
Integrating Physical And Logical Security



Integration of Physical and IT Logical Security at Identity Summit Dubai UAE. Presented by Jorge Sebastiao from eSgulf.

Published in: Business, Technology
  • Hello, Very informative and very good and covering all the aspects. Can u share it with me. I am teaching this part to IT students in management in India. My email is Pls can you email it to me? Thank you.
  • Very nice and complete presentation. Could I have a copy of it? I'm teaching at some universities in Argentina, and would like to use your material. My email is . Thanks in advance. Roberto
  • hello, hope you could share to us a copy of this presentation. Please email me at . thanks
  • This is a pretty old doc. Having actually helped write the PHYSBITS doc, I can see that you have done a good job of extrapolating out the implications. However, it is still a bit esoteric. The idea that you can integrate these two disciplines is still beyond the scope of what most physical security groups can hope for; instead, the holy grail is to gain enough recognition for each side's authority and technology requirements to ensure proper collaboration. The day of a physical security practitioner taking over an IT security practitioner's role, or vice versa, is over. They are dramatically different disciplines. Instead, proper scoping and collaboration will help the two teams optimise their efforts based on where one ends and the other begins.
  • hey can u give me a copy of this at

Integrating Physical And Logical Security

  1. 1. Integrating Physical & Logical Security. Jorge Sebastião, CISSP, ISP, BSLA, Founder and CEO. “Security is:… a continuous skilled process which safeguards your business value…” Jorge S., 1999
  2. 2. Security
      • Protection systems
          • Safeguard assets
          • Safeguard of personnel
          • Integrate People, Process, Technology
          • Two major types:
              • Physical Security
              • Information Security (infosec)
  3. 3. Physical Security-Focus
      • Protection of physical assets
      • Personnel
      • Buildings
      • Computing Facilities
      • Physical Access Control
      • Power
  4. 4. Information Security-Focus
      • Protection of information assets
      • Computer Systems
      • Data Networks
      • Databases, Applications
      • Logical Access Control
      • Disaster Recovery
  5. 5. Signal also applies to cars of other colors
  6. 6. Signal also applies to cars of other colors
  7. 7. Scenario
      • CFO Traveling abroad for 2 weeks
          • Normally in Riyadh HQ Office
          • Now in Dubai visiting
      • Non-Integrated, non-compatible physical access control
      • Trusted employee uses CFO password to access confidential data in Riyadh
          • Normal working hours
          • Sensitive files shared with competitors
      • No Alarm raised by system???
      • No violation in either physical sec or infosec systems
  8. 8. Data Center
  9. 9. Threats and risks: Human faults; Operational disruptions; Software Faults; Incompatibility; Fraud; Forgery; Access Control; Espionage; Illegal copying; Virus; Natural phenomena; Fire, Smoke, Explosion; Destruction, Sabotage; Power Failure; Water Damage; Leakage; Theft; Vandalism; Delivery Problem; Service Disruption; Loss of Key personnel; Notice to quit, Sickness
  10. 10. Security as: TPP (Technology, Process, People)
  11. 11. Attack-NCR, IBM ATMs
      • UAE Bank Attack May-June 2003
      • Exploits ATM Vulnerabilities
      • Special Device capture cards
      • Physical Security
      • 1.5-?.? Million Dhs
      Technology
  12. 12. Microsoft
      • SQL Slammer Worm 25/01/2003
      • Exploits SQL Server 2000 Vulnerabilities
      • Documented since July 2002
      • Traveled Globe in 15 min
      Process
  13. 13. Verisign
      • Verisign 22/03/2001: Someone tricked digital security specialist VeriSign (VRSN), which authenticates parties in e-commerce transactions, into issuing two digital certificates with Microsoft's name on them. The certificates could be used by a malicious poseur to spread viruses or other harmful programs by camouflaging them as Microsoft software.
      People
  14. 14. PDR
      • Defence in Depth (layered security)
      • No Single Point of Vulnerability
      • Centralized Security Management
      • Heterogeneous
      • Effective
      • Process
      • Implement Protection, Detection, Response
      PROTECTION, DETECTION, RESPONSE, FORENSICS
  15. 15. Security = Time
      Protection, Detection, Response
      SECURITY: P > D + R
      Anti-virus; VPN; Access Control; Firewall; Intrusion Prevention; Managed Services; CIRT; Patch Mgmt; Vulnerability Testing; Intrusion Detection; CCTV; Log Correlation
  16. 16. Securing the System Effective security requires a balanced application of all methods Personnel System Security Computer Security Physical Security Process Encryption
  17. 17. Security Continuous process ASSESS ARCHITECT APPLY ADMINISTER Business Risk Controls Maturity
  18. 18. Integrated Security Management: Business Security Management; Physical Security Management; ICT Security Management
  19. 19. Security Management Processes
  20. 20. Convergence APPLY
  21. 21. Identity and Access Management Strategic Context Physical Security Network / System Application / Data Suppliers, Partners, Customers Employees
  22. 22. New Boundaries
      • Platforms
          • Data Center
          • Laptops
          • PDA
          • Mobiles
      • Distributed Access
          • Dialup, ADSL, VPN
          • VSAT
          • Wifi, WiMax
          • GPRS/3G
      • Communication Centric Applications
          • Web
          • Email
          • IPM
          • VoIP
      • Multiple Networks
          • Intranet
          • Extranet
          • Internet
      • Users
          • Employees
          • Partners
          • Suppliers
          • Customers
          • Consumers/Prospects
      • Location
          • Office
          • Internet Café/Restaurants
          • Airport
          • Hotels
          • Home
  23. 23. Identity and Access Management Interoperability Control Loosely-coupled, Dynamic exterior Tightly-coupled, Persistent interior Intranet Extranets Customers Partners/Suppliers Employees Consumers Internet
  24. 24. Identity and Access Management Flexibility Intranet Extranets Internet Control Customers Partners/Suppliers Employees Consumers Federation, Cooperation Integration
  25. 25. Physical Security: Sprinkler halon; Alarm System; UPS; CCTV System; Intrusion Detection; Intercom; Evacuation; Physical Access Control; Elevator; Fire; HVAC; Lighting; Power Mgmt
  26. 26. Physical Security Architecture
  27. 27. Biometrics Example
  28. 28. Storage SMART CCTV + biometrics Corporate LAN / WAN / VLAN Internet
  29. 29. Records Physical Protection
  30. 30. Physical Security
  31. 32. Info warfare C4
      • Command, Control, Communications, Computers
  32. 33. Logical Security Physical Security Data Encryption Host Intrusion Detection Antivirus Perimeter Security Network Intrusion Detection Remote Client VPN Access Control Remote Clientless HTTPS Disaster Recovery Content Filtering Anti-spam Intrusion Prevention Wireless Security Network / System Application/Data
  33. 34. Architecture Layers Extended Perimeter Perimeter Layer Control Layer Resource Layer Identity & Access Mgmt Physical Security Integrated Directory Security Management Policy Management Remote Employees Consumers Partners Customers Suppliers
  34. 35. Identity and Access Management Context Business policy: legal, liability, assurance for transactions Relationships to organization Applications/Services: access control and authorization Identity and information Presentation/Personalization: Identification Relationships Authentication: Identity (Person)
  35. 36. Architecture and Infrastructure Directory Access Mgmt Portal/Device Identity Mgmt Policy Propagation Administration Control Access Resources Authentication Authorization User Device? Applications Platforms Databases Physical Services
  36. 37. SSO~~Security
      • SSO and security
          • Reducing sign-on a goal
          • Single sign on is a risk in security compromise
          • Standard authentication infrastructure is good
          • SSO is not always realistic
          • Different applications
              • Different security
              • Different application states
          • Policy drives
          • No single credential should give access to everything
  37. 38. Where to spend? [Chart: RISK plotted against SECURITY INVESTMENT, each axis marked High/Low; regions labelled Excessive Exposure, Appropriate Security, Excessive Cost]
  38. 39. Return On Investment (ROI)? [Chart: ROI curve, ROI against Security Investment] ROI design = 21%; ROI implementation = 21%; ROI testing = 12%
  39. 40. Security Architecture Incidence Response Operational Monitoring Administration Change Procedures Guidelines Roles and Responsibilities Incident Reporting Physical Dynamic Controls Selection Policy Configurations Baselines Standards Awareness Education Training Logical BIA Mapping Perimeter Architecture InfoSec Policy Security Organization Conceptual P > D + R Strategy Scope Executive InfoSec Policy Steering Committee Contextual Time (Risk Management) Technology Process People
  40. 41. Beyond Technology
  41. 42. Knowledge Base Incidence Response Applying the Knowledge Incidence Response Multiple Sources of Information Partners, Vendors, CERT ,… Internal Security Research Internet, Mailing lists and other sources ADMINISTER
  42. 43. Integrated P+D+R
      Enterprise Security Management
      Routers; Switches; Firewall; N-IDS; H-IDS; IPS; Hosts; Antivirus; Access Ctrl; Biometrics; Smart Cards; Power; UPS; Fire; CCTV; P-IDS; Alarms; Others…
      1. Logs; 2. Encrypted Logs; 3. Analysis; 4. Alerting; 5. Response; 6. (Ongoing) Patching
      Incidence Response Knowledge
  43. 44. Incidence Response Incident Response Analyse Contain Eliminate Restore Lessons Policy Refine Policy Continuous Monitoring T-1 T 0 T 1 T 1 T 3 T 4 T N Communicate
  44. 45. Integrated Infosec Framework Vulnerability & Risk Assessment Assess, Audits VA, Pen-Testing, Risk Technology Strategy & Usage Technology, Tools Policy Infosec Policy, Standards Security Architecture and Technical Standards Technical Architecture Technical Standards, Baselines Security Model Information Classification and Controls Administrative and End-User Guidelines and Procedures Implementation and Configurations Administration Guidelines and Procedures Recovery Processes Incidence Response Processes Enforcement Processes Compliance Mgmt Processes CEO, Senior Management ISMS, Information Assets, IT Infrastructure Awareness, Training, Education Monitoring Processes Monitoring Processes Security Strategy Business Initiatives & Processes Business Initiatives & Processes Vulnerabilities Threats
  45. 46. Benefits of integration
      • Better Security
      • Fewer Vulnerabilities
      • Better Auditing
      • Cost Savings
      • Mitigate legal liability (negligence)
  46. 47. Challenges
      • Lack of Standards
      • Focus on technology rather than management
      • Reluctance of physical security to embrace ICT / IT
      • No roadmap for organization readiness
  47. 48. Initiatives example
      • X-industry collaboration
      • Initial participants
          • CA
          • Gemplus
          • HID
          • Software House
      • PHYSBITS-Physical Security bridge to IT
  48. 49. ?
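
The scenario on slide 7 raises no alarm because the badge records and the login records are never compared. As an added example (not part of the presentation), this Python correlates the two feeds and flags on-site logins that the account holder's physical presence cannot explain; the event layouts, user and site names, and the 16-hour staleness window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: users, sites and field layout are assumptions.
BADGE_EVENTS = [  # (timestamp, user, site, direction) from physical access control
    ("2024-03-03 08:02", "cfo", "DUBAI", "in"),
    ("2024-03-03 08:10", "analyst1", "RIYADH-HQ", "in"),
    ("2024-03-03 17:30", "analyst1", "RIYADH-HQ", "out"),
]
LOGIN_EVENTS = [  # (timestamp, account, site of the workstation) from logical access
    ("2024-03-03 10:15", "cfo", "RIYADH-HQ"),
    ("2024-03-03 10:20", "analyst1", "RIYADH-HQ"),
    ("2024-03-03 18:05", "analyst1", "RIYADH-HQ"),
]
FMT = "%Y-%m-%d %H:%M"
MAX_BADGE_AGE = timedelta(hours=16)  # assumed: older badge events are stale


def last_badge(badges, user, when):
    """Return (site, direction, time) of the user's latest badge event up to `when`."""
    latest = None
    for ts, who, site, direction in badges:
        t = datetime.strptime(ts, FMT)
        if who == user and t <= when and (latest is None or t > latest[2]):
            latest = (site, direction, t)
    return latest


def correlate(badges, logins):
    """Flag on-site logins that the physical access log cannot account for."""
    alerts = []
    for ts, account, site in logins:
        when = datetime.strptime(ts, FMT)
        state = last_badge(badges, account, when)
        if state is None or when - state[2] > MAX_BADGE_AGE:
            reason = "no recent badge event for account holder"
        elif state[0] != site:
            reason = f"account holder last badged at {state[0]}"
        elif state[1] == "out":
            reason = "account holder already badged out"
        else:
            continue  # physical presence matches the logical login
        alerts.append((ts, account, site, reason))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGIN_EVENTS):
        print("ALERT", *alert)
```

The first alert in the sample output is the one the non-integrated systems of slide 7 never raise: a Riyadh workstation login under the CFO account while the CFO's badge was last seen in Dubai.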