When Security Data Becomes Business Intelligence: Quantum Secure on Analytics


Getting More than Security from Converged Physical/Logical Identities

When we started research for a story about centralizing physical and logical security, our queries were primarily about what it takes to create a real-time operations center that encompasses physical and logical systems. It soon became clear that it's more accurate to refer to "physical and logical event data." Converging that data into intelligence that security professionals can act on immediately is still a critical (and for many enterprises, an elusive) goal. Yet it's possible there's even more value in that converged data when it can be used to serve the larger business objectives of the enterprise.

That's the theme that Vik Ghai, CTO at Quantum Secure, sounded in his conversation with Sharon J. Watson late last month. Quantum Secure offers a physical identity management solution through its SAFE technology suite, which now incorporates an executive analytics reporting tool. The company links physical identities with authoritative logical identities, enabling clients to have a simplified, yet comprehensive view of the identities and their activities within the enterprise.

Ghai spoke of the importance of cleaning up the "transactional" business of security--while always recognizing the possibility of mining transactions in the aggregate to collect intelligence that goes beyond security objectives.  What follows is an abridged version of our conversation, edited for length and clarity.

*******************
Vik Ghai on the need for a solid identity management foundation for converging physical and logical event data for business uses

The building block to this portal or dashboard of intelligence is in fact the unified view... that you have identity management at the physical and IT level in one place so you are able to tie in that credential whether they are the person logging in or a badge swiping in...you need to have some policies and correlation between user IDs and badge IDs.

A lot of what we have done so far is automating physical access provisioning based on IT or HR on-boarding and off-boarding and vice versa. Changes happening on the physical security level reconcile with IT access. Initially the goal was primarily to streamline security. Intelligence is really a derivative of that.

[Intelligence] appeals to the broader enterprise [more] than the [unified identity]. The first appeals to the IT and physical security department, and it's extremely valuable to them. The value is reduction of costs because they are not manually trying to figure out this information. Take a national consulting firm with eight different facilities on the West Coast and eight different access cards and eight different access control systems a person is going in and out of, and they're going to client sites and they have access cards from there. It's just a mess for an auditor going through all this, especially the different cards. But streamlined into one card, one identity regardless of the underlying infrastructure, that's a lot of cost savings there.

But now you know about events happening across all systems, locations, who is going where, the usage component, and that adds up into what we collectively get intelligence out of. We're getting the raw data and turning it into intelligence for both security and non-security organizations.

On achieving a truly unified view of physical and logical security events:

That's the Holy Grail, everybody wants that. But the next question from the business executive or business unit leader, the CFO, is: What does that get me?  What does that get us that's not provided otherwise?

We have found the most benefit is really converging the physical security department or the IT security department with the rest of the enterprise. The story is converging the business with security.

We're getting a very mature customer base. They've been running our system for three years... converging their logical and physical [data]...and that's very transactional.  Data changes in one system, identity changes in one system, affect people's access levels to a door. Compliance certification to the DEA changes access controls to materials in a pharmaceutical plant automatically. That's transactional.

They've been running these systems, and say they are working out great--we have a unified view of an identity--but what I want to get from this information is: I want to know facility usage and occupancy across 900 of my buildings. Give me converged information. What are the specific parameters that will help me as an executive make a decision about collaborating with my marketing team and product team? What is the interaction level today based on where they are geographically situated? If I move them into a certain area, can I realistically do it without blowing our budget?

They want security data to give them business intelligence. They want to figure out the transient population that has visited the facility. In our instance, some of the data we provide to companies, they've actually gone out and made smaller cubicles, being able to accommodate their transient population based on the data monitored in real time.

On making data accessible and intelligible to non-security users:

This data is put into our dashboard and it is accessible-- we can give you the stock ticker tape of the building usage: show me the usage in time, show me what's happened over the last six months, show me trends in buildings that marketing uses versus the buildings engineering uses. People look at that and say the engineering office is a lot more occupied but at the same time, how many people are involved in that building at any given point in time....

Collectively you're giving one portal. The primary users for it are non-security people as much as security personnel. The reason I bring that up is that's the convergence of the security department with the rest of the business. At an analytical level, there's the strategic view.

The security guard has little use for that data, it's not their job, but the security director or facilities administrator or in some cases the business user or the line of business manager, they understand how this facility is getting utilized. They are taking our data and running with it, doing cost per square feet analysis, cost per different sites. They go from Milan to Paris to San Jose to a site in Shanghai.... The security data is the intelligence system strategic to that.

Use cases for analyzing security data for furthering business ends:


A lot of that has to do with where the economy is. We recently visited a big telecom company in Sweden, globally they have 2100 locations. The real estate person knows each of those locations cost a lot of money to operate, and so does the business. Now they are asking the security person not just if these locations are secured but asking, 'Do we really need them? Can you give me a list of the most utilized or most under-utilized locations in the world?' And they can't answer. To do this kind of analysis in every system is impossible. It would take some nine months to gather the data, another probably 18 months to analyze it.

The first thing we did was some benchmarking. Site A is utilized a lot more than site B. What's the business impact of that? What is the business impact of moving people from the underutilized site? That is not a decision security or facilities can make on its own. But the security data becomes the most valuable piece, showing a network engineer in Stockholm visited locations in London most often because that's where their projects were running.

From the real estate folks, what they want to do is rearrange some of those relationships, give that employee a permanent office in London, give him a satellite office in Stockholm. If they can make such changes across 2100 locations, they can basically operate the sites differently, and they can try leasing out some of the sites they currently own.

On how analytics applied to security data can help assess business system performance requirements

Somebody looks at the data from Quantum and asks, 'When are people really accessing our corporate systems?' Then they looked at some of the usage data to figure out when they need the most performance from their IT systems.

I give you this example: the IT help desk needs to be staffed in the average company 24 x 7. They looked at some of the analytics data we provided on building usage and made decisions on when they're going to staff their IT help desk. So now they analyze when typically people show up to their desks, and that could be different for different departments: they could be salespersons coming in first thing in the morning, and your product and other teams may come into their area at 10 in the morning and then work late into the evening. Based on these evaluations, they know what kind of help desk people to staff and what time of the day they need to double the amount of people.

If you didn't have the convergence, it would be all separate decision-making. You would be looking at only when people were calling in and making a decision based on that and not really correlating other things happening in your enterprise.
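The utilization questions Ghai raises in the two sections above (which sites are under-used relative to their capacity, who is transient at a site, and when each department is actually at its desks so the help desk can be staffed to match) come down to a few passes over reconciled badge events. The Python below is an added example for this page, not Quantum Secure's SAFE code; the badge events, site capacities, field names and department labels are constructed, and it assumes badge IDs have already been correlated to user IDs and departments in the unified identity store.

```python
"""Facility-utilization analytics over converged badge events.

Added example for this page; constructed data and hypothetical field names,
not Quantum Secure's SAFE code.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (timestamp, site, identity, department, direction).
# Assumes badge IDs have already been reconciled to user IDs and departments.
BADGE_EVENTS = [
    ("2010-03-01T08:02", "Stockholm", "u1", "sales", "in"),
    ("2010-03-01T17:10", "Stockholm", "u1", "sales", "out"),
    ("2010-03-01T10:05", "London", "u2", "engineering", "in"),
    ("2010-03-01T20:30", "London", "u2", "engineering", "out"),
    ("2010-03-01T10:15", "London", "u3", "engineering", "in"),
    ("2010-03-01T19:45", "London", "u3", "engineering", "out"),
    ("2010-03-02T08:10", "Stockholm", "u1", "sales", "in"),
    ("2010-03-02T16:55", "Stockholm", "u1", "sales", "out"),
    ("2010-03-02T09:58", "London", "u2", "engineering", "in"),
    ("2010-03-02T21:00", "London", "u2", "engineering", "out"),
    ("2010-03-02T10:40", "London", "u4", "engineering", "in"),
    ("2010-03-02T18:00", "London", "u4", "engineering", "out"),
    ("2010-03-02T09:00", "Paris", "u5", "marketing", "in"),
    ("2010-03-02T12:00", "Paris", "u5", "marketing", "out"),
    ("2010-03-03T09:30", "London", "u1", "sales", "in"),   # u1 visiting London
    ("2010-03-03T15:00", "London", "u1", "sales", "out"),
]

# Hypothetical desk capacity per site, as the real-estate system would hold it.
CAPACITY = {"Stockholm": 10, "London": 4, "Paris": 20}


def parse_events(rows):
    """Turn raw tuples into dicts carrying a datetime, sorted by time."""
    evs = [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"), "site": s,
            "who": w, "dept": d, "dir": dr} for ts, s, w, d, dr in rows]
    return sorted(evs, key=lambda e: e["ts"])


def presence_intervals(events):
    """Pair each identity's badge-in with its next badge-out on the same day.
    Yields (identity, dept, site, date, in_hour, out_hour). An 'in' with no
    matching 'out' (tailgated out, lost card) is dropped rather than guessed."""
    open_in = {}
    for e in events:
        key = (e["who"], e["ts"].date())
        if e["dir"] == "in":
            open_in[key] = e
        elif key in open_in:
            i = open_in.pop(key)
            yield (e["who"], e["dept"], i["site"], e["ts"].date(),
                   i["ts"].hour, e["ts"].hour)


def site_utilization(events, capacity):
    """Average daily distinct badge-holders per site over the whole window
    (days with no events count as zero), divided by desk capacity.
    Returned ascending, so the most under-utilized site comes first."""
    days = (events[-1]["ts"].date() - events[0]["ts"].date()).days + 1
    per_site_day = defaultdict(set)
    for e in events:
        per_site_day[(e["site"], e["ts"].date())].add(e["who"])
    totals = Counter()
    for (site, _), people in per_site_day.items():
        totals[site] += len(people)
    util = {site: totals[site] / days / capacity[site] for site in capacity}
    return sorted(util.items(), key=lambda kv: kv[1])


def transient_visitors(events):
    """Per site, the identities seen there whose home site (the one they badge
    into most often) is somewhere else: the 'transient population'."""
    visits = defaultdict(Counter)
    for who, _, site, _, _, _ in presence_intervals(events):
        visits[who][site] += 1
    home = {who: c.most_common(1)[0][0] for who, c in visits.items()}
    out = defaultdict(set)
    for e in events:
        if e["site"] != home.get(e["who"]):
            out[e["site"]].add(e["who"])
    return dict(out)


def presence_profile(events):
    """Per department, how many people were on site in each hour of the day,
    summed over the window: the 'when do they show up and leave' view."""
    prof = defaultdict(Counter)
    for _, dept, _, _, h_in, h_out in presence_intervals(events):
        for h in range(h_in, h_out + 1):
            prof[dept][h] += 1
    return prof


def peak_hours(profile):
    """Hours carrying the department's maximum head-count; staff the help desk there."""
    top = max(profile.values())
    return sorted(h for h, n in profile.items() if n == top)
```

On this sample the engineering team peaks at 10:00 through 18:00 while sales peaks at 09:00 through 15:00, which is exactly the kind of per-department difference Ghai says drives help-desk staffing. Ranking sites by utilization answers the real-estate question from the previous section; the transient-visitor set is the input to the cubicle decision he describes.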

On the impact of globalization on managing security in locations around the world based on merged event data:

....You need intelligence to even make budgeting decisions. So the other part of our security intelligence is giving security managers an understanding of alarm data over a period of time so they can understand what the trouble spots are in their security footprint.

There's a simple report that our system provides today--top sensor alarms over the last six months across the globe. Their view of the world is, 'I don't care whether it's a GE system, Lenel system, Honeywell, I just want to know the trouble spots, give me normalized data, and I want to know for those top 10 sensors what can we do. How much can we train our personnel in these remote locations?'

They want to put some best practices in for responding to that alarm, and they want to see [data] after putting in those best practices. Some alarms are false because the door contact panel is misbehaving, some are false because nobody in the building in Shanghai told employees not to use the door during off hours, you need a big yellow sign in three different languages to reduce those false alarms. No amount of engineering will fix it.

Another very common one is certain alarms are only showing up when the janitor does because he uses a key to go through the door, not a card. They maybe even went out to replace the door, because they were looking at fixing the engineering part of the problem not the human side. But somebody has to give you the analytics to say this alarm only happens between the hours of 9:30 PM and 11:30 PM, Tuesdays and Wednesdays, that's when that person works. Sometimes one simple door alarm will create three separate sensor alarms because three different sensors went off, so now [local] security people inundated with the alarms can't figure out the right thing. But this person sitting in San Jose can visualize the trend.
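The alarm analytics Ghai describes above have three parts: normalizing alarms from different vendors' panels onto one schema, ranking the noisiest doors over a window, and looking at when a given door alarms so a human pattern (the janitor using a key on Tuesday and Wednesday nights) stands out; collapsing the three sensors that fire on one door event into a single incident keeps the ranking honest. The Python below is an added example for this page, not Quantum Secure's SAFE reporting; the three vendor record formats, door and sensor names, and the alarms themselves are constructed.

```python
"""Alarm-trend analytics over normalized, multi-vendor physical-security alarms.

Added example for this page, not Quantum Secure's SAFE code. Vendor formats,
door IDs, sensor names and the alarms are all constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Three hypothetical panel export formats. Only the shape matters here.
RAW_ALARMS = [
    # Vendor A: one door contact on a Shanghai back door, firing off-hours.
    {"vendor": "A", "PanelTime": "2010-02-02 21:40:00", "DoorId": "SHA-1F-BACK", "Sensor": "DC-1", "AlarmType": "DOOR_FORCED"},
    {"vendor": "A", "PanelTime": "2010-02-03 22:15:00", "DoorId": "SHA-1F-BACK", "Sensor": "DC-1", "AlarmType": "DOOR_FORCED"},
    {"vendor": "A", "PanelTime": "2010-02-09 21:55:00", "DoorId": "SHA-1F-BACK", "Sensor": "DC-1", "AlarmType": "DOOR_FORCED"},
    {"vendor": "A", "PanelTime": "2010-02-10 23:05:00", "DoorId": "SHA-1F-BACK", "Sensor": "DC-1", "AlarmType": "DOOR_FORCED"},
    {"vendor": "A", "PanelTime": "2010-02-16 22:30:00", "DoorId": "SHA-1F-BACK", "Sensor": "DC-1", "AlarmType": "DOOR_FORCED"},
    # Vendor B: three sensors on one San Jose server-room door trip within seconds.
    {"vendor": "B", "when": "04/02/2010 14:00:01", "door": "SJC-2F-SRV", "sensor": "DC-7", "code": "DF"},
    {"vendor": "B", "when": "04/02/2010 14:00:03", "door": "SJC-2F-SRV", "sensor": "REX-7", "code": "DA"},
    {"vendor": "B", "when": "04/02/2010 14:00:04", "door": "SJC-2F-SRV", "sensor": "MAG-7", "code": "DF"},
    {"vendor": "B", "when": "04/02/2010 16:30:00", "door": "SJC-2F-SRV", "sensor": "REX-7", "code": "DA"},
    # Vendor C: compact timestamps; a London fire door held open once.
    {"vendor": "C", "t": "20100205091200", "id": "LON-4F-FIRE", "sens": "DC-2", "ev": "ajar"},
]

VENDOR_B_CODES = {"DF": "door_forced", "DA": "door_ajar"}
WINDOW_START = datetime(2010, 2, 1)  # start of the reporting window (constructed)


def normalize(raw):
    """Map one vendor's record onto the common schema: ts, site, door, sensor, kind."""
    v = raw["vendor"]
    if v == "A":
        ts = datetime.strptime(raw["PanelTime"], "%Y-%m-%d %H:%M:%S")
        door, sensor, kind = raw["DoorId"], raw["Sensor"], raw["AlarmType"].lower()
    elif v == "B":
        ts = datetime.strptime(raw["when"], "%d/%m/%Y %H:%M:%S")
        door, sensor = raw["door"], raw["sensor"]
        kind = VENDOR_B_CODES.get(raw["code"], "other")
    elif v == "C":
        ts = datetime.strptime(raw["t"], "%Y%m%d%H%M%S")
        door, sensor = raw["id"], raw["sens"]
        kind = {"ajar": "door_ajar", "forced": "door_forced"}.get(raw["ev"], "other")
    else:
        raise ValueError(f"unknown vendor {v!r}")
    # Site is the door ID prefix in this constructed naming scheme.
    return {"ts": ts, "site": door.split("-")[0], "door": door,
            "sensor": sensor, "kind": kind}


def collapse_bursts(alarms, window=timedelta(seconds=30)):
    """Fold alarms on the same door that arrive within `window` of the previous
    one into a single incident, so three sensors on one door event count once."""
    incidents = []
    for a in sorted(alarms, key=lambda a: (a["door"], a["ts"])):
        last = incidents[-1] if incidents else None
        if last and last["door"] == a["door"] and a["ts"] - last["end"] <= window:
            last["end"] = a["ts"]
            last["sensors"].add(a["sensor"])
            last["kinds"].add(a["kind"])
            last["raw"] += 1
        else:
            incidents.append({"door": a["door"], "site": a["site"], "start": a["ts"],
                              "end": a["ts"], "sensors": {a["sensor"]},
                              "kinds": {a["kind"]}, "raw": 1})
    return incidents


def top_doors(records, since, n=10):
    """Noisiest doors since `since`, vendor-agnostic. Accepts raw normalized
    alarms (keyed by 'ts') or collapsed incidents (keyed by 'start')."""
    c = Counter(r["door"] for r in records if r.get("ts", r.get("start")) >= since)
    return c.most_common(n)


WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def time_of_week_pattern(alarms, door):
    """Weekdays and hour span that contain every alarm on `door`: the view
    that turns 'this door keeps forcing' into 'only Tue/Wed, 21:00-23:00'."""
    hits = [a["ts"] for a in alarms if a["door"] == door]
    if not hits:
        return None
    days = sorted({t.weekday() for t in hits})
    return {"weekdays": [WEEKDAYS[d] for d in days],
            "hours": (min(t.hour for t in hits), max(t.hour for t in hits)),
            "count": len(hits)}


if __name__ == "__main__":
    alarms = [normalize(r) for r in RAW_ALARMS]
    print("raw      :", top_doors(alarms, WINDOW_START, 3))
    print("collapsed:", top_doors(collapse_bursts(alarms), WINDOW_START, 3))
    print("SHA-1F-BACK:", time_of_week_pattern(alarms, "SHA-1F-BACK"))
```

On the constructed data the San Jose door drops from four raw alarms to two incidents once the burst is collapsed, and the Shanghai door's profile comes back as Tuesdays and Wednesdays between 21:00 and 23:00, which is the pattern Ghai says points at a person and a schedule rather than a faulty door.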

On correlating the physical and logical event data necessary to identify a security threat:

Let me give you a real example of exactly this situation. A big telecom company out of the UK is using Quantum...they have been able to correlate that if eight servers went off-line immediately, and they had a door forced open within that same minute, they would cause an event. That's the kind of intelligence for which security people are extremely excited. It's both intelligence, and at the same time, it's really more data correlation than anything else. If more than N number of devices go off-line and at the same time there's any other physical security alarm, no matter what it is--an intrusion, door forced, door ajar, whatever--being able to notify an operations center immediately to send a guard patrol because eight devices going off-line in a network room would certainly be a planned act. That would immediately send an alert to the network operations center. For a telecom company even one server going down means 16,000 people don't have DSL access. That's a lot of angry phone calls.

Some of the thresholds are picked up by the system in itself, such as how many devices versus how many alarms. The building blocks that make it work are the policy correlation and thresholds between the policies that say a door ajar alarm on its own wouldn't need a guard dispatch...a door ajar alarm with two other thresholds being met on the IT side creates the need for a dispatch.

The [correlation policies and rules] absolutely live in the SAFE system.  What we have seen is that companies have HP OpenView or IBM Tivoli on the IT side. We can very easily connect and subscribe to certain of those thresholds. They all primarily provide for IT intrusion detection and monitoring so in some circumstances, some things would be an event for them but not an alarm because only one threshold of six was tripped.  It's only an alarm for them if something else happens on the IT side....

Once the thresholds are observed on both the ends by the respective systems...you need some sort of glue in the middle almost like a referee so you're not just dumping data to my system and vice versa. If the IT system wants to look at this as an alarm and vice versa, they want this information to be analyzed, correlated, validated by some system in the middle that's typically like a Quantum system before they would absorb it and take action on it. Because otherwise it's raw data, it's too much raw data, I don't know what to do with it if you send me 44 door ajar alarms for one person walking through the door.

What we are doing is correlating that event and in some cases we are sending back to that IT system an alarm now for potential breaches, a physical security breach for that area. So they may start monitoring all of the routers in that area on a more advanced basis, pinging them every second instead of once every minute.
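The correlation Ghai walks through in this section (N devices off-line in a room plus any physical alarm on that room within the same minute means a guard dispatch, a door-ajar alarm alone is just logged, and a suspected physical breach is fed back to the IT side so it tightens polling on that area) is a small rule over two event streams keyed on location and time. The Python below is an added example for this page, not Quantum Secure's SAFE rule engine; the IT events, physical alarms, room names, thresholds and the actions per alarm kind are constructed, and the policy itself (ajar alone logs, forced alone opens a ticket, threshold met dispatches) is assumed for illustration.

```python
"""Cross-domain correlation of IT device-offline events with physical alarms.

Added example for this page, not Quantum Secure's SAFE code. Events, rooms,
thresholds and the action table are constructed.
"""
from datetime import datetime, timedelta

# Assumed policy: a door-ajar alarm on its own is only logged, a forced door on
# its own opens a ticket, and any physical alarm on a room in which at least
# DEVICE_THRESHOLD devices went off-line within WINDOW of it dispatches a guard
# and tells the NOC to tighten polling on that room.
DEVICE_THRESHOLD = 8
WINDOW = timedelta(minutes=1)
ALONE_ACTION = {"door_ajar": "log", "door_forced": "ticket", "intrusion": "ticket"}


def offline_burst(room, start, count, step_s=5):
    """Constructed IT monitoring events: `count` devices in `room` reported
    off-line `step_s` seconds apart, starting at `start`."""
    return [{"ts": start + timedelta(seconds=i * step_s), "room": room,
             "device": f"{room}-sw{i + 1}", "state": "offline"} for i in range(count)]


IT_EVENTS = (offline_burst("LON-3F-NETROOM", datetime(2010, 2, 4, 2, 13, 5), 8)
             + offline_burst("STO-1F-NETROOM", datetime(2010, 2, 5, 3, 0, 0), 2))

# Constructed physical alarms, already normalized to room + kind.
PHYS_ALARMS = [
    {"ts": datetime(2010, 2, 4, 2, 13, 20), "room": "LON-3F-NETROOM", "door": "LON-3F-NETROOM-D1", "kind": "door_forced"},
    {"ts": datetime(2010, 2, 4, 2, 13, 25), "room": "LON-2F-OFFICE", "door": "LON-2F-OFFICE-D4", "kind": "door_forced"},
    {"ts": datetime(2010, 2, 4, 10, 0, 0), "room": "LON-2F-OFFICE", "door": "LON-2F-OFFICE-D2", "kind": "door_ajar"},
    {"ts": datetime(2010, 2, 5, 3, 0, 5), "room": "STO-1F-NETROOM", "door": "STO-1F-NETROOM-D1", "kind": "door_forced"},
]


def devices_offline_near(it_events, room, when, window=WINDOW):
    """Distinct devices in `room` reported off-line within `window` of `when`.
    Keying on the room is what stops an outage on floor 3 from escalating a
    forced door on floor 2."""
    return sorted({e["device"] for e in it_events
                   if e["room"] == room and e["state"] == "offline"
                   and abs(e["ts"] - when) <= window})


def correlate(it_events, phys_alarms, threshold=DEVICE_THRESHOLD):
    """Decide one action per physical alarm, using the IT side as context.
    The alarm is the trigger; the IT threshold only raises its severity."""
    decisions = []
    for a in phys_alarms:
        down = devices_offline_near(it_events, a["room"], a["ts"])
        if len(down) >= threshold:
            action = "dispatch"
        else:
            action = ALONE_ACTION.get(a["kind"], "ticket")
        decisions.append({"ts": a["ts"], "room": a["room"], "door": a["door"],
                          "kind": a["kind"], "devices_down": down, "action": action})
    return decisions


def feedback_to_it(decisions, tight_poll_s=1):
    """What is pushed back to the IT monitoring system: rooms with a suspected
    physical breach, to be polled every second instead of once a minute."""
    return {d["room"]: tight_poll_s for d in decisions if d["action"] == "dispatch"}


if __name__ == "__main__":
    decisions = correlate(IT_EVENTS, PHYS_ALARMS)
    for d in decisions:
        print(d["ts"], d["room"], d["kind"], len(d["devices_down"]), "down ->", d["action"])
    print("tighten polling:", feedback_to_it(decisions))
```

The forced door on the London network room, with eight switches down in the same minute, is the only alarm that dispatches; the forced door on the office floor five seconds later gets a ticket because the outage is in a different room, the ajar alarm is logged, and the Stockholm forced door with two devices down stays below the threshold. The polling feedback is the "send back to that IT system an alarm" step Ghai describes, reduced to a room-to-interval map the IT side can apply.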

On the need for--and lack of--security metrics meaningful to the enterprise at large

I personally come from a manufacturing background, in business applications like SAP. Generically, in all of these domains, whether you think of enterprise systems or manufacturing, everything happens based on a metric for that day or that month or that year. Literally in an enterprise system, it's number of clients in the pipeline, the metrics on receivables ratios. It's all about efficiencies, about individual parts, the machinery, the output per warehouse, trade in and freight out.

I've been in this security industry for five years and am still figuring out there are no seven or eight metrics that define the security organization. It's still 'my operation is as good as the number of events I've seen in my environment in the last one year, some that I have control over, like fencing in the right place, and some I don't have control over, like an employee having an event.' That's the only thing I have seen people measure.

When you talk about intelligence, at the end of the day it's all about some metrics. When you look at just the enterprise, CFOs get hired and fired because of the metrics they're managing....What we see in this analytics, we call it security intelligence, it's very akin to the business intelligence or analytics in the business world.

We are seeing these metrics as a way for them to speak the business language. One customer is especially interested in saying, 'This is the data I can [use] to go and speak intelligently to the management meetings...I can get invited to those meetings more because I can show I impact other businesses.'

That's what we are doing a lot of when you talk about convergence, helping them see how their department, the physical and IT security data, connects with all the other departments.  That is at least having an impact.  They are helping other departments see how valuable security is versus 'These guys do security, they're a cost center' so the marketing department doesn't have much use for them.

Think about it: if you walk into any major corporation what's on the first floor of most companies? A nice suite where they display their products--a demo center, especially if you go to high tech companies. Understanding the usage patterns of that one room for the marketing department can be very interesting. Who brought the customers there, when did they bring them, how long did they stay there. Think about it: That's data the security systems have. You can get it in a minute.

....In the analytics now, you're opening yourself up to the enterprise for really showing the value of how activities get done around the company. From our perspective, this is actually true convergence...that's what I see as part of a really big story, to have security people suddenly getting invited to management meetings. That's a big change.

###

Query: What data do your security and related systems collect that could be combined and/or aggregated to provide business intelligence?

Related Links:

Read the other background interviews in this series: David Fowler of VidSys, Larry Lien at Proximex, Rafi Bhonker of Orsus.

More on Quantum Secure and Converged Identities: An interview with CEO Ajay Jain.
