Managing cloud security takes a holistic approach

Oct. 14, 2013
A fully integrated plan involving both physical and IT security is critical

The face of security has changed forever and now involves converged risk mitigation strategies for both physical and logical threats.

Security professionals across the world face an unending wave of cyber attacks – people looking to exploit any and every loophole or gap in protection. It is no longer safe to assume that internal personnel are exempt from suspicion, and diligence is the key to prevention.

Some of these attacks take a high-tech approach while others go to the source, which means that the number of potential threats is infinite and methods of attack always changing. As we enter a new world that increasingly relies upon technology and the cloud, it is clear that a fully integrated plan involving both physical and IT security is critical, but, alarmingly, is often given minimal attention and puts everyone involved at more risk.

Cloud computing, while still in a growth stage, is growing exponentially and is quickly becoming the most significant tool for almost every industry. In short, cloud computing lets you use files and applications over the Internet – not exactly a new concept. But use of the cloud has increased tremendously over the past few years as service providers looked for a way to increase capacity or add capabilities on the fly for clients without having to invest in new infrastructure. The security industry, often one to experiment with new trends first, jumped right in. Now, handheld devices and cloud-based applications have become the new standard for managing and viewing all aspects of physical security including video monitoring and access control.

With this move to online access of applications, physical security professionals must incorporate concerns about cyber security into their repertoire. It is critical for security professionals to understand how physical and cyber security teams must work together to protect all assets, including data management and physical devices.

While current trends and usage of both public and private cloud environments bring seemingly unlimited mobile access to security systems, we must fully understand both the risks and benefits of cloud computing for physical security, and develop a cohesive plan before implementing it across the enterprise.

Convergence -- a holistic approach to security -- remains a hot topic. It is no secret that when we augment security personnel with automation, overall coverage can be vastly improved, costs reduced and the ability to prevent crime before occurring substantially increased. 

While the ultimate goal of any security system is to lower response times and increase overall situational awareness, security personnel and emergency responders must be both capable and knowledgeable in how technology is used to augment those real-time events. That’s why both the IT organization and the security team must develop an easy to implement, organized plan that incorporates all aspects of security. The benefits of such a plan can reduce criminal activity, service disruptions and other risk factors that could impede business continuity.

The days of using only padlocks and fences for security are definitely long gone. Now, it takes critical thinking to guard against not only the usual types of threats, but also the unimaginable -- as impossible as that may seem. Through the integration of advanced security technology, such as IP video surveillance and electronic track and trace, with professionally trained guard services, security directors now can implement comprehensive asset protection plans that go far beyond the traditional. This combination improves security practices, reduces overall costs and enhances efficiency to track, monitor, and protect personnel, corporate information, and assets.

A security system needs to be approached holistically to help ensure the prevention of breaches and reduction of threats. In today’s environment, it seems we are more focused on resolving threats and crimes after they occur, instead of taking an aggressive proactive approach to securing our assets. Security systems are too often installed using the least expensive option, with little thought given to training personnel on its usage or giving them an easy way to share data and knowledge.

For instance, one typically under-utilized opportunity for integration is surveillance systems. While video today is ubiquitous, there are still many systems that utilize older analog equipment where digital and IP technology is readily available and can be less expensive in the overall cost of ownership. Moving to digital IP video systems enables roaming guards to receive real-time alerts through the use of handheld devices, which allows for rapid response to potential threats.

Video analytics have traditionally been rules-based systems, meaning software that allows you to write a rule using Boolean logic to anticipate suspicious behavior. The problem in that scenario is rules must be written for every camera since they will all have different views and encounter different potential threats. In addition, the operator needs to anticipate every potential threat, which is not really feasible. This setup can make rules based analytics software difficult to manage, while requiring substantial upkeep and providing disappointing results.

However, next-generation behavioral analytics packages operate by “learning” behavior through observation, completely eliminating the need to write rules. Within a few hours, the software learns to identify ongoing “normal” behavior and only sends out alerts or alarms related to “out of the ordinary” behavior, which can then be sent to a guard’s handheld unit to facilitate rapid response and stop potential breaches. This kind of system essentially allows the user to “set it and forget it,” making it one of the easiest, most effective systems to install and use.

The advent of IP video enables the monitoring of locations remotely via online IP networks. The beauty of this monitoring option is that it keeps a watchful eye and enables rapid, on-site response while continuing to monitor the situation. Implementing security solutions that are both cost effective and friendly to the environment are now paramount to safeguarding our nation’s future -- a future that depends on us developing long-term strategies that anticipates threats and adapts to trends in both physical and IT security.

Louisiana’s Port Fourchon, which services over 90 percent of the Gulf of Mexico's deepwater oil production, recently partnered with Crescent Guardian security and BRS Labs to integrate next generation behavioral analytics software to accompany its new advanced video surveillance system. This award-winning, state-of-the-art system began to operate immediately -- generating alerts, alarms and learning behavior from the moment it was turned on.

This kind of software instantly recognizes anything out of the ordinary and automatically sends alerts to officials, without needing to be programmed. This breakthrough ensures that first responders in Port Fourchon are receiving real-time alerts, ultimately improving response times and increasing situational awareness.

The US Department of Defense supported Port Fourchon's efforts by sharing the DoD-developed capabilities of the Knowledge Display and Aggregation System (KDAS) to serve as the basis for the Port's incident command and control system. The use of KDAS provides Port Fourchon with the unique ability to network its system with the DoD in the event of an incident requiring crucial information sharing.

The Greater Lafourche Port Commission’s new system, developed through a collaboration of several companies, is comprised of Disparate Data Sets, Incident Management, What If? Analysis, CCTV integration, Video Analytics, and Alerting integration. Soon, the Harbor Intrusion Detection System (Waterside Radar) will be integrated as well.

As criminals become more tech-savvy, it is up to security professionals to stay several steps ahead. While completely eliminating all threats is impossible, a comprehensive, integrated security plan that converges both physical and IT security can put companies in a position of power instead of fear, action instead of reaction.

Securing both public and private cloud environments, along with understanding both the risks and benefits of cloud computing for physical security, presents a sizeable challenge for security professions -- but nothing the continuously evolving security industry can’t handle. In short, physical and cyber security teams simply must work together now to better anticipate, thwart and reduce threats.

When considering your overall security system, it is important to ensure it is fully integrated and working as one cohesive unit. If you have grown your legacy system through piecemeal retrofit projects and aren’t sure if all your departments are aligned, having full service security firm perform an assessment is a prudent move. The greatest security challenge in the new century won’t be figuring out how to stop outside threats, but instead making sure your solutions are cohesive and unified. In reality, the greatest threat often comes from within.

About the Author:

Ray Cavanagh is the vice president of Crescent Guardian, Inc. (cgiprotects.com), a national security firm with offices in Atlanta, Boston, Dallas and New Orleans. He is also a board member of the ASIS (American Society For Industrial Security) Physical Security Council and also the Physical Security Council For Cloud Computing and holds CVI Certification (Chemical-terrorism Vulnerability Information) from the Department of Homeland Security.

Ray previously has led information sessions at ASIS conferences in Philadelphia and Chicago on The Convergence of Physical and IT Security and was also on an expert panel for the AAPA's 2013 spring seminar on The Role of Technology in Physical Security.

Photo courtesy of Infinova
The Universal Security Platform from Infinova takes a modular approach to moving the analog infrastructure to digital and allows a mix of products or all IP migration.