Security Convergence and the Financial Services Industry

By Thomas Schmidt

What is known for certain is that convergence -- the merger of previously separate security functions -- has moved front and center on today’s security agenda. This collision of two different technology worlds has profound implications for the financial services industry. Rapid technology adoption is driving an overlap between traditional physical security and information security technologies and “siloed” business functions that hinder enterprises’ ability to understand and effectively mitigate security risk.

Read on to learn more about the payoffs and pitfalls of integrating physical security and IT security.

Growing momentum
The momentum behind security convergence has been building for some time. As the SANS Technology Institute recently observed, “We are running network information that was formerly analog over our digital data networks, we are converging formerly separate network devices, especially at the perimeter, and we are starting to see physical and classic network security groups beginning to merge. If the trend continues unabated, it will end up saving us a lot of money and giving us a lot less actual remediation of risk than past practice. This trend is solidly in the uniform architectural approach to defense in depth.”

Security convergence has also received a boost from a spate of new regulations, led by Sarbanes-Oxley, that provide real incentives for organizations to consider converging their IT and physical security technologies.

The 2006 implementation of Homeland Security Presidential Directive 12 (HSPD-12), meanwhile, has been another key factor in promoting convergence. HSPD-12 requires government agencies to begin issuing standard PIV (personal identity verification) cards to employees. HSPD-12 smart cards are expected to tie logical and physical access together at government agencies as well as at their private sector contractors.

Culture clash
Despite these developments, plenty of potholes remain on the path to security convergence. To say that convergence provokes fierce debates within organizations today is an understatement. As Dave Tyson, author of the recent Security Convergence: Managing Enterprise Security Risk, has observed, that’s because of the stark cultural differences between physical and IT security departments. While Tyson is an ardent believer in the benefits of security convergence, he doesn’t soft-pedal the challenges.

For example, IT professionals generally embrace new systems and like to experiment with them to see how they might be applied to their work, while physical security personnel are usually more skeptical about emerging technologies.

Then there’s training. Physical security practitioners don’t always require a lot of training, whereas regular certifications are a way of life for IT security practitioners.

Compensation is another barrier. In general, IT workers earn significantly more than physical security personnel.

As Tyson has observed, the typical IT security staff may be perfectly capable of sniffing out a Trojan or keylogger on a PC, but you wouldn’t go to them when an unruly visitor needs to be escorted from the building.

Specific benefits of convergence
Given those very real obstacles, what are the payoffs that financial services firms can expect from convergence? Forrester Research cites four specific business and operational benefits:

• Consolidate credentials for IT and physical access onto a single card. A smart card can serve as an ID badge for building access and can also store IT credentials like passwords and digital certificates.
• Connect the processes for granting and revoking building and IT access. Linking the processes for managing employees’ IT access rights with those for managing their building access will get people productive faster and will improve security.
• Correlate security events across the physical and IT realms. Security event management systems, presently used to monitor and respond to IT-related events, should incorporate events from physical security systems. An alert should trigger if, for example, the VPN signals an employee logging in remotely while the badging system indicates that he or she is inside the corporate office.
• Unify the auditing of physical and IT rights and events. By assessing authentication and authorization processes and controls across IT and physical facilities, organizations will find many opportunities for improved efficiencies and security. For example, Forrester performed an audit that showed ways in which one company could streamline processes of employee and visitor badging by integrating existing identity management systems.

But the benefits don’t end there. In the post-Sept. 11 world, few companies can afford to hold the traditional view of security as just another cost center. Such a view fails to recognize the importance of an enterprise understanding of security to day-to-day business activities. Today, security must be seen as a key enabler for the business. For example, if a network is unavailable due to a logical or physical incident, that’s a revenue-impacting event. A unified security strategy will better align security goals with business goals, resulting in mitigated risk, reduced cost and complexity, and more efficient IT operations.

Start the dialogue
Recently, Richard Baggot and Scott Harroff of Diebold Security led a roundtable discussion about security convergence with attendees of the FSI Executive Summit in Las Vegas. The FSI Executive Summit is a forum that addresses the critical security and information risk management challenges facing the banking, capital markets and insurance industry.

Specifically, Baggot, vice president of enterprise operations and security strategy, and Harroff, chief information security architect, encouraged attendees to approach convergence in terms of the following “dialogue”:

• Identifying vulnerabilities Which areas in your organization are most vulnerable?
• Assessing and prioritizing What real-world threats will have the most significant impact on your critical information assets?
• Securing What are the most efficient solutions and mitigation strategies you can deploy to keep those assets safe?
• Managing How can you most effectively manage the overall maintenance of your security program?
• Exhibiting What are the most efficient solutions and tools you can leverage that show your ongoing commitment to reducing risks to your brand, customers, partners and regulators?

As Baggot and Harroff put it, “This is a world in which the analog systems of yesterday are giving way to today’s digital security solutions. This new world order, and the way we use it, will change security forever.”

Conclusion
As should be clear by now, a number of factors are combining to put the merger of physical and IT security on the front burner. The advent of IP-based physical access systems and the embrace of open applications platforms and Web services in particular are placing true security convergence within reach of an increasing number of financial services firms. True security convergence may be a ways away for many firms, but the worlds of IT and physical security are gravitating toward each other.

 

Thomas Schmidt writes frequently about information security topics. He has more than 15 years of experience as a writer and editor in high-tech publishing.