Identity Management - The Value of Physical & Logical Convergence

Author: Ajay Jain
President and CEO, Quantum Secure
Identity Management - The Value of Physical & Logical Convergence   -By-Ajay Jain
A recent article about Fannie Mae, a U.S. government-sponsored enterprise chartered by Congress to provide liquidity, stability, and affordability to the U.S. housing and mortgage markets, made worldwide headlines and caught my attention as well. On October 24, 2008, a Fannie Mae contract worker was fired from his computer programming job at the company's data center in Urbana, about 35 miles from the company’s Washington headquarters.

Fannie Mae did not immediately terminate the worker's computer access after telling him he was fired; and before surrendering his badge and laptop computer about three and a half hours later, the worker allegedly used his extended access to reset the company's computer servers, planting malicious code that was intended to execute on January 31, 2009. Luckily, his plot was thwarted by another worker who stumbled upon the code bomb and brought it to the attention of the FBI.

"Had this malicious script got executed, engineers at Fannie Mae estimated that it would have caused millions of dollars of damage and reduced, if not completely shut down, operations at the company for at least one week," an investigator on the case wrote. "The total damage would include cleaning out and restoring all 4,000 servers, restoring and securing the automation of mortgages, and restoring all data that was erased."

Now let's pause and think about this incident for a second. The damage that this terminated worker could have done to the American mortgage market could have been catastrophic. An additional unknown in this case is the fact that we do not know if or when his physical access privileges were revoked, either at the Urbana facility or at Fannie Mae's headquarters. Even if the worker was required to turn in his badge immediately, there is no guarantee that he didn’t already replicate his physical access card along with all access codes – a very inexpensive process that takes only minutes for a malicious individual to accomplish.

A couple of questions cropped up in my head regarding this event: What is the guarantee that his access was terminated in all disparate and disjointed physical access control systems across their worldwide facilities? Beyond the millions of dollars in damage that this worker could have caused with just a few lines of code, were there even more ominous goals in his mind?

As a security professional, I'm left with a few simple takeaways: Could this risk have been mitigated? Could an event like this trigger an automated process – executed in real time – to bridge the gap between the physical and logical security systems at Fannie Mae? Could this process remove the human element, which can quickly introduce latencies and errors?
Consider this. With a policy driven, automated process, as this contractor's dismissal was logged into the corporate HR system, it could have immediately resulted in instantaneous termination of his physical access privileges as well as his access to IT applications and networks around the world.

Case closed, right? Not just yet. Imagine if it were a hospital instead of Fannie Mae, where medical records can be accessed, drugs could be stolen, and people's lives could be in danger. Imagine if it were a nuclear power plant, where the security of a metropolitan area or perhaps an entire nation could be compromised. Have we really considered all things needed in today's society to mitigate risks such as these?

Countries around the world have worked hard to establish governmental regulations such as SOX, HIPAA, HSPD-12, and Basel II to fight such challenges. But complying with these regulations has proved – and will continue to prove – elusive for so many corporations from a converged physical and IT security standpoint.

Given the interrelated aspects of these initiatives, the question is, "Does the consolidation and correlation of physical and logical security make sense?"

Today's security initiatives involve guarding buildings, assets, and equipment as well as protecting networks, dealing with privacy issues, and managing overall corporate risks. As we just learnt, corporate risk is a direct function of the effective correlation of physical and logical domains.

Until now, in most organizations physical and logical access systems have operated as two independent structures and have been run by completely separate departments. However, access to critical information, whether in digital form or physical such as a laptop or a paper document, could fall into the hands of unauthorized people if not guarded properly, and could lead to further devastation.
This brings us to the concept of end-to-end identity and access management: allowing applications in IT and physical domains to make authorization, entitlement, and other policy decisions based on privilege and policy information.

At Quantum Secure, we have been dedicated to this burgeoning space since our inception in 2004. Our SAFE suite of software enables security practitioners integrate disparate physical security systems, automate enrollment processes, and simplify control of employees, vendors, and other third party identities across a global organization.

In a report released by Forrester Research, analyst Steve Hunt says that companies can cut costs by converging IT security with corporate or physical security functions and vice versa. Hunt suggests consolidating credentials for IT and physical access into an integrated process, which may save money and improve security. “Connect the processes for granting and revoking building and IT access,” he says. “Linking the processes for managing employees’ IT access rights with those for managing their building access will get people productive quicker and will improve security by ensuring that all necessary revocations take place when appropriate.”

Hunt projected a $2 billion cross-industry market for non-government firm spending in physical and IT security convergence in 2006, and that has only increased since then. Hunt says that spending will increase dramatically over the next four years as well, and will reach $16 billion by North American and European companies by 2012.

Integration of security systems can also help meet regulation requirements by showing improvements in processes and procedures. With regard to the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act information in both physical and electronic forms must be protected by appropriate access control mechanisms, and these mechanisms must be audited.

According to Eric Maiwald, an analyst for Burton Group’s new Security and Risk Management Strategies service, a well-defined, integrated physical and logical process for granting access to information in either physical or logical form may show that the organization understands and is compliant with the various regulations. Eric further exemplifies the concept by the following example. Data center systems are protected by firewalls on the network, antivirus software on the servers, and by intrusion detection. The room is also physically secured from unauthorized access, fire suppression, climate control, and power systems.

The concept of Identity Management in physical security space is burgeoning day-by-day as it ensures tighter security, compliance to various regulations, and operational efficiencies. Physical security systems, by nature, are disparate and disjointed with each other, even within a single organization.

The success of Physical Identity Management depends on selecting appropriate tools and technologies to first integrate, interoperate, and homogenize such disparities in physical security infrastructure and then to effectively correlate the access authorization and entitlement policies with that of its brother – IT security.

Until corporations embrace this new, policy-based paradigm with regard to managing their physical and logical security infrastructure, we will continue to come across stories like that of Fannie Mae’s – perhaps with worse outcomes. With a policy-based approach, however, automated rules can quickly meet both internal and external governance needs, reduce human errors, and provide a holistic approach to managing security across disparate systems and multiple geographies.

Previous  article
Write your comment now

Email    Password: 
Don't have SiliconIndia account? Sign up    Forgot your password? Reset
Reader's comments(2)
1: From: Mrs. Mary David

This mail may be a surprise to you because you did not give me the permission to do so and neither do you know me but before I tell you about myself I want you to please forgive me for sending this mail without your permission. I am writing this letter in confidence believing that if it is the will of God for you to help me and my family, God almighty will bless and reward you abundantly. I need an honest and trust worthy person like you to entrust this huge transfer project unto.

My name is Mrs. Mary David, The Branch Manager of a Financial Institution. I am a Ghanaian married with 3 kids. I am writing to solicit your assistance in the transfer of US$7,500,000.00 Dollars. This fund is the excess of what my branch in which I am the manager made as profit last year (i.e. 2010 financial year). I have already submitted an annual report for that year to my head office in Accra-Ghana as I have watched with keen interest as they will never know of this excess. I have since, placed this amount of US$7,500,000.00 Dollars on an Escrow Coded account without a beneficiary (Anonymous) to avoid trace.

As an officer of the bank, I cannot be directly connected to this money thus I am impelled to request for your assistance to receive this money into your bank account on my behalf. I agree that 40% of this money will be for you as a foreign partner, in respect to the provision of a foreign account, and 60% would be for me. I do need to stress that there are practically no risk involved in this. It's going to be a bank-to-bank transfer. All I need from you is to stand as the original depositor of this fund so that the fund can be transferred to your account.

If you accept this offer, I will appreciate your timely response to me. This is why and only reason why I contacted you, I am willing to go into partnership investment with you owing to your wealth of experience, So please if you are interested to assist on this venture kindly contact me back for a brief discussion on how to proceed.

All correspondence must be via my private E-mail ( for obvious security reasons.

Best regards,
Mrs. Mary David.
Posted by: mary lovely david - Monday 26th, September 2011
2: Hi my dear,
My name is Mounace, i would like to establish a true relationship with you in one love. please send email to me at ( i will reply to you with my picture and tell you more about myself. thanks and remain blessed for me,
Your new friend Mounace
Posted by: mounace love love - Thursday 09th, June 2011
More articles
The retail industry is witnessing an increased migration of customers ... -By-Kaushal Mehta
by Kaushal Mehta - Founder & CEO, Motif Inc..
The retail industry is witnessing an increased migration of customers from traditional brick and mortar retail to E-commerce (online retail)...more>>
Its 1 AM. Do You Know What Your Offshore Team Is Doing? -By-Samir Shah
by Samir Shah - CEO, Zephyr .
You probably do because you are on the phone with them! For all of you working in some technical management capacity here in Silicon Valley,...more>>
Disconnect: The Root Of All Execution Evils -By-Raj Karamchedu
by Raj Karamchedu - Chief Operating Officer, Legend Silicon .
These days are a mixed bag for me. Of late I have been considering "doing something bigger and better," in my life, perhaps seriously though...more>>
IT Services Rise Of Tier II Companies -By-Madhavi Vuppalapati
by Madhavi Vuppalapati - CEO of Prithvi Information Solutions .
IT Services Rise of Tier II companies The Indian IT outsourcing industry is going through very exciting phase in its business life...more>>
DLP, Prevention Is Better Than A Cure -By-Bhaskar Bakthavatsalu
by Bhaskar Bakthavatsalu- Country Manager, India and SAARC of Check Point Software Technologies.
Data loss occurs every day through corporate email. In fact, given the sheer number of emails an organization sends every day, data loss inc...more>>