Page 58 - Security Today, January 2018
Management (PIAM) platforms open the door to a fully bi-directional physical security and IT governance program.
Privileged Access Devices and IoT Governance
Moving beyond fundamental cybersecurity provisions, identity access management is a hidden mountain of opportunity for securing a company’s physical security enterprise. Showcased in recent Hollywood productions is the now famous “Snowden” incident primarily involving the component of “Insider Threat.”
Through social engineering and other means, Edward Snowden obtained and abused the network privileges of up to six of his colleagues prior to releasing sensitive information outside the agency. Banks, healthcare and other businesses have equally suffered this sort of blow to their public trust due to confidential information being exported by a trusted administrator. A question arises: is the network login identity being abused by the person it was assigned to or was it hijacked by a third party? The matter of the network login accessing assets and data to which it was assigned privileges is at stake.
Administrative and delegated permissions must exist for a company to function. However, best practices around identity access management must be leveraged in order to tighten the usage of precious network permissions. Elastic rights provisioning, abnormal or harmful behavior monitoring and iterative privilege audits need to be automated. This is done by implementing the correct technology solutions and crafting a policy and procedure culture around managing these permissions across the enterprise.
Critical infrastructure and financial and aviation facilities have been forced to the forefront of this accountability framework. Contractors should not have privileges for longer than their work order/task requires and those privileges should be revoked immediately and automatically upon completion. Next, sudden departures from normal behavior for security card or network access should be flagged immediately to raise awareness. An employee may have administrative permission to go into the data center but has never before had a need to enter at 2 a.m. and access the customer account file.
This insight is achieved through today’s proliferating machine learning and data mining engines. This fully convergent data sharing should also bear the minimum fruit of allowing security (physical and IT) a transparent view across the enterprise to drive internal controls, policy enforcement and awareness of possible misuse of corporate trust and assets.
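A minimal sketch of the two checks described above, added here as an illustration and not taken from the article or any vendor product. It uses a simple per-user hour-of-day baseline in place of a machine learning engine, and the user names, door name and work-order records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample badge history: (user, door, ISO timestamp).
HISTORY = [
    ("asmith", "datacenter", "2018-01-08T09:15:00"),
    ("asmith", "datacenter", "2018-01-09T10:40:00"),
    ("asmith", "datacenter", "2018-01-10T14:05:00"),
    ("asmith", "datacenter", "2018-01-11T16:30:00"),
    ("vendor7", "datacenter", "2018-01-10T11:00:00"),
]
# Hypothetical work-order records: contractor access should end with the task.
WORK_ORDER_END = {"vendor7": datetime(2018, 1, 10, 17, 0)}

def build_baseline(history):
    """Map (user, door) -> set of hours of day seen in past access."""
    seen = defaultdict(set)
    for user, door, ts in history:
        seen[(user, door)].add(datetime.fromisoformat(ts).hour)
    return seen

def review_event(event, baseline, work_order_end, slack=1):
    """Return the reasons (possibly none) a badge event deserves review."""
    user, door, ts = event
    when = datetime.fromisoformat(ts)
    reasons = []
    end = work_order_end.get(user)
    if end is not None and when > end:
        reasons.append("access after work order closed")
    hours = baseline.get((user, door))
    if not hours:
        reasons.append("first access to this door")
    else:
        # Circular distance, so 23:00 and 00:00 count as one hour apart.
        gap = min(min(abs(when.hour - h), 24 - abs(when.hour - h)) for h in hours)
        if gap > slack:
            reasons.append(f"unusual hour ({when.hour:02d}:00, {gap}h from baseline)")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in [("asmith", "datacenter", "2018-01-12T02:00:00"),
               ("vendor7", "datacenter", "2018-01-11T11:30:00")]:
        print(ev, review_event(ev, baseline, WORK_ORDER_END))
```

The administrator's 2 a.m. entry is flagged even though the permission itself is valid, and the contractor's badge is flagged because it was still usable after the work order ended.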
Physical Identity and Access Management
“Securing security” has been a battle cry for a small band of forward-thinking manufacturers within the physical security market. Advanced IP architecture products have often been shut down at the proposal stage during meetings with IT staff who are scouring what is and is not allowed on their corporate network. Progressive security integrators have found the need to recruit cybersecurity-minded talent to accelerate alignment to today’s requirements and available technology. By taking the “fight” to the cybersecurity arena, these progressive integrators and manufacturers can support not only IT and cybersecurity departments but compliance, risk management and other internal stakeholders.
Additionally, several organizations’ CIOs and CSOs have begun to advocate cross-team hiring between IT and physical security. An IT liaison is embedded within physical security and trained on the equipment, and a physical security team member is similarly attached to IT. This cultural blending has proven to shorten project design and deployment timeframes and has shown a tremendous return on investment for service and maintenance initiatives.
When considering physical security today, organizations need to take a clear inventory of their respective teams’ technology strengths and supplement accordingly. Humbly navigating the daunting board room meetings where cybersecurity subject matter experts may have had a negative experience with physical security is the next step. Most often, there is widespread relief to find that the integrator and manufacturers have not just an awareness of cybersecurity but an urgent business posture to collaborate for the greater good. Victory comes when IT is allied to assist in protecting physical security.
Lance Holloway is the director of vertical technology at STANLEY Security.