are. Show them what kind of security, physical and logical, you have around them.

At the time, that was kind of a pipe dream because there weren't any databases, there weren't any tools that could do that stuff. Well today, that's very possible. It's almost there commercially, but not quite. [Editors' note: See our AlertEnterprise article.]

You can stitch together all your physical access control systems and bring them to a central command console. You have logical security using SIMS, you can do that right away too. There are not really good modeling tools yet where you can combine all these.

On incident management rules and processes

You need to have incident management rules that are going to be built into your software that say, this door is ajar--is that a big deal? If it's a low risk area, the rule says no, I won't report that to the command console, I'll report it to the local security guard.

But then you might say, this door is ajar and we're under attack, that's a different incident, that's definitely going to be reported in real time and we'll send out a security guard immediately to see who's in that room. So it's more than just getting the data, it's how you manage the data and make sense of it. Otherwise, you're going to get all these "doors ajar" at the central command console and it's going to be data overwhelm, and you're going to be sending people out and in the end, they'll tune you out.

On differences between physical security and IT approaches to access

There's a difference in the way physical security people view security and the way IT people view security.

What happens with physical security people is that they're mostly worried about letting someone in the door. So if you tie to the identity management system, and it's asking if the guy is in Active Directory and if that takes more than a second or two--a second is a long time when you have people coming up to the door. So employees are going to get really p-----d off if they have to sit around and wait.

So what happens in physical access control is that generally, except for high risk security areas which are always an exception, in low to medium risk areas people want to get in the door really quickly. So you talk about availability first, making sure the system's always available to let them through just about immediately, then you worry about confidentiality and integrity. Whereas in IT systems, it's confidentiality, integrity--and then availability. There's a different way of looking at things from a physical security person's point of view, and it's all about process, not about technology.

So it's not just a matter of creating these wonderful interfaces, as Quantum Secure has done, to the physical access control device. It's more important that we focus on the processes of all these thousands or millions of identities and how we're going to track those and modify them and terminate them. You can bring workflow tools to that, but you need all the parties agreeing to it. That is the hardest part of any project--getting people to agree to change their business processes.

On the benefits of a unified enterprise view of physical and logical security

The CFO's just thinking cost and regulatory compliance. The benefits to them are reducing costs through labor because you have all these different people issuing security badges, filling in forms, there are delays, p-----d off employees--or customers.... So the CFO's going to look at it from the cost benefit perspective.

There are significant savings to be had in medium enterprises where you run three or four or five or ten or twenty different physical facilities around North America or the world. If you can begin centralizing that, that's going to save a lot of bodies. That's the first benefit.

The second benefit is in terms of the provisioning. It goes back to business processes. If you have good business processes for each of the identities, you can quickly terminate them once they've left. What I find is there's a big rush to get an identity provisioned to get into a certain facility--and there are really crappy processes associated with termination. If they have regulatory compliance [requirements], then you can show where you'll have really good benefits in terms of terminating people and being able to provide regulatory reports quickly and cost effectively.

On compliance regulations driving converged identity management projects

If you read the [North American Energy Reliability Corporation Critical Infrastructure Points] NERC CIPS stuff, it's exactly where Sarbanes-Oxley was several years ago. They're writing these things up. A lot of consultants are running around critical infrastructure industries and they're putting together these spreadsheets to do all these reports. And at some point in the next year or two, people are going to say, my god, we're spending a lot of money to put these reports together! Because they have to do them every year. That's exactly where Sarbanes-Oxley was. That's exactly what gave the provisioning industry its uplift.

The same thing's going to happen with NERC CIPS. They'll say, we have all these plants, we have all these people coming in and out--we should really automate this. That then is going to drive automation of the physical access control from an enterprise perspective. Because now if you have to report for each facility and do all this work, you're going to have all these people costing a lot of time and money producing these reports, and you don't want to do that.

The other benefit is improved security. It all depends on the industry. If you're in a critical infrastructure industry, it's an easier sell to have the unified security with physical and logical together. If you're in other industries, it's a much harder sell.

On risk assessments and authentication strength charts

The first thing is you have to go through the enterprise and do a risk assessment, and a lot of Fortune 5000 companies don't have good risk assessments for all their applications or their physical security areas. That's a problem.

Then you have to have an authentication strength chart. And in most enterprises I've been in, they don't have authentication strength charts. They don't have the idea of saying this is low authentication, this is medium, this is high authentication. They don't have any way of measuring that. That takes a lot of effort. I go in and create those charts and create ratings.

Let me give you an example. Let's say a user id and password get a score of 10 or 15 out of 100. A digital certificate gets a little bit more--it's not really that much more secure than a user id and password--we'll give that 20 out of 100. Then a user id plus one time password token, we'll give that 25 or 30 out of 100. Then if we combine one-time-password token and password, we'll give that 40 out of 100. Then we have a biometric on its own--maybe that's 20 or 30--if it's a finger swipe, it's not that representative of anyone, it can be easily masqueraded, so we'll give that a 20-30. But if we use a biometric plus an OTP or smartcard, then we'll give that a 50 or 60.

Then you have to take that rating and mesh that against your applications and your physical asset risks. For any of these high risk physical or logical areas, you have to have a score of 70 or higher to get in. Then for medium risk, we'll say 50-70. From low risk, we'll say 20 or above.

I tell CIOs and CFOs: assume that all your user ids and passwords are stolen. There are oodles of ways they'll be obtained. I say, you then have to think, okay, I have to use stronger authentication for anything that's medium or higher risk.

On content management and identities

A lot of email contains a lot of sensitive information. So you have to begin thinking about email and how you'll authenticate that and what kind of email you'll give over time.

What I see is there will be segmentation in some industries. If you have a good identity management system, the next thing to do is to take that and do data classification in the enterprise and then you bring content management to bear and link it to the identities. Now if you have highly sensitive material, the content management system might not let you check that out if you're coming in from email or remotely.

You'll have all these sophisticated systems over the next several years that will figure out where you're coming in from on a logical basis and on a physical basis, it'll say that guy's coming from an address in Russia or China, so I'm not going to allow him to have much on my network. But if he's coming in from New York, I'll let him have more, and if he's coming in from his office, I'll let him have most of it.

On whether and when identity management systems will manage physical security components

If it's a low risk area and people are pouring in the door, hundreds of thousands of people a day, you don't want to stop the door for any reason. You always want to have availability--you want to always let that person in the door. If you tie it to your identity management system and your system goes down or your network slows and people can't get in the door, they're going to be really p-----d off.

That's why at Toronto Hydro, I decided to not let the identity management system do it. I had wanted to build in XACML --eXtensible Access Control Markup Language. We decided not to do that on the first wave. The reason is that I wanted to get identities provisioned and deprovisioned--get the people out of there and remove their security badge access the moment they're terminated.

XACML is the way that in the end, you'll achieve [logical identity management system integration with physical systems]: these doors and locks will be IP-based and then as you get better and better bandwidth, you'll add reliability and you'll have more and more of that done by the [logical] access control management system. That's why I think a lot of these ERP vendors are going to end up buying these physical security companies. It's going to take another five or seven years, but they're going to own the enterprise.

On the commoditization of physical access control systems and physical security components

I told the Tyco people here in Canada, your business is going to change dramatically over the next five to seven years. They said, what do you mean by that? I said, right now you're in the business of selling hardware. All the PACS reps are incented to sell hardware. That's where they make all their money. If you're the manager of a large multinational, they want you to rip out all the competitors' hardware, and replace it with theirs.

That model's not going to work so well in the future.

The first reason is that [their] business is going to become more and more commoditized. They're basically selling cameras and devices that are becoming more and more IP-enabled.

A camera, over time--not overnight--is going to become a camera that is going to be able to be produced and bought and sold by oodles of different companies. Then you have badge readers. They're going to become IP-based devices. A badge reader will be a badge reader.

The second reason is that their decision makers are going to move, slowly, from facilities managers who control toilet paper budgets and everything else, to CSOs, and CIOs and VPs of IT who are going to be taking over a lot of the physical security decisions. That's bad for [physical access vendors]. What they need to think of is how are they going to value add their services? The danger is they'll start to compete with people they never thought of competing with, like Oracle and IBM and other vendors who are going to move more and more onto their turf.

I don't think they know it at the [physical vendors'] senior management levels or they don't have enough customers coming and saying, look, I'm going to change the way I purchase things--yet. But it's going to happen.

# # #

Query: If you are outside a critical infrastructure or industry dealing with sensitive data, what concrete cost savings and benefits might you nonetheless derive from streamlining physical access systems and converging physical/logical security processes?
