siliconindia

Identity Management - The Value of Physical & Logical Convergence

Author: Ajay Jain
President and CEO, Quantum Secure
A recent article about Fannie Mae, a U.S. government-sponsored enterprise chartered by Congress to provide liquidity, stability, and affordability to the U.S. housing and mortgage markets, made worldwide headlines and caught my attention as well. On October 24, 2008, a Fannie Mae contract worker was fired from his computer programming job at the company's data center in Urbana, about 35 miles from the company’s Washington headquarters.

Fannie Mae did not immediately terminate the worker's computer access after telling him he was fired. Before surrendering his badge and laptop computer about three and a half hours later, the worker allegedly used his extended access to reset the company's computer servers, planting malicious code that was intended to execute on January 31, 2009. Luckily, his plot was thwarted by another worker who stumbled upon the code bomb and brought it to the attention of the FBI.

"Had this malicious script got executed, engineers at Fannie Mae estimated that it would have caused millions of dollars of damage and reduced, if not completely shut down, operations at the company for at least one week," an investigator on the case wrote. "The total damage would include cleaning out and restoring all 4,000 servers, restoring and securing the automation of mortgages, and restoring all data that was erased."

Now let's pause and think about this incident for a second. The damage that this terminated worker could have done to the American mortgage market could have been catastrophic. An additional unknown in this case is the fact that we do not know if or when his physical access privileges were revoked, either at the Urbana facility or at Fannie Mae's headquarters. Even if the worker was required to turn in his badge immediately, there is no guarantee that he didn’t already replicate his physical access card along with all access codes – a very inexpensive process that takes only minutes for a malicious individual to accomplish.

A couple of questions cropped up in my head regarding this event: What is the guarantee that his access was terminated in all disparate and disjointed physical access control systems across their worldwide facilities? Beyond the millions of dollars in damage that this worker could have caused with just a few lines of code, were there even more ominous goals in his mind?

As a security professional, I'm left with a few simple takeaways: Could this risk have been mitigated? Could an event like this trigger an automated process, executed in real time, to bridge the gap between the physical and logical security systems at Fannie Mae? Could this process remove the human element, which can quickly introduce latencies and errors?

Consider this. With a policy-driven, automated process, as this contractor's dismissal was logged into the corporate HR system, it could have immediately resulted in instantaneous termination of his physical access privileges as well as his access to IT applications and networks around the world.

Case closed, right? Not just yet. Imagine if it were a hospital instead of Fannie Mae, where medical records can be accessed, drugs could be stolen, and people's lives could be in danger. Imagine if it were a nuclear power plant, where the security of a metropolitan area or perhaps an entire nation could be compromised. Have we really considered all things needed in today's society to mitigate risks such as these?

Countries around the world have worked hard to establish governmental regulations such as SOX, HIPAA, HSPD-12, and Basel II to fight such challenges. But complying with these regulations has proved – and will continue to prove – elusive for so many corporations from a converged physical and IT security standpoint.

Given the interrelated aspects of these initiatives, the question is, "Does the consolidation and correlation of physical and logical security make sense?"

Today's security initiatives involve guarding buildings, assets, and equipment as well as protecting networks, dealing with privacy issues, and managing overall corporate risks. As we just learnt, corporate risk is a direct function of the effective correlation of physical and logical domains.

Until now, in most organizations physical and logical access systems have operated as two independent structures and have been run by completely separate departments. However, access to critical information, whether in digital form or in physical form such as a laptop or a paper document, could fall into the hands of unauthorized people if not guarded properly, and could lead to further devastation.

This brings us to the concept of end-to-end identity and access management: allowing applications in IT and physical domains to make authorization, entitlement, and other policy decisions based on privilege and policy information.
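As an added example (not Quantum Secure's SAFE code or anything from the article), here is a small Python sketch of the policy-driven process described above: an HR termination event fans out to every physical and IT access system the identity is enrolled in, and each system is read back afterwards, so a revocation that did not take effect in one of the disparate systems is reported rather than assumed. The system names, identifiers and HR record are constructed.

```python
from dataclasses import dataclass, field

class AccessSystem:
    """One access-control system (a PACS badge system or an IT directory/VPN).
    In-memory stand-in for a vendor API; reachable=False simulates an outage."""
    def __init__(self, name, active_ids, reachable=True):
        self.name, self.active, self.reachable = name, set(active_ids), reachable
    def revoke(self, identity_id):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.active.discard(identity_id)
    def is_active(self, identity_id):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return identity_id in self.active

@dataclass
class RevocationReport:
    identity_id: str
    revoked: list = field(default_factory=list)  # revoked AND verified by read-back
    pending: list = field(default_factory=list)  # errored or still active: escalate
    audit: list = field(default_factory=list)

def deprovision(hr_event, systems):
    """Fan a TERMINATE event out to every system, then read each one back,
    so an unreachable system or a failed revoke is reported, never assumed."""
    report = RevocationReport(hr_event["employee_id"])
    if hr_event.get("action") != "TERMINATE":
        report.audit.append("ignored: not a termination event")
        return report
    for system in systems:
        try:
            system.revoke(report.identity_id)
            still_active = system.is_active(report.identity_id)
        except ConnectionError as exc:
            report.pending.append(system.name)
            report.audit.append(f"{system.name}: FAILED ({exc})")
            continue
        (report.pending if still_active else report.revoked).append(system.name)
        report.audit.append(f"{system.name}: {'STILL ACTIVE' if still_active else 'revoked, verified'}")
    return report

def sample_systems(hq_online=False):
    """Constructed sample: a contractor enrolled in two badge systems and two
    IT systems; by default the headquarters badge system is offline."""
    return [AccessSystem("PACS-Urbana", {"C-1042", "E-0007"}),
            AccessSystem("PACS-HQ", {"C-1042"}, reachable=hq_online),
            AccessSystem("ActiveDirectory", {"C-1042", "E-0007"}),
            AccessSystem("VPN", {"C-1042"})]

HR_EVENT = {"employee_id": "C-1042", "action": "TERMINATE"}  # constructed HR feed record
```

Calling `deprovision(HR_EVENT, sample_systems())` leaves `PACS-HQ` in `pending`, which is the escalation point a security team needs instead of a silent gap; other identities in the same systems are untouched.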

At Quantum Secure, we have been dedicated to this burgeoning space since our inception in 2004. Our SAFE suite of software enables security practitioners to integrate disparate physical security systems, automate enrollment processes, and simplify control of employees, vendors, and other third-party identities across a global organization.

In a report released by Forrester Research, analyst Steve Hunt says that companies can cut costs by converging IT security with corporate or physical security functions and vice versa. Hunt suggests consolidating credentials for IT and physical access into an integrated process, which may save money and improve security. “Connect the processes for granting and revoking building and IT access,” he says. “Linking the processes for managing employees’ IT access rights with those for managing their building access will get people productive quicker and will improve security by ensuring that all necessary revocations take place when appropriate.”

Hunt projected a $2 billion cross-industry market for non-government firms' spending on physical and IT security convergence in 2006, and that has only increased since then. Hunt says that spending will increase dramatically over the next four years as well, with spending by North American and European companies reaching $16 billion by 2012.

Integration of security systems can also help meet regulatory requirements by showing improvements in processes and procedures. Under the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act, information in both physical and electronic forms must be protected by appropriate access control mechanisms, and these mechanisms must be audited.

According to Eric Maiwald, an analyst for Burton Group's new Security and Risk Management Strategies service, a well-defined, integrated physical and logical process for granting access to information in either physical or logical form may show that the organization understands and is compliant with the various regulations. Maiwald illustrates the concept with the following example. Data center systems are protected by firewalls on the network, antivirus software on the servers, and intrusion detection. The room itself is also physically secured against unauthorized access and equipped with fire suppression, climate control, and power systems.

The concept of Identity Management in the physical security space is growing day by day, as it ensures tighter security, compliance with various regulations, and operational efficiencies. Physical security systems, by nature, are disparate and disjointed from each other, even within a single organization.

The success of Physical Identity Management depends on selecting appropriate tools and technologies to first integrate, interoperate, and homogenize such disparities in the physical security infrastructure, and then to effectively correlate its access authorization and entitlement policies with those of its sibling, IT security.

Until corporations embrace this new, policy-based paradigm for managing their physical and logical security infrastructure, we will continue to come across stories like that of Fannie Mae, perhaps with worse outcomes. With a policy-based approach, however, automated rules can quickly meet both internal and external governance needs, reduce human errors, and provide a holistic approach to managing security across disparate systems and multiple geographies.
