Security's new unified command

Agencies see many benefits to managing physical and IT security together.

Physical security and information technology security exist as separate worlds at most government agencies. The physical side employs guards and concerns itself with protecting facilities and people, while the IT side employs technical specialists and focuses on securing networks and computer systems. The two spheres involve distinct reporting hierarchies and maintain separate budgets. Their orbits have seldom intersected.

However, that pattern of segregated security has begun to change. Spurred in part by recent technical developments, some agencies have concluded that physical and IT security missions have the same objective: Keep the bad guys out while letting the good guys in with minimal hindrance.

“A physical threat to a building is not a whole lot different from a cyberthreat to our network,” said Elayne Starkey, Delaware’s chief security officer (CSO).

That realization has led some government entities to combine their security efforts. A year ago, Delaware brought its physical security, disaster recovery, continuity-of-operations and information security programs together under the authority of the CSO’s office. Other agencies have launched task forces to oversee all aspects of security.

Government and industry executives see a number of benefits to pulling security together, a strategy referred to as security convergence or enterprise risk management. In their view, a holistic take on security can eliminate gaps that might otherwise occur among different layers of security. Proponents also view converged security as more efficient and cost-effective.

Technology helps make security convergence possible, and in some cases, it drives the process. For instance, the adoption of IP-based security cameras makes video surveillance an IT function and a physical security tool. Smart cards — particularly those required under Homeland Security Presidential Directive 12 (HSPD-12) — have also emerged as an important intersection of physical and IT security.

Because security convergence is a relatively new area, no tried-and-true approach exists for agencies that wish to better coordinate their physical and IT security.

“There isn’t a well-developed model for how this should be done,” said Jonathan Gossels, president and chief executive officer of SystemExperts, which provides security consulting services. “It’s evolving.”

One approach puts all aspects of security under the authority of a single executive, typically a CSO. Creating such a position is a new strategy for most government agencies, Starkey said. CSOs are more common in the commercial sector.

“The creation of a C-level individual — a CSO — is how most of the commercial industry deals with that [convergence] issue,” said Bruce Brody, vice president of information assurance at CACI International.

Delaware officials have found that converged security helps them avoid duplication of efforts. A single program manager oversees all of the state’s security projects, which are funded through a unified budget. “It’s all combined,” Starkey said. “It just makes the funding of the project and the overall management of the project life cycle much easier for us.”

The state has also consolidated its efforts to prevent, respond to and recover from security incidents under an all-hazards approach, she said. Rather than maintain threat-specific plans for disaster recovery and continuity of operations, officials employ a standard risk-mitigation strategy.

Other agencies form committees to coordinate the various aspects of security. Officials at the National Science Foundation took that approach. Instead of combining all elements of security under a single office, NSF established a Security and Privacy Working Group. In addition to IT security specialists, the group includes the director of NSF’s Administrative Services Division, who handles physical security, and a representative from human resources, who is responsible for conducting background checks on applicants for sensitive positions.

The group meets monthly to discuss, create and test policies and procedures for NSF’s security and privacy programs, said George Strawn, NSF’s chief information officer. By meeting as a team, the security disciplines keep one another apprised of their activities. That communication is important given the increasing interdependence of security fields.

Strawn said HSPD-12 is a good example of that convergence. It calls for federal agencies to adopt a common identity credential for physical access to facilities and IT resources. NSF’s Administrative Services Division is tackling the physical security aspects of the smart-card initiative, and its representatives on the working group are keeping their IT security counterparts informed of their progress because the second phase of the program will involve them.

The Social Security Administration has also taken the working-group approach to coordinating physical and IT security. “Social Security manages the convergence of physical security and IT through inter-component workgroups with staff from the offices of Physical Security, IT Security and the Chief Information Officer,” an SSA spokeswoman said. The workgroups serve as SSA’s preferred method for managing complex projects that span multiple security disciplines, the spokeswoman said.

Numerous advantages

Agencies stand to benefit in many ways from taking an all-encompassing approach to security. For example, Brody said, an enterprisewide perspective could help organizations uncover vulnerabilities they would otherwise miss. An organization could manage vulnerabilities for each of its stand-alone security systems while overlooking a weakness at the point where those security layers intersect, said Brody, who held information security roles at the departments of Energy and Veterans Affairs before joining the private sector.

“Quite frankly, if I’m the agency head of security, I would be kind of concerned if those [vulnerability assessments] are being done separately and not being done holistically,” he said.

Security convergence can also help agencies meet the demands of HSPD-12 and its technical underpinning, Federal Information Processing Standard 201. “This is an area where we see the need for a cross-departmental approach,” said John Sabo, director of global government relations at CA. He is also president of the IT Information Sharing and Analysis Center, a nonprofit organization of leading IT companies focused on the trusted exchange of information about cyber incidents, and a member of the Homeland Security Department’s Data Privacy and Integrity Advisory Committee.

Sabo said that in addition to physical security and human resources representatives, an organization’s chief information security officer and chief privacy officer should be involved in FIPS-201 efforts.

Sal D’Agostino, executive vice president of CoreStreet, said the Defense Department has made the most progress in deploying smart cards, but other agencies are getting the cards into the hands of employees. CoreStreet makes software for smart credentialing programs.

Laurie Aaron, director of strategic sales at Quantum Secure and vice chairwoman of the Open Security Exchange’s board of directors, said the desire to increase security and the need to comply with regulatory mandates are the primary business drivers behind convergence. The exchange promotes the interoperability of physical security with IT security and more broadly with IT in general. She also listed reduced operating costs and enhanced business continuity as key reasons that organizations adopt security convergence.

Potential savings stem, in part, from running physical security applications on an organization’s existing IT backbone rather than a parallel infrastructure. For example, video surveillance traditionally operated outside the IT realm on closed-circuit TV systems. But IP-based and digital cameras now let agencies take advantage of existing IT resources, such as data-storage equipment.

Tony Lapolito, vice president of marketing at VidSys, likens today’s situation to the rise of voice-over-IP technology for mainstream telephone services. VidSys markets information management solutions that tie physical and logical systems into a unified system. “The business case that was made for VOIP was based around efficiencies on the network,” he said. “I think you are seeing the same exact desire within the physical security world.” Adding physical security to the IT infrastructure will result in cost savings and productivity gains, Lapolito added.

Obstacles to convergence

Security convergence raises many organizational and cultural questions. Starkey said it was a challenge to bring together security units previously housed in separate state organizations and get employees to understand that they were now all on the same team.

Organizations must be aware of the potential culture clash between the physical and IT security fields, said Paul Kocher, president and chief scientist at Cryptography Research, a security consulting firm. “The first thing that an organization has to do is make sure that the people in each group don’t view each other as a threat,” he said. “You can’t start out with an antagonistic relationship, with each [group] trying to preserve turf or gain ground.”

If an organization has a CSO, he or she must maintain a good relationship with both sets of people, Kocher added. Organizations without a CSO should at least maintain an open dialogue among security players. That is true for both agencies and government contractors. Tim McKnight, vice president of information security at Northrop Grumman, said he talks once or twice a day with his physical security counterpart, the vice president of industrial security. Northrop Grumman also has a security council that includes McKnight, the industrial security vice president and the physical security executives from the company’s four business sectors.

Obstacles to convergence also exist on the technical side. One issue is integrating the systems that protect buildings with the systems that protect IT resources. In general, most access-control vendors now provide application programming interfaces (APIs), so integration is possible, said David Ting, founder and chief technology officer at Imprivata, which offers authentication and access-management appliances. But he added that none of the APIs are standardized.

“It’s a mixture of proprietary APIs, database connectivity or the more modern Web services-based solutions,” he said. He added that Web services and the Open Security Exchange’s pursuit of standardized interfaces are positive developments.

Better integration of physical and network-access programs will facilitate the development of smart-card systems that span both types of security, which is the goal of HSPD-12. Such coordination could enable new capabilities. For example, a system could deny network access to a user when he or she is not inside a government building, as indicated by his or her smart card not having been swiped at the building’s entrance.

In addition to product vendors, service providers, such as the recently launched Sentrillion, also aim to help customers tackle the challenge of integrating physical and IT security. “The driving influence is HSPD-12,” said Jack Larmer, Sentrillion’s CEO.

Add improved security and efficiency to the mix, and agencies have ample incentive to combine physical and IT security.

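The badge-swipe check described under the technical obstacles above, as an added example that is not code from the article or from any vendor it names: a small Python policy function joins a network login request to a constructed physical-access log and denies the login unless the user has a recent badge-in at that building. The log format, the user and building names and the 12-hour presence window are assumptions; it also handles the cases the text implies but does not spell out (a badge-out after the badge-in, and an old badge-in that no longer proves presence).

```python
"""Added example, not code from the article or from any vendor it names: a toy
policy check that ties a network login to a prior badge swipe at the building
entrance, the converged capability the article describes. Log format, names
and the presence window are assumptions; the badge log is constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BadgeEvent:
    user: str
    building: str
    direction: str      # "in" or "out"
    time: datetime

def _event(user, building, direction, iso_time):
    return BadgeEvent(user, building, direction, datetime.fromisoformat(iso_time))

# Constructed sample physical-access log (assumed format, not a real product's).
BADGE_LOG = [
    _event("alice", "HQ", "in",  "2024-05-06T08:02"),
    _event("bob",   "HQ", "in",  "2024-05-06T08:10"),
    _event("bob",   "HQ", "out", "2024-05-06T12:00"),
]

# Assumption: an "in" swipe older than this no longer proves presence
# (the user may have left the building without badging out).
MAX_PRESENCE = timedelta(hours=12)

def presence_status(user, building, at_iso, log=BADGE_LOG):
    """Classify the user's presence in `building` at time `at_iso` from the
    most recent badge event on record: present, left, stale or no_swipe."""
    at = datetime.fromisoformat(at_iso)
    prior = [e for e in log
             if e.user == user and e.building == building and e.time <= at]
    if not prior:
        return "no_swipe"
    last = max(prior, key=lambda e: e.time)
    if last.direction == "out":
        return "left"
    if at - last.time > MAX_PRESENCE:
        return "stale"
    return "present"

def network_access_decision(user, building, at_iso, log=BADGE_LOG):
    """Allow the login only when the badge log shows the user inside the
    building. Every other status is denied and returned with the decision so
    the security team can review the mismatch between the two layers."""
    status = presence_status(user, building, at_iso, log)
    return ("allow" if status == "present" else "deny", status)
```

A denied login with status `no_swipe` or `left` is the kind of cross-layer mismatch that neither the badge system nor the network alone would flag.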
EDS offers convergence advice

When EDS officials reconsidered their approach to risk management a few years ago, they concluded that pulling the various security components into one organization was the way to go.

The company’s Chief Security and Privacy Office houses information technology security, physical security, business continuity and privacy, along with other functions. Dave Morrow has been EDS’ chief security and privacy officer since 2005. He reports to the company’s vice president of enterprise risk management. He said convergence allows the company to “examine risk from all kinds of different angles.”

A consolidated view of security and privacy also helps EDS address the concerns of regulators and auditors, whose questions can encompass many facets of security.

Based on EDS’ experience, Morrow offers the following advice:
  • Enterprises moving toward converged security should build consensus around a common high-level goal. “It’s not thinking about just physical security or just IT security,” Morrow said. “It’s thinking about protecting the business and enabling the business.”
  • People who manage converged groups should encourage their colleagues to think beyond their own security areas. The goal is to have specialists become good generalists in security, Morrow said. “You can’t be afraid to get people out of their comfort zone,” he said.
— John Moore
Does FISMA stymie convergence?

The federal government has inadvertently made it difficult for agencies to integrate information security and physical security, said Bruce Brody, vice president of information assurance at CACI International.

A former federal information security officer, Brody said the Federal Information Security Management Act conflicts with security convergence.

FISMA calls for federal chief information officers to appoint a senior information security officer to carry out the law’s security mandates. That stipulation is problematic for consolidating physical and information technology security, Brody said.

By reporting to the CIO, the information security officer will face a “balancing act that subordinates security to the other priorities the CIO is dealing with,” Brody said.

He said managing a converged security organization is a task better suited to a chief security officer, a position he called equal in stature to a CIO.

— John Moore


Convergence considerations

If you’re thinking about consolidating your organization’s security programs, keep the following factors in mind.

Organizational structure.
Consider your risk management needs and then weigh your options, which include forming a multidisciplinary working group or designating a chief security officer who will oversee physical and logical security.

Culture.
Remember that team members won’t be accustomed to working with colleagues in other security disciplines. A converged security organization must change employees’ mind-set to focus on a common goal rather than on objectives tied to narrow specializations.

Technology.
Recognize that security systems can be as isolated as the fiefdoms that operate them. Therefore, your organization must develop a plan for integrating the various systems.

— John Moore