gds international - next - generation - security - summit - us - 7

© 2010 Quantum Secure, Inc. White Paper

of 19

UNIFIED PHYSICAL IDENTITY & ACCESS MANAGEMENT

USING POLICY-DRIVEN SOFTWARE TO SEAMLESSLY MANAGE IDENTITIES (CARDHOLDERS) AND

THEIR PHYSICAL ACCESS ACROSS DISPARATE EXTERNAL SYSTEMS WHILE MAINTAINING

COMPLIANCE

Quantum Secure, Inc.

100 Century Center Court

Suite 800

San Jose, CA 95112

USA

Phone: 408 453 1008

Email: [email protected]

Web: www.quantumsecure.com

mailto:[email protected]

http://www.quantumsecure.com/


of 19

TABLE OF CONTENTS Executive Summary ..................................................................................................................................................... 3

Physical Security Infrastructure: Decades of Haphazard Growth .............................................................................. 5

Resulting Implications for Physical Security ............................................................................................................... 5

Significant Operating and Capital COSTS ................................................................................................................... 6

Risk of Non-COMPLIANCE ......................................................................................................................................... 6

RISK of Theft, Fraud, and Crime ................................................................................................................................ 7

The Next-Generation Solution: Policy-Driven Physical Identity and Access Management ...................................... 9

What Should One Look For In An Ideal Solution? .................................................................................................... 10

Centrally Manages Lifecycle of Physical Identity ..................................................................................................... 10

Automates Policy Definition and Deployment ........................................................................................................ 11

Integrates with Physical Security and Logical Identity Management Systems ........................................................ 11

Automates Compliance Initiatives ........................................................................................................................... 12

Unifies Security Events and Correlates with Identity Data ...................................................................................... 12

Provides Executive-level, Detailed Reporting of the Overall State of Security Operations ..................................... 13

The Quantum Secure Solution: SAFE ........................................................................................................................ 14

Components of Quantum Secure SAFE ................................................................................................................... 14

SAFE INTEGRATION FRAMEWORK ....................................................................................................................... 14

SAFE POLICY SERVER ............................................................................................................................................ 15

SAFE SUITE APPLICATIONS ................................................................................................................................... 15

Transforming Physical Security Using Quantum Secure SAFE ................................................................................. 18

Cost Savings ............................................................................................................................................................. 18

Compliance .............................................................................................................................................................. 18

Investment Protection and Future-Proofing ........................................................................................................... 18

Security & Reduced Risk .......................................................................................................................................... 18

Conclusion – Why Quantum Secure? ....................................................................................................................... 19


of 19

EXECUTIVE SUMMARY

Physical security practitioners of any organization should ask themselves one fundamental question:

Can I respond to today’s challenges in a resource-conscious world

by subscribing to the traditional way of managing physical security?

This traditional approach, often characterized by the incorporation of additional hardware systems, has

often led to complex security infrastructure, consisting of systems which are disparate, disjointed and

difficult to manage. This problem is compounded because physical security processes are by large

manual in nature, operating in silos with little or no connection with other enterprise processes like

those of IT.

As a result, most physical security departments today lack the agility and flexibility to address today’s

challenges of increasing cost, risk of non-compliance and high risk of theft or fraud. And this struggle

does not limit itself to any particular type of business, as these challenges can be seen across

organizations of all types and sizes, including global corporations, government institutions, airports and

hospitals.

To address these challenges, physical security practitioners should adopt a software-driven approach

towards unifying various physical security systems and electronically maintaining all security-related

data. A software-driven approach will automate processes related to physical identity (cardholder),

simplify the management of identities and access management across the physical security

infrastructure and also streamline compliance initiatives.

Quantum Secure supports this approach through its SAFE software suite. Quantum Secure is the leading

provider of enterprise software to manage and streamline security identities, compliance and correlate

with events across disparate physical security systems. Its SAFE suite of software enables security

practitioners to integrate physical security systems, automate processes and simplify control of

employees, vendors and other identities across their organization. By connecting physical security

operations closely to their IT infrastructure, corporations can quickly lower operational costs, improve

compliance and reduce risk.

This whitepaper achieves the following:

Reviews the current situation and lists out the key challenges faced by security practitioners

in context of physical identity and access management

Proposes an approach that unifies physical identity and access management using a policy-

driven software solution

Discusses the essential capabilities of such an ideal solution including security policy

automation and integration among disparate physical security systems and with logical

security systems


of 19

Discusses how Quantum Secure SAFE can support the unified approach by automating

manual security processes to centrally manage physical identities and their associations with

systems, events, and stakeholders while adhering to real-time compliance

Presents the benefits and some examples of how Quantum Secure SAFE has improved the

key performance indicators for physical security department


of 19

PHYSICAL SECURITY INFRASTRUCTURE: DECADES OF HAPHAZARD GROWTH The turn of events at the beginning of this millennium will be etched in the

memory of physical security practitioners for the next few decades. While 9/11

ushered in a spate of changes in physical security management at government

institutions and airports, it has also prompted businesses to assess their risk

exposure as they operate multiple locations spread throughout the world.

Internal threats such as employee pilferage and collusion pose even a greater

threat for corporate entities, educational institutions and other non-

government entities, creating new elements of cost and risk.

Unfortunately the current state of physical security infrastructure for most

organizations is not designed to respond effectively to the changing

environment. Ever since the inception of video surveillance cameras five

decades ago, organizations have added boxes of these and other systems such

as access control, alarms and sensors to strengthen their security posture.

While these systems proved to be good point products, there were no industry-

wide standards and/or open architectures by which these systems could work.

Some organizations got locked into proprietary hardware products from a single

vendor, and others spent millions on best-of-breed solutions from multiple

vendors, only to struggle with the management of these disparate technologies.

As a result, security practitioners rarely have complete visibility and control over

their physical security infrastructure, and their physical security policies are

often dictated by their hardware, rather than the other way around.

To compound this challenge, many physical security policies and various

administrative tasks are executed manually by the security staff, leading to

costly, error-prone data entry that can lead to duplication and erroneous

identity information within the system.

RESULTING IMPLICATIONS FOR PHYSICAL

SECURITY As a result of the present situation and the complications, organizations of all

kinds and size face the following challenges in context of physical identity and

access management:

PRESENT DAY COMPLICATIONS

Multiple and disparate PACS

Manual and inconsistent

enforcement of security

policies

Manual administration of high

volumes of access requests

Siloed systems with no

integration with logical

security


of 19

SIGNIFICANT OPERATING AND CAPITAL COSTS The manual nature of managing physical identities and their access implies a

significant cost overhead. Security staff maintains access-related information

either in paper or in spreadsheets and manually updates them whenever

changes are required. In other words, a significant amount of time is spent in

card and access rights administration tasks. These manual efforts lead to errors,

which lead to more effort towards their fixing, driving additional costs.

On- /off-boarding of a physical identity is a cumbersome and time-consuming

process, primarily because of lack of integration with the logical side of an

identity. Activities like background verification, role-based access determination

and subsequent approval, and credential management are by large manual in

nature and executed in a disjointed and improper sequence.

Organizations wanting to standardize on one type of physical access control

system (PACS) are worried by the huge capital expenses that can be incurred for

any rip and replacement effort. This may especially concern large enterprises

that grow through acquisitions and in that process face the problem of

standardizing the PACS.

As a result, many companies forego this large capital expenditure, or simply add

new systems on top of their existing ones. This further compounds the

challenges they experience with their existing physical security infrastructure.

RISK OF NON-COMPLIANCE There is a constant pressure on physical security practitioners to ensure

compliance to internal policies and external regulations like SOX, ISO 27000 and

other industry-specific regulations. As most of the security processes are

manual, security staff needs to spend additional effort in ensuring that

compliance related controls are operating effectively. They are also expected to

prepare reports asserting their compliance. All this effort spent may go waste if

due to some oversight, compliance exceptions are reported by third-party

agencies. These exceptions can not only result in fines and penalties for the

organization but they can also dent the organization’s reputation.

Today, there is hardly any way to ensure that compliance-related exceptions are

not allowed in the first place. Off-boarding is a manual process which means

that an employee can still have physical access despite having the logical access

terminated. Delay in removal of physical access for a terminated employee can

Manual access and change

management processes

Cumbersome and time-

consuming on-boarding and

off-boarding

Significant capital expenses

towards standardizing on one

PAC system

Increasing pressure to

comply with external

regulations like SOX, ISO

27000

Stringent industry-specific

regulations like TSAs 49 CFR

Part 1540, 1542 directives for

Airports; HSPD-12 for US

federal agencies, NERC CIP

standards for Energy

companies, CFATS RBPS for

Petrochemical facilities,

HIPAA/DEA/FDA for

Healthcare sector


of 19

lead to compliance exceptions. Similarly, access management is a manual

process which can be error-prone and lead to compliance violations.

RISK OF THEFT , FRAUD , AND CRIME Since security policies are created and enforced manually in so many instances,

there is no way to track and ensure if they are being implemented properly.

Manual processes expose the organization to potential risk of theft/fraud, as the

handling of large volumes of card administration requests manually can lead to

errors and create undesired exposure. For example, delays in removing access

rights for a terminated employee, contractor or other third-party identity may

create a security breach by which he/she can potentially return and commit

theft within the premises.

Organizations also face the challenge of managing their visitors in a secure and

organized manner. Most of the existing visitor management solutions are

standalone applications which can’t be easily deployed across multiple sites and

which lack the flexibility to adapt to changes in visitor-related policies.

It is also important to note the unique situation and challenges faced by

different types of industries/sectors:

Airports need to manage a litany of vendors and related staff and manage

access to airside and sterile areas while complying with ever-growing

regulations like 49 CFR Part 1540, 1542 directive from Transportation Security

Authority (TSA) in USA and similar regulations in other countries.

Government institutions in the US, who are often geographically dispersed with

multiple proprietary PACS need to integrate physical access management on the

standardized Personal Identity Verification (PIV) credential as mandated by

Homeland Security Presidential Directive 12 (“HSPD-12”). Things become

complicated because their current physical infrastructure is not capable of

handling digital certificates and biometric information from PIV cards.

Energy and Petrochemical facilities in the US are under increasing pressure to

comply with NERC Critical Infrastructure Protection (CIP) standards and CFATS

Risk-Based Performance Standards (RBPS) respectively but lack complete

control and automation of these standards.

Healthcare institutions also need to drive DEA, FDA and HIPAA compliance with

their complex network of facilities, role and related access.

Manual processes are error-

prone which increase risk

exposure

Manual or standalone visitor

management solution lack

flexibility, scalability and

security


of 19

Higher education institutions face the challenge of integrating their different

systems like ERP, facilities, housing, dining, bookstores and more in order to

have complete control over their physical identities.


of 19

THE NEXT-GENERATION SOLUTION: POLICY-DRIVEN PHYSICAL IDENTITY AND ACCESS

MANAGEMENT One thing is certain: the traditional way of solving physical security problems

simply will not suffice. Additional hardware, standalone software solutions and

adding more manpower only compound the issue.

These challenges can be addressed by a “unified approach towards physical

security management using policy-driven software that can seamlessly manage

identities, their physical access, and their correlation with physical security

events in a multi-stakeholder environment while providing real-time

compliance”.

Figure: Policy-driven unified approach for physical identity and access management

As shown above, a unified approach involves centrally managing:

Identities through various stages of their lifecycle including on-/off-

boarding, access provisioning, badging

Integrations with all types of external systems (logical and physical) for

ensuring one identity definition

Policies which are rules governing relationship of identities across

different systems, with different stakeholders (like IT, facility, physical

security) and with physical security events

Compliance and reporting as it relates to physical security

PRINCIPLES OF A UNIFIED

APPROACH:

One physical identity

Consistent policy enforcement

Integrated physical and logical

security systems

Compliance across physical

security infrastructure


of 19

WHAT SHOULD ONE LOOK FOR IN AN IDEAL

SOLUTION? Listed below are essential capabilities that one should look out for in a unified

physical identity and access management solution.

CENTRALLY MANAGES THE ENTIRE LIFECYCLE OF A

PHYSICAL IDENTITY The solution should be the central place to manage the lifecycle of an identity as

it relates to physical security.

Figure: Lifecycle Management of a Physical Identity

The solution should allow pre-enrollment which includes identity verification

against HR/LDAP or any authoritative data source. It should enroll an identity by

performing activities like background check through integration with federal,

state or local repositories (like Criminal History Records Check (CHRC), Sex

Offender Registry). Thereafter, the solution should be able to issue assets like

access cards, metal keys, and provision role-based physical access for the

identity.

Automating identity-related

tasks like on-boarding,

provisioning improves

efficiency and service levels

and minimizes risks

It gives security staff

complete view of who has

got what access in the

organization. Self service

releases substantial time for

security staff to carry out

important activities


of 19

The solution should also manage different associations for an identity like other

personnel, visitors, parking permits. Once the identity starts using the physical

security infrastructure, the same solution should report access audits and

events for the identity. The solution should give security practitioners the

ability to manage the identity through reports on trends and utilizations.

An ideal solution should also allow the identity to execute a part of any of the

above activities through an easy to use and intuitive self-service interface. For

example, end users should be able to make request (like for a new access) and

later track its status through self-service.

AUTOMATES POLICY DEFINITION AND DEPLOYMENT The solution should enable security department to centrally define, deploy and

monitor the vast number of global and regional policies. Security practitioners

should be able to easily create new and update existing policies from within the

software. Once deployed, the software should execute the logic behind the

scene without any manual intervention. For example, the user can create a rule

including set of activities connected through a workflow for granting role-based

access to data center. Once the rule is deployed, the software should

automatically broadcast access to the data center PACS for the pertinent

identities.

INTEGRATES WITH PHYSICAL SECURITY AND LOGICAL

IDENTITY MANAGEMENT SYSTEMS The solution should enable various PACS, alarms, event management systems

and other devices to integrate and interoperate with enterprise IT systems such

as SAP, PeopleSoft, IDMS systems, LDAP, MS Active Directory. It should be pre-

integrated with leading systems thereby reducing the need for custom

integration.

Disparate systems lead to operational inefficiencies as a security staff needs to

manually assign access to an identity to various physical security systems. With

a unified solution, user should be able to configure and integrate both the

physical and logical security systems. The integration should capture identity,

security and event data from these systems and trigger execution of relevant

rules for seamless automation. For example, if a new employee is added to the

HR system, then the unified solution should automatically capture and store the

information in its local repository. Thereafter, if a policy is configured within the

solution to automatically assign access to certain PACS, then it should be

triggered and the access details should be broadcasted to the relevant PACS.

Policy automation

dramatically lowers cost of

operations while giving

security staff complete

control over the enforcement.

It helps security respond

quickly to changes by

updating policies and

deploying them within no

time

Integration minimizes

manual effort of security

staff. It improves

operational efficiency while

retaining the existing

physical security

infrastructure. It gives

complete control as security

staff can have a central view

of their infrastructure


of 19

Figure – Integrating Disparate Systems using Unified Solution

AUTOMATES COMPLIANCE INITIATIVES The solution should allow security practitioners to enforce governance across

diverse systems, and to create a transparent, traceable, and repeatable real-

time unified compliance process. The solution should allow users to centrally

define controls as per external regulations and internal policies. It should

subsequently automate the measurement, remediation and reporting actions

against these controls.

UNIFIES SECURITY EVENTS AND CORRELATES WITH

IDENTITY DATA The solution should allow correlation of physical identity, access and event data

by integrating with physical security event management systems. This can

provide security administrators with complete control and visibility into physical

security operations. The integrated solution should provide activity profiling to

determine combinations of actions that raise a warning. For example, it can

scan the activities of the last 50 terminated employees to see which actions

might serve as early warnings about future at-risk employees, automatic watch-

list creation and escalation of users to different severity levels, out-of-the-box

rules for anomaly detection, unauthorized actions, etc.

Compliance automation

minimizes risk and reduces

manual effort.

It helps avoid potential fines,

and penalties, and puts

security practitioners in good

light both within and outside

the organization

Event correlation improves

the quality and time of

security response through

policy-based actions based on

association of events with

identity data


of 19

PROVIDES EXECUTIVE-LEVEL , DETAILED REPORTING OF THE

OVERALL STATE OF SECURITY OPERATIONS An ideal solution should also retrieve, aggregate and store data from various

operational systems. Its analytics capabilities should process and incorporate

this data into interactive reports that can provide a high-level snapshot of the

physical security operations and at the same time provide drill-down

capabilities. For example, the solution can provide security practitioners with a

high-level snapshot of the total alarm count across all the global sites and at the

same time it can provide easy drill-down into details of an individual alarm.

Security analytics allows

informed decision making

for management by

providing insights generated

from analysis of historical

data


of 19

THE QUANTUM SECURE SOLUTION: SAFE Quantum Secure has created the industry’s first and most comprehensive

physical security management software – SAFE. SAFE is designed to connect

disparate physical security and IT and operational systems, automate manual

security processes and reduce both costs and risks.

COMPONENTS OF QUANTUM SECURE SAFE

Figure – Building Blocks of SAFE

As shown above, the building blocks of SAFE are:

SAFE INTEGRATION FRAMEWORK

The SAFE Integration Framework includes out-of-the-box adapters for all leading

physical access control systems, biometric systems and other security devices.

It also comes pre-integrated with enterprise IT systems, logical identity

management systems, LDAP, MS Active Directory and more. The framework

supports native API and Web services-based integration, such as interoperability

via SPML and SAML standards for badge issue, termination, badge-location

validation, SSO and RFID interface. This framework also includes connectors to

various databases for background screening like the TSA No-Fly List, CHRC.


of 19

SAFE POLICY SERVER

The SAFE Policy Server is the industry’s first patented policy management

engine that allows users to deploy globally proven best practices and policies

across disparate applications, systems and devices without requiring training or

knowledge of individual systems programming. Users can create new or update

existing policies by simply dragging and dropping appropriate live objects and

linking them on an electronic whiteboard. The SAFE Policy Server automatically

converts the visual schematic drawing of a policy into appropriate rules and

instruction set applicable to the underlying physical security infrastructure.

SAFE SUITE APPLICATIONS

ID E N T I T Y A N D AC C E S S M A N A G E M E N T

SAFE Physical Identity and Access Manager allows enterprises to manage the

lifecycle of identities as they relate to physical access. It includes wide range of

functions, including synchronized on-/ off-boarding across all systems harboring

an identity record, access profile and zone management, and role-based

physical access.

Other related modules are:

SAFE Self Service which enables identities (end users) with proper login

privileges to carry out part of physical security processes on their own.

SAFE Visitor Manager which provides an easy way to centrally pre-

register, approve, enroll and subsequently manage visitors.

SAFE Web Badging which allows to easily design and manage badge

templates, and provides centralized badge enrolment.

SAFE Physical Identity and Access Manager for PIV allows government

agencies to integrate with LDAP/HR systems to provision cardholders

(PIV, CAC, TWIC etc) in their PACS. It provides policies for PIV card

registration, identification, certificate check, and card authentication.

SAFE Visitor and Credential Management for PIV allows to enroll FIPS

201 compliant cardholders into the PACS.

SAFE Asset Manager provides central management of physical security

assets like metal keys, fobs, tokens, access cards which have been

provisioned to identities managed within SAFE.


of 19

C O M P L I A N C E A N D R I S K M A N A G E M E N T

SAFE Compliance Regulator provides a central place to enforce and monitor

compliance to external regulations (like NERC/FERC, CFATS, SOX, FDA/DEA) and

internal policies. Using a closed-loop approach, this solution allows users to

define controls for measuring and reporting compliance. Subsequently, the

system automates assessment and if found out of compliance, acts and auto-

remediates the exception scenario. It closes the loop by providing “one-click”

compliance reporting for the control back to the user..

SAFE Infraction Manager automates the process of managing security policy

infractions against the centrally-managed identities and issues any resulting

notifications or automates access privilege changes.

SAFE Document Management provides integrated document management to

facilitate collection of identity documents.

SAFE Log Analysis/ Log Management maintains log details or audit trail records

for various transactions executed within SAFE.

SAFE Watch List Manager manages an internal list of physical identities who are

potential threats to an organization along with their risk profile and historical

details.

ID E N T I T Y A N D EV E N T C O R R E L A T I O N

SAFE Event Correlation Engine provides unified user management of events and

associated identities. It is a data exchange interface for sharing identity status

and usage related to physical security alarms. It includes policy management to

configure responses and actions to identity and alarm events. It also integrates

reporting and analytics across identities and events.

S E C U R I T Y IN T E L L I G E N C E

Also called as SAFE Analytics, this block provides an executive-level, graphical

dashboard view of the overall state of an organization’s physical security

infrastructure. Each day, operational data is retrieved, aggregated and stored in

the solution. Data is processed and incorporated into web-ready reports that

contain information for higher-level analysis and drill-down capabilities. Some

of such metrics displayed include alarms by site, by alarm type, by count; sites

and devices that are generating the most alarms; badge allocation by type.

Related modules are:


of 19

SAFE Identity Analytics captures and reports metrics related to facility

occupancy and space utilization from identity data

SAFE Alarm Analytics captures and reports key security operational

metrics such as alarm count and alarm response times


of 19

TRANSFORMING PHYSICAL SECURITY USING

QUANTUM SECURE SAFE Quantum Secure has been transforming the physical security departments for

organizations of all types and magnitude to address the present-day challenges

and prepare for a secure future.

COST SAVINGS Automation of physical security processes and compliance initiatives,

integration of disjointed systems, self-service and delegated administration

results in immediate cost savings for organizations. By centralizing security

operations, organizations can do more with fewer resources.

COMPLIANCE SAFE makes physical security compliance a real-time, repeatable, sustainable

and cost-effective process. Since it eliminates manual compliance initiatives, it

has helps organizations avoid any penalties and ensures that the organization

doesn’t face any embarrassment because of compliance exceptions.

INVESTMENT PROTECTION AND FUTURE-PROOFING SAFE gives organizations the flexibility to use existing systems seamlessly

without worrying for the huge capital expenses involved in any rip-and-

replacement exercise. Organizations making frequent acquisitions can easily

integrate disparate physical security systems using SAFE.

SECURITY & REDUCED RISK SAFE enables physical security department to ensure a more secure and risk-

free workplace. Automating policies using SAFE eliminates human-led errors

and delays. Dashboards showing consolidated and correlated events reduce

time and improve quality of response from security staff. SAFE delivers

unprecedented control over the scattered infrastructure to the security

practitioners.

SAFE has improved physical

security KPIs:

Decreased average cost of

managing physical identity

by up to 30%

Reduced enrollment time by

up to 96%

Decreased average service

time for a physical security

request by up to 66%


of 19

CONCLUSION – WHY QUANTUM SECURE? The current complications and resulting implications for physical security

practitioners should encourage them to look at resolving the problem in an

innovative and yet least-disruptive manner. Quantum Secure SAFE is the only

product in the physical security industry that unifies global identity, compliance

and risk assessment in one seamlessly integrated web console. Also SAFE is the

only offering that delivers a holistic approach to identity and access

management by integrating logical security with physical security.

Marquee organizations across the world have recognized the unique value

proposition of Quantum Secure and are using SAFE to streamline their physical

security operations. Organizations of all types, including global Fortune 500

enterprises, some of the world’s largest airports, leading government

institutions have turned their investment in SAFE into a strong ROI and in the

process have minimized the risk of theft/fraud and non-compliance.

SAFE also allows the physical security department to align itself closer to the

business and more importantly to the employees. With better visibility into all

facets of the security infrastructure, security practitioners can provide key data

and insight to their peers in the real estate and property management

functions, helping save costs via better space utilization and user self service.

Quantum Secure augments the strength of its product SAFE with its high-quality

support and professional services. The testimony to the success of its vision is

the fact that its customers are now partnering in this revolutionary innovation

through a world class advisory council.

Quantum Secure recommends physical security practitioners to evaluate their

current physical security operational costs especially with respect to alignment

of security with core business of the respective organization. One will soon

realize that apart from guarding budgets, most physical security operational

costs is tied to management of identities, events and compliance across multiple

physical security systems.

Practitioners will be able to relate with one or more challenges outlined in this

paper, which can be addressed without being disruptive to the current

operations. Quantum Secure Subject Matter Experts can be reached at

[email protected] to further explain how these challenges could be

addressed. To find more about Quantum Secure and its breakthrough SAFE

solution, visit www.quantumsecure.com or call 1-408-453-1008.

Save multi-million dollars

towards rip and replace effort

Reduce operational expenses

and resources required to

operate security

infrastructure

Get real-time policy

compliance

mailto:[email protected]

http://www.quantumsecure.com/

gds international - next - generation - security - summit - us - 7

Technology