Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
January 2012 $99
Report ID: R3621111
Next
reports
Physical and LogicalSecurity ConvergenceAs employees become more dispersed, physical security measures
need to evolve and merge with logical controls. But our trending
shows a stunning dearth of innovation and investment in
technologies such as biometrics and smart cards, as well as a lack
of integration with SEIM systems. In this report, we’ll shed light on
this often overlooked but important part of any security posture.
You’ll be surprised at what we found in the dark corner.
By Michael A. Davis
reports. informationweek.com
Previous Next
reports
3 Author’s Bio
4 Executive Summary
5 Research Synopsis
6 Victim of Circumstances
9 Smart Ideas
11 SEIM on Steroids
12 Doing It Right
14 Evolving Risks
16 Appendix
29 Related Reports
Figures
6 Figure 1: Physical Security Measures
7 Figure 2: Security Group Integration
8 Figure 3: Legacy Security Plans
9 Figure 4: SEIM Integration With Access System
10 Figure 5: Access Via Key Cards
11 Figure 6: Access Card Integration With Printers
13 Figure 7: Security Video Footage
14 Figure 8: Legacy Security Systems
15 Figure 9: Integrated Smart Card Implementation
16 Figure 10: Employee Use of Key Cards
17 Figure 11: Types of Access Cards in Use
18 Figure 12: Access Card Integration With
Employee Databases
19 Figure 13: Deployment of Geolocation
Access Policies
20 Figure 14: Event Triggers Based on
Repeated Access Control Violations
21 Figure 15: Use of RFID for Asset
Management
22 Figure 16: Camera Security System
Monitoring
23 Figure 17: IP-Based Security System
Concerns
24 Figure 18: Compliance Requirements
25 Figure 19: Job Title
26 Figure 20: Company Revenue
27 Figure 21: Industry
28 Figure 22: Company Size
CONT
ENTS
reports.informationweek.com
TABLE OF
January 2012 2
P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e
January 2012 3
Previous Next
© 2012 InformationWeek, Reproduction Prohibited
reports
reports.informationweek.com
P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Michael A. Davis is the CEO of Savid Technologies, a technology and securityconsulting firm based in Chicago, and an InformationWeek Analytics contributor.Michael is also a contributing author of Hacking Exposed, the No. 1 text onhacker methodology, and the new Hacking Exposed: Malware and Rootkits.He is a senior member of the HoneyNet project, where he is working to de-
velop data and network control mechanisms for Windows-based honeynets.Michael is an active developer in the open source community and has portedmany popular network security applications to the Windows platform, includ-ing snort, honeyd, dsniff, and ngrep. He has spoken at several conferencesaround the world, including Defcon, CanSecWest, Toorcon and MISTI, as well asto local groups.
Michael A. DavisSavid Technologies
January 2012 4
Previous Next
Remember the days of strolling into a client’s building and meeting him just outside hisoffice for lunch? Try that now and you’re likely to be tackled by a security team maintainedby building management. And therein lies one reason the 334 respondents to our Informa-tionWeek 2012 Physical/Logical Security Survey haven’t integrated these groups—today,physical security is normally outsourced. Companies don’t build buildings for themselvesmuch anymore, especially in metropolitan areas. And when you lease space, building man-agement firms usually handle everything from key card provisioning to fire alarms andcameras. Even most Vegas casinos outsource physical security monitoring. Not coincidentally then, most of the protections our respondents have put in place
match the services these firms provide: 80% have fire and burglar alarms, 74% have cam-eras, and 69% have electronic door locks. Where respondents fall short is in use of newer technologies. Biometric controls, for ex-
ample, are used by just 10%, and PC-based proximity detectors by a mere 5%. Geoloca-tion policies, which reduce the available access points to a network based on physical lo-cation, are in use by just 12%. RFID isn’t doing much better. And integration of SEIM andaccess-control systems? Shy of 20%, even though new logging products, such as thosefrom ArcSight, LogLogic and Splunk, can give IT great insight. For example, when an em-ployee uses his key card to badge in to a door, the door sensor sends a log event to thelog management system, which can then correlate the event with a login via Active Direc-tory to the worker’s PC. Furthermore, some systems allow scenario-based control, where auser who badges in to a second location without badging out from the first location willhave her badge disabled automatically. Sadly, not many are using this integration. No matter how good your building’s security team, your organization’s data is your re-
sponsibility. Given new attack vectors and mobility work patterns, now is a great time toreview your physical controls.
EXECUTIVE
reports.informationweek.com
reports
SUM
MAR
Y
P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
January 2012 5reports.informationweek.com
Previous Next
RESEARCH
Survey Name InformationWeek 2012 Physical/Logical Security Survey
Survey Date September 2011
Region North America
Number of Respondents 334
Purpose To examine the convergence of the physical and logical security paradigms
Methodology InformationWeek surveyed business technology decision-makers atNorth American companies. The survey was conducted online, and respondents were re-cruited via an email invitation containing an embedded link to the survey. The email invi-tation was sent to qualified InformationWeek subscribers.
reports
SYNO
PSIS
P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
ABOUT US
InformationWeek Reports’
analysts arm business technol-
ogy decision-makers with real-
world perspective based on
qualitative and quantitative re-
search, business and technology
assessment and planning tools,
and adoption best practices
gleaned from experience.
To contact us, write to manag-
ing director Art Wittmannat [email protected],
content director
Lorna Gareyat [email protected],
editor-at-large AndrewConry-Murrayat [email protected], and
research managing editor
Heather Vallis at [email protected].
January 2012 6
The wheels have officially come off the se-curity convergence bandwagon, according toour InformationWeek 2012 Physical/LogicalSecurity Survey of 334 business technologyprofessionals. And that’s too bad, because asour users have become more geographicallydispersed, there’s an even greater need to ver-ify identity.You remember—it all started in August
2004, when President George W. Bush signedthe ambitious HSPD-12 security directivemandating smart identification cards to con-trol physical and logical access to all federalsystems and facilities. We were all going tolink badges to computer access, thus inte-grating end users’ cyber identities with theirphysical identities. It was the holy grail of in-tegration, enabling IT to guarantee, with theuse of biometric devices, that the personwho logged in really was the account owner.In response, vendors started investing signif-icant R&D resources in smart card technol-ogy. Many private firms, seeing potential sav-
ings, announced plans to implement. Party-ing ensued.
Well, at least, that was the plan. Then hardbudget times set in. Our February 2009 survey
Previous Next
What type(s) of physical security do you have in place?
Physical Security Measures
Base: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/1
R
2012 2009
Stan
dard
fire
and
bur
glar
ala
rms
Surv
eilla
nce
cam
eras
Elec
tron
ic do
or ke
ys
Acce
ss ca
rds t
o sp
ecifi
c are
as o
f the
facil
ity
Pres
ence
det
ecto
rs
Noise
/roo
m m
onito
ring
Biom
etric
acc
ess c
ontr
ols
PC-b
ased
pro
xim
ity d
etec
tors
Othe
r
None
Don’
t kno
w
80%
88%
74%
71%
69% 71
%
64% 69
%
26%
26%
10% 13
%
10% 12
%
5% 5% 4% 2%
N/A 5%
2% 1%
reports.informationweek.com
Victim of Circumstances
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 1
January 2012 7
of 314 business technology professionalsshowed that 49% planned to be or were al-ready in compliance with HSPD-12. In ourSeptember 2011 survey of 334 business pro-fessionals, that number dropped to 43%. Today, half of our respondents have sepa-
rate physical and information securitygroups and plan to keep it that way; that’srelatively unchanged since our 2009 poll. Sowhat have those folks with internal physicalsecurity operations been up to? Not much.Most—88%—are limiting their efforts to mi-nor upgrades, gradually moving from alegacy to an IP-based system, or just main-taining what they have. Only 7% plan to domajor overhauls within the next 12 months.By “minor upgrades” we mostly mean re-
placing aging equipment with new IP-basedgear that runs over the existing data network.Meanwhile, we’re dealing with trends thatwould seem to make identity verificationmore critical and technology that makes iteminently doable. Mobile employees arelooking to gain access to your data, and soare criminals in Kyrgyzstan. Regulations aren’t
going away, but security event informationmanagement systems are more capable. Let’s zero in on geolocation, the technology
that was to single-handedly cause the inte-gration of physical and logical securitygroups. We asked respondents whether they
disable access to specific company resourcesbased on where an employee has successfullyauthenticated; 12% said yes, and 10% saidthey plan to within 24 months. The classic ex-ample is denying a user access to log in to hisworkstation unless he badged in to the front
Previous Next
2012 2009
Is your physical security group integrated with your information security group?
Security Group Integration
Yes; for 1 to 5 years
Yes; for 6 to 10 years
Yes; for more than 10 years
Not yet, but we’ll be integrating this year
No, and we have no plans to do so
Base: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/4
18%21%
13%9%
13%5%
6%14%
50%51%
R
FAST FACT
44%have integrated the
physical and information
security groups in their
companies.
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 2
January 2012 8
Previous Next
door and the third floor, where his desk is. Oryou could disallow access to a VPN from anoverseas mobile device because the em-ployee is badged in to the building in Dallas.Early implementations were plagued by prob-lems, largely related to the annoyance levelwhen an employee would forget to badgein—or worse, would forget to badge out, gethome, 45 minutes away, and could not log into the VPN because the geolocation systemstill thought he was in the office. Today, geolocation has been integrated into
many single sign-on and identity manage-ment products, and vendors such as Imprivataand Entrust have found ways around theseproblems. But the general annoyance hang-over is still hampering adoption, except in oneindustry: healthcare. Hospitals are deployinggeolocation capabilities to help increase pri-vacy and reduce the risk of unauthorized ac-cess to medical records. When a doctor entersa room, she can use her badge to log in to thePC there; when she leaves, the PC auto locksor logs her off. That doctor’s credentials can-not be used on a system at the nurses’ station
while she is in a room with a patient.There are some obvious ways these capabil-
ities could help companies with highly mobileworkforces, and the budget money may bethere: 56% of the 605 business technologypros responding to our Outlook 2012 Surveysay their companies plan to increase IT spend-ing in 2012, with just 16% foreseeing cuts. Ouradvice, given the growth of mobility, is to use
this as a driver to look at geolocation systemsrather than depending on compliance man-dates, a time-honored way to get budget forsecurity. That’s because regs generally haverelatively weak requirements around physicalsecurity controls. HIPAA, for example, simplystates that you must “implement policies andprocedures to safeguard the facility and theequipment therein from unauthorized physi-
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
2012 2009
What is the plan for your legacy security systems?
Legacy Security Plans
Major overhaul; we plan to migrate to a modern system within six to 12 months
Minor upgrades; we’re gradually moving to all IP-based equipment as legacy systems reach end of life
Status quo; we’re just maintaining what we have
We have no choice in the matter; we lease space and have little control over building physical security
Base: 171 respondents in September 2011 and 169 in February 2009 with legacy security systemsData: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/3
7%9%
46%44%
42%40%
5%7%
Figure 3
January 2012 9
cal access, tampering, and theft.” “Safeguarding” could be anything from sim-
ple keyed door locks to advanced geolocationtechnology integrated with RFID badges.There’s no mandate for the integration of log-ical identities, such as an Active Directory ac-count, with a badge, or even that securitycameras be used. A more pressing reason toget the best converged security you can af-ford: theft and the requirement for asset track-ing. Proving someone broke in is only half the
battle; how will you es-tablish that a plain-vanilla laptop recov-ered from a warehouseis yours without bothvideo and other assettracking?Not convinced? Some
other recent changes in the physical securityworld just might cause you to reconsider.
Smart IdeasWe’ve talked to a number of vendors that
are starting to provide newer technologies
and simpler integration that, depending onyour needs, may provide a good return on in-vestment for merging physical and logical se-curity functions.One such company, RFIdeas, provides prox-
imity sensors for PCs so that the smart card(which is tied to an Active Directory account)can be used as a second factor of authenti-
cation. Employees will need to have thecards on them when they sit down at theirPCs and know their passwords before theycan log in. If someone gets up to grab a cupof coffee, the sensor will automatically lockher workstation. Doctors and other officefolks who are constantly on the go are jump-ing on this technology because it allows
Previous Next
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Regulations such as HIPAA
generally have relatively weak
requirements around physical
security controls.
Have you implemented a security event information management (SEIM) system that is integrated with your access system?
16%
19%
53%
12%
SEIM Integration With Access System
Yes; all access events are logged and sent to our SEIM
No, we do not have a SEIM
No; we have a SEIM but are not logging the physical access control
No; our access system is not compatible with our SEIM
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/12
R
Figure 4
January 2012 10
them to move to different PCs around thehospital or office and not have to worryabout, for example, logging off or locking thescreen. Other vendors, such as Imprivata, have tied
proximity cards into their single sign-onproducts. Sit down at your PC, and the cardunlocks the local password store and pro-vides the capability to automatically log youin to Web and other applications across thenetwork, but only while you are at your PC.Leave and go home or walk away, and youwill need to provide a password. So in short,check out:> Active Directory integration with physi-cal smart card/badge readers. Benefit:Disable the AD account and the badge isdisabled.
> Physical card/badge readers that run overdata networks and can take advantage ofcentralization for management. Benefit:No more security system per office.
> Use of chargebacks for printer/shared de-vice usage. Benefit: Save money by dis-couraging wasteful or personal printing.
Previous Next
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
2012 2009
For which of the following are access cards required?
Access Via Key Cards
Exterior door access
Interior/room access
Data center rack access
Time-card system
Network login (RSA-style ID)
Network login (smart card)
Payment method (e.g., vending machines, cafeteria)
Non-IT resource checkout (AV, library, resources)
Note: Multiple responses allowedBase: 236 respondents in September 2011 and 232 in February 2009 at organizations issuing key cards to employeesData: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/8
91%92%
77%71%
52%55%
17%20%
12%17%
9%10%
9%9%
9%9%
Figure 5
January 2012 11
Previous Next
SEIM on SteroidsSo given such advances, why aren’t we do-
ing at least a little better? The integration oflog management and physical security con-trols, including locks, cameras and otherproximity devices, adds up to the holy grailwe identified earlier, but it comes with signif-icant problems, including uncooperativebuilding managers, back-end technical diffi-culties and human nature. It was very com-mon for an employee to badge in but forgetto badge out, which would generate helpdesk calls and other problems. Imagine theanger if you forgot to badge out of the officefront door, drove home to finish working andcouldn’t log in. Quickly, these features be-came novelties. Maybe that’s why most ofthe analysis we do with our clients showsthat they aren’t bothering to log such infor-mation, if they even have a log managementsystem in place. This is usually because build-ing management refuses to provide logs ordoes so only on an ad hoc basis, in tandemwith an investigation. Then there are the storage issues, especially
when cameras are involved. One commenterlamented the lack of DVR reliability, and wecouldn’t agree more. If a system isn’t scalableenough to connect to a SAN or NAS, it usuallyfails because of SATA drives that are not wellventilated. Oh, and forget about easy reten-tion-period configuration. OK, you get it. The technology isn’t managed
by the proper folks, so we can’t get access tothe data, and if we manage it ourselves, theproducts are hard to integrate, fail often andaren’t easily configurable. What else could gowrong? Plenty.The main reason most organizations don’t
merge their physical and information security
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Do you integrate access cards with company printers in order to track who prints what documents and uses what amount of printing resources?
9%
91%
Access Card Integration With Printers
No
Yes
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/10
R
Figure 6
January 2012 12
Previous Next
groups is, simply, because they report to dif-ferent business units. Traditionally, informa-tion security groups report to the CIO orboard of directors, while the physical securityofficer is part of the building maintenanceteam reporting to the CFO or COO. Physicalsecurity officers have other duties, too, be-sides access to corporate facilities. Most alsohave to deal with executive kidnapping issuesand insurance and theft reports, and someeven have general building maintenance
(such as roof repairs)reporting to them, socollapsing the job intothe CISO’s role justwon’t work. More importantly, a
few years ago, most or-ganizations needed to
secure access to their buildings because that’swhere all their confidential data was. Not somuch anymore. Many of our clients have gov-ernment or sustainability mandates to elimi-nate paper, and most businesses have theirservers in remote data centers staffed with an-
other set of outsourced security officers tohandle access and cameras. Sometimes, data’sin the cloud.Here’s an exercise: Compare your risk assess-
ment from 2000 with the 2011 version. Wethink you’ll find risk levels have actuallydropped in many areas. If you have a multilo-cation business, for example, not every sitewill likely house sensitive or confidential data,so you don’t need tight physical security con-trols everywhere. Add to that the growth intelecommuting, and you have a situationwhere many organizations cannot justify hav-ing anything more than a key card on thefront door—which, let’s face it, is more orna-mental than functional because people tail-gate—that is, wait for someone to badge inand enter right behind. Maybe it’s a case of anemployee with her hands full, but maybe not.
Doing It Right For those who want to implement physical
security properly, our suggestion is to startwith a list of risks you want to ameliorate andareas where you may need to have evidence
in case of a trial. Second, use as many doorlocks/sensors as possible. We’ve mentionedintegration of proximity cards with PCs, butopt for a system that has the ability to knowthat an employee did not badge in to thefront door, so why should he be able to badgein to the fourth-floor door? This type of de -fault/deny doesn’t upset employees as muchwhen they forget because it’s a simple eleva-tor ride back down to badge in, and mean-while, the setup provides you with muchmore granular access capabilities. What you definitely don’t want is to allow
general access to the building after someonehas gained admission to the main entrance.When we perform social engineering assess-ments for our clients, we regularly see thefront door as the only point that requires abadge. Once I am in, I can go to any floor andany room. This is simply the weakest way toimplement physical security as it provides noprotection at all if someone tailgates. Fortunately, 77% of our respondents require
access cards for interior rooms. We would likethis control extended to printer rooms and
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
The main reason most organizations
don’t merge physical and information
security groups is because they
report to different business units.
January 2012 13
Previous Next
shared areas, but only 9% of our respondentsuse access cards with their printers. Newerprinters allow documents to print only after acard has been swiped or a PIN provided. Theprinter can then correlate what documentswere printed by whom and be set to print outdocuments only when requested, which re-duces the chance confidential data gets takenfrom the printer when someone accidentallygrabs the two pages you printed along withthat 32-page report.One last point on designing your physical
security controls: Make sure they’ll function inthe real world. For example, you know howannoying it is to have to take an access cardout of your wallet or wear it around your neckall the time. Put your sensors in spots wherethey can easily read cards in purses or backpockets (butt level is good for most), andmake sure the sensor reading zone is wideenough that people don’t need to put thecard right next to the sensor. The more workemployees have to do, the more likely theyare to tailgate when they have two coffees intheir hands and are late to the 8 a.m. meeting.
Most of our discussion has been focusedaround access cards, but video recording isthe second-most-used physical security con-trol and is very valuable, especially if you’rein an environment where theft is possible.Back 10 or 15 years ago, CCTV was the onlyoption for security cameras, but times havechanged. Most cameras today are IP-basedand record to a variety of video formats.These enhancements are great for storinglarger quantities of data but can cause band-
width issues on your network if not config-ured properly. Also, while 61% of respondents who use
camera systems say they have reviewed videofootage or provided it to law enforcement, weroutinely see companies not deploying cam-eras properly. And most of the time, they don’tstore the video long enough. We recommendkeeping six months of footage at minimum,more if you have the storage. It can takemonths for a crime to come to light, and when
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
2012 2009
Has your company ever reviewed video security footage or provided video security footage to law enforcement?
Security Video Footage
Yes
No
Don’t know
Base: 226 respondents in September 2011 and 203 in February 2009 at organizations with camera security systemsData: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/17
61%47%
19%18%
20%35%
Figure 7
January 2012 14
Previous Next
an investigation starts, you want to make surethe video is available.Second, make sure you analyze the place-
ment and focus of each camera. While thisseems like a simple concept, you’d be sur-prised how often we see cameras mountedwhere they’re pointing to the street or can’tsee faces! We recommend a simple process:Perform a mock theft or whatever scenariosyou’re looking to prevent. Give the recordingto someone not involved in the exercise, andhave her ask questions to figure out what wasdone and by whom. If you cannot use thevideo to answer questions, tweak the angles,length, lighting or whatever is needed to getcomplete info. It’s a tough day in the officewhen you review video and see only 50% ofwhat you need to convict someone of a crime.
Evolving RisksWhile not much has changed in the physi-
cal security space for our survey respon-dents, and we’d like to see more evolutionof technologies and tools, the environmentsin which these systems are deployed and
the risks they’re expected to address havechanged. Employees are more mobile thanever, and the amount of paper-based sensi-tive data is falling. This doesn’t mean youcan ignore physical security, but you can be-come more strategic to ensure that whetheryou’re using proximity cards or biometricsor cameras, you properly match technologywith risk.Newer integration capabilities enable key
cards, such as proximity cards and biometrics,to be used at the PC automatically. Reducingthe barriers to using access technology
greatly increases the number of people whowill comply, thereby providing a goodamount of risk reduction. If you’re moving toa newer proximity system, we strongly recom-mend you look at its ability to integrate withthe identity management and single sign-ontechnologies you have in place or plan toadopt.Not many of our respondents have merged
the information security and physical securityroles, and most don’t see a need to do so be-cause the amount of time physical security of-ficers dedicate to cameras and access cards is
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
2012 2009
Do you employ legacy (non-networked) security systems, such as CCTV or proprietary card readers?
Legacy Security Systems
Yes
No
Base: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/2
51%54%
49%46%
R
Figure 8
Related Report: Securityvia SOX Compliance
Achieving compliance with Sarbanes-Oxley requirements remains a chief chore for all pub-licly traded companies—and achief budget driver for IT compli-ance and security initiatives. YetSOX’s computer security require-ments remain vague, and audi-tors’ evaluations continue to besubjective. In this report, we offeran updated look at the securityelements in SOX compliance ini-tiatives and how to keep yourcompany up to date and ready topass the next audit. We also dis-cuss the ways in which SOX com-pliance initiatives (and budgetdollars) can be used to drivebroader security efforts withinthe enterprise.
DownloadDownload
January 2012 15
Previous Next
dropping and being replaced with other con-cerns, such as kidnapping and loss preven-tion. Unless you have a compelling reason tomerge these two groups, we think it’s simplerto keep them separate. However, ensure thatlines of communication are open.Finally, while many of our respondents
stated that they are not investing in physicalsecurity controls and are buying informationsecurity controls instead, realize that manybuilding management companies will pro-vide relatively advanced physical security ca-pabilities at a price that’s usually much lowerthan what it would cost your company to doit internally. Meet with the company, or an-other outsourced firm, lay out your risks andsee what it comes up with. You might be sur-prised at how inexpensive physical securitycomponents are compared with the risk re-duction you will achieve.
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
2012 2009
In August 2004, President Bush issued HSPD-12, which mandated a secure and reliable form of identification for federal employees and contractors. In response, NIST drafted standards that defined how to comply on a technical level via identification cards that would control physical and logical access to all federal systems and facilities. Is your organization moving toward an integrated smart card similar to the models outlined by the U.S. government?
Integrated Smart Card Implementation
Yes; we are subject to HSPD-12 and we’re already there
Yes; though we aren’t subject to HSPD-12, we’ve implemented something very close to it
Yes; within 6 to 12 months
Smart cards are part of our long-range planning
Not on the map
Base: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/5
7%5%
11%12%
4%7%
21%25%
57%51%
R
Figure 9
January 2012 16
Previous Next
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e
APPE
NDIX
Table of Contents
2012 2009
Are employees issued one or more key cards?
Employee Use of Key Cards
Yes; multiple cards for physical and computer access
Yes; one for both physical and computer access
Yes; just for physical access
Yes; just for computer access
No
Base: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/6
6%9%
7%12%
56%51%
2%2%
29%26%
Figure 10
FAST FACT
29%don’t issue any key cards
to employees.
January 2012 17
Previous Next
2012 2009
What type(s) of access card(s) do you use?
Types of Access Cards in Use
Proximity access cards
Magnetic stripe access cards
Smart cards
RFID cards
RFID tags
Other
Note: Multiple responses allowedBase: 236 respondents in September 2011 and 232 in February 2009 at organizations issuing key cards to employeesData: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/7
52%61%
32%32%
21%23%
18%N/A
3%N/A
2%7%
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 11
January 2012 18
Previous Next
2012 2009
With which of the following employee databases are your access cards integrated?
Access Card Integration With Employee Databases
Security event management
HR/ERP systems
User data directories like Active Directory, LDAP
Single sign-on
None of these
Don’t know
Note: Multiple responses allowedBase: 236 respondents in September 2011 and 232 in February 2009 at organizations issuing key cards to employeesData: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/9
24%29%
18%22%
17%20%
13%13%
37%31%
15%19%
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 12
January 2012 19
Previous Next
Do you disable access to specific company resources based on where (geolocation) employees have successfully authenticated with their access cards (e.g., you disable VPN access when employees have badged into the corporate office, since they are physically at the office and not working externally)?
4%
6%
12%
64%14%
Deployment of Geolocation Access Policies
Yes
No, we have no plans to deploygeolocation policies
No, but we plan to deploy geolocation policies in the next 12 months
No, but we plan to deploy geolocation policies in the next 12-24 months
No, but we are considering deploying geolocation policies
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/11
R
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 13
January 2012 20
Previous Next
Do you automatically trigger any events based on repeated physical access control violations? For example, if a Windows ID fails to log in three times, do you trigger a CCTV camera to move and record that office/PC location?
29%30%
23%
7%
11%
Event Triggers Based on Repeated Access Control Violations
YesNo; we have no plans to add correlation
No, but we are considering adding correlation
No, but we plan to add correlation in the next 12 months
No, but we plan to add correlation in the next 12-24 months
Base: 45 respondents at organizations logging all access events and sending them to their SEIMData: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011
R3621111/13
R
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 14
January 2012 21
Previous Next
Do you leverage RFID tags or RFID tag-like technologies to provide asset management of equipment and company resources such as IT equipment, retail products or warehouse management?
14%
86%
Use of RFID for Asset Management
No
Yes
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/14
R
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 15
January 2012 22
Previous Next
2012 2009
Which best describes how your camera security system is monitored?
Camera Security System Monitoring
Legacy, independent security network (i.e., CCTV)
IP-based protocols over shared data network
Hybrid, legacy protocols over a shared IP network
Don’t have cameras
Don’t know
Base: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/15
25%25%
24%20%
18%20%
21%17%
12%18%
FAST FACT
21%don’t have a camera
security system.
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 16
January 2012 23
Previous Next
What are your biggest concerns, if any, about IP-based security systems and cameras?
IP-Based Security System Concerns
Note: Multiple responses allowedBase: 226 respondents in September 2011 and 203 in February 2009 at organizations with camera security systemsData: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/16
R
2012 2009
Band
wid
th im
pact
Stor
age
impa
ct
Vide
o qu
ality
Relia
bilit
y
Secu
rity o
f tra
nsm
issio
ns
Priv
acy
Secu
rity t
eam
’s la
ck o
f kno
wle
dge
abou
t IP-
base
d sy
stem
s
Othe
r
No m
ajor
conc
erns
; tes
ted
and
relia
ble
tech
nolo
gy
48%
48%
38%
36%
36%
24%
33%
32%
28%
35%
26%
31%
20%
26%
23%
22%
4% 3%
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 17
January 2012 24
Previous Next
2012 2009
Does your organization fall under any of the following compliance requirements?
Compliance Requirements
HIPAA
Sarbanes-Oxley
PCI-DSS (Payment Card Industry Data Security Standards)
Gramm-Leach-Bliley Act
Children’s Internet Protection Act
Other
None
Note: Multiple responses allowedBase: 334 respondents in September 2011 and 314 in February 2009Data: InformationWeek Physical/Logical Security Survey of business technology professionals
R3621111/18
34%34%
28%40%
25%24%
10%N/A
6%8%
6%6%
36%32%
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 18
January 2012 25
Previous Next
Which of the following best describes your job title?
14%
2%3%
7%
40%
4%
30%
Job Title
IT director/manager
IT executive management (C-level/VP)
Non-IT executive management (C-level/VP)
Line-of-business management
ConsultantOther
IT/IS staff
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/19
R
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 19
January 2012 26
Previous Next
Which of the following dollar ranges includes the annual revenue of your entire organization?
20%
20%
12%
6%9% 9%
6%
6%
12%
Company Revenue
$6 million to $49.9 million
Less than $6 million
Don't know/decline to say
Government/nonprofit
$5 billion or more
$50 million to $99.9 million
$100 million to $499.9 million
$500 million to $999.9 million
$1 billion to $4.9 billion
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/20
R
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 20
January 2012 27
Previous Next
What is your organization’s primary industry?
Industry
Cons
truc
tion/
engi
neer
ing
Cons
ultin
g an
d bu
sines
s ser
vice
s
Cons
umer
goo
ds
Educ
atio
n
Elec
tron
ics
Fina
ncia
l ser
vice
s
Gove
rnm
ent
Heal
thca
re/m
edica
l
Insu
ranc
e/HM
Os
IT ve
ndor
s
Logi
stics
/tra
nspo
rtat
ion
Man
ufac
turin
g/in
dust
rial, n
onco
mpu
ter
Med
ia/e
nter
tain
men
t
Nonp
rofit
Reta
il/e-
com
mer
ce
Tele
com
mun
icatio
ns/IS
Ps
Utili
ties
Othe
r
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/21
3%
5%
2%
12%
2%
12%
11%
7%
3%
8%
2%
8%
2% 2%
3%
5%
3%
10%
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 21
January 2012 28
Previous Next
Approximately how many employees are in your organization?
7%
14%
8% 17%
25%
18%11%
Company Size
100-499
Fewer than 50
50-99
10,000 or more
5,000-9,999
500-999
1,000-4,999
Data: InformationWeek 2012 Physical/Logical Security Survey of 334 business technology professionals, September 2011 R3621111/22
R
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e Table of Contents
Figure 22
SubscribeSubscribe
Newsletter
Want to stay current on all newInformationWeek Reports? Subscribe to our weeklynewsletter and never miss a beat.
January 2012 29
Previous
reports.informationweek.com
reports P h y s i c a l a n d L o g i c a l S e c u r i t y C o n v e r g e n c e
MOR
ELIKE THIS
Want More Like This?InformationWeek creates more than 150 reports like this each year, and they’re all free to reg-istered users. We’ll help you sort through vendor claims, justify IT projects and implementnew systems by providing analysis and advice from IT professionals. Right now on our siteyou’ll find:
Research: Identity Management:We know we have to get a handle on access. But what’s areasonable technical road map for rolling out cost-effective ID management? How do youproperly implement user provisioning? We’ll analyze our data and help you draw up a plan.
IT Pro Impact: Top 5 Mobile Security Threats for 2012:What should IT pros worry about aswe dive head first into the mobility era? Just ask the 59% allowing access to cloud services orSaaS via mobile devices, or the 64% planning to build custom apps. In this IT Pro Impact re-port, we’ll delve into these and other potential problems.
Strategy: SOX Security:We share 10 best practices to meet Sarbanes-Oxley security-relatedrequirements and help ensure you’ll pass your next compliance audit.
Strategy: Justifying Security Training: In this report, we’ll discuss how to get the mostbang for your buck by identifying the key components for effectively delivering securityawareness training to employees.
PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek500 and the annual State of Security report; full issues; and much more.
Table of Contents