Public and Private Sector Security

Identify and discuss three essential elements of convergence within the realm of public and private sector security. Formulate a hypothesis as to the effectiveness and extent of convergence efforts over the next decade. Please note you must present a hypothesis and discuss it – not merely state a hypothesis alone.


Instructions: Fully utilize the materials that have been provided to you in order to support your response. Your initial post should be at least 350 words. APA citations.

Need in 48 hrs.

9/14/2020 The Compelling Case for Unifying IT and Physical Security | Security Industry Association

https://www.securityindustry.org/2017/11/20/the-compelling-case-for-unifying-it-and-physical-security/ 1/24


The Compelling Case for Unifying IT and Physical Security

By Thomas L. Norman, CPP/PSP (https://www.securityindustry.org/author/thomaslnorman/) on November 20, 2017



Most organizations today follow the official plan. They have their building and critical rooms secured with electronic access control, digital video and security intercoms; their IT network secured with a firewall, anti-virus and anti-malware; their website secured and their email servers secured; and both physical security and IT security were installed by the best integrators they could find. Thinking they could now rest easy, knowing that they had taken all reasonable measures a prudent company should take … not knowing they were terribly vulnerable.

But security done this way is now just an illusion. The official plan is broken. The official plan has unknowingly become a plan for the organization’s destruction. Yes, you read that right! That is not hyperbole. As you read this, organizations are being destroyed right out of business by the new landscape of security threats. And these are threats that cannot be secured using traditional strategies.

The target landscape for threat actors today is rich and safe for the threat actors. More sophisticated modern attackers are uncovering and utilizing cross-platform exploits that use the cracks between physical and IT security systems to attack the organization. This approach is new, like ransomware was new just a couple of years ago. But today, more than half of malware attacks carry a ransomware payload. In a couple of years, it is likely that cross-platform attacks will be very common, and existentially destructive.

This paper outlines how there is no longer any security without a holistic hi-tech, lo-tech, no-tech approach to security, including both IT security and physical security as a single approach, and how organizations can address the new combined threat landscape in a new, much more effective way.


When applying security measures, organizations are interested in applying countermeasures
to those threat scenarios that are:

most likely to occur

most serious in terms of damage to the organization

This paper focuses on threat scenarios that are most likely to occur and which have the very real potential to seriously damage or destroy the organization’s financial viability. This is particularly true for small and medium business enterprises. And while the threat scenarios discussed herein probably do not have the potential to destroy an enterprise organization, it is most certain that the shareholders and the public press would take notice of the incident and its aftermath. Such incidents would almost certainly damage the organization’s business reputation, which would compound the financial damages of the actual incident, and the direct costs to mitigate the incident.

Security threat scenarios, particularly IT security threat scenarios, have transformed in the
last few years from incidents that we should pay attention to, into incidents that are real
existential threats to the organizations they are striking. Many organizations are simply
closing their doors in response to these threats, and that is not an exaggeration. These are
incidents that simply must be prepared for, for the welfare of the organization, its
management, its employees and the community that it serves.

These incidents are very real. They are happening to organizations every day. You are reading about them in the news, with a sigh of relief saying “I’m sure glad that didn’t happen to us!” But the odds are seriously stacked against you. These incidents will strike most organizations within the next few years. This paper discusses what they are and how organizations can effectively mitigate the likely damages that will occur.

Let’s take a look at a few examples of why this is so important.


IT Security Is at Risk of Physical Attack Now More Than Ever Before

Case 1: The National Security Agency (NSA)

The NSA is responsible for acquiring intelligence worldwide from communications sources, primarily technology sources. This includes phones, radios and information technology networks, including the internet, dark web (an “off the internet” shadow internet where many illegal things are offered for sale, including malware kits and information on how to break into networks), TOR and private networks. The scope and depth of NSA capabilities at gathering data is simply astonishing. To perform this role, the NSA has developed highly proprietary methods for breaking into networks all over the world, carried out by a specialized hacking team of unparalleled sophistication, reportedly known simply as the Equation Group, making them quite probably the largest and most prolific hacker organization in the world, their scope being approached only by other similar agencies from Russia, China, Iran and Great Britain. Intrinsic in their mission is a focus on protecting their technology, methods and tradecraft, and the results of their exploits.


More on the NSA Hack

As this paper is being written, the forensics on the NSA attack are underway. Early indications are that this was a Russian FSB operation, aimed at embarrassing the Obama administration. The material posted on the Dark Net included scripts from 2013 such as one called “Extra Bacon” that could gain access to common firewalls (in this case, the Cisco ASA firewall). However, the Cisco ASA firewall has had a major upgrade since this script was written that would make it impossible to use against newer versions, only working on older versions that have not been updated. So far, all exposed scripts are from this era. This indicates that the insider was not directly part of the famed “Equation Group,” but someone else who worked peripherally around that group, who had only limited access to current scripts.

In August 2016, news came that the NSA itself had been hacked, possibly by Russia. The recent security attack on the National Security Agency was both audacious and very effective. The news came in the form of exploit kits being sold on the dark web. Offered for sale there were a number of exploit kits used exclusively by the NSA to break into common firewalls and routers by virtually every major manufacturer. In other words, what many would consider the crown jewels of the NSA!

Sources within the NSA who don’t want to be quoted say that this incredible “hack” was not a
hack at all. It was instead the result of an insider with critical access who simply walked out
the door with a USB chip full of the NSA’s top secrets. In other words, it was a physical
security exploit, not an IT security attack.

The federal security agency most capable of IT security lost its crown jewels to a physical
security exploit!

Case 2: Veteran’s Administration (VA) Massive Data Breach

Personal identifying information on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who took the material home in violation of VA security policies. The data stolen included names, Social Security numbers and dates of birth of the veterans. Inside sources have reportedly claimed that the data are from the VA Benefits Administration branch. If so, such data would also likely contain ratings and entitlements as well. Such information would typically also contain the amounts of VA disability deposits and the account numbers and routing numbers of banks into which such deposits are to be made. 26.5 million information technology records of the most vulnerable among us, lost to a physical security breach.

Case 3: DDOS Attack Using 25,513 IP Video Cameras from 105 Countries

Just when you thought it was safe to go back into the water, researchers from the security firm Sucuri discovered that in a very unique attack, 25,513 internet-connected IP security video cameras (physical security devices) have been connected into a massive denial-of-service botnet used in a “proof of concept” distributed denial of service (DDOS) attack against a jewelry store site. The source article indicated that this massive botnet was generating nearly 50,000 HTTP requests per second. However, Jason Thacker of White Badger Group, LLC, a leading cybersecurity consulting group, states that it is more likely that these were not HTTP requests, which would require running malware on the cameras, but rather simply HTTP/RTSP streams, which could run from unmodified cameras. The attack continued for days and researchers found that the botnet had leveraged only Internet of Things (IoT) CCTV devices from 105 countries.

This attack is truly unique. It is believed that absolutely nothing can stand up against an attack of this magnitude. Not Google, not Amazon, not the U.S. military, not anything. Further, this attack was primarily launched from IoT security CCTV devices that had been reprogrammed into multicast mode. While many believe that they should be safe against a multicast DDOS attack because they have not subscribed to it, in fact, the multicast server holds the subscription list. And that list can include any group of IP addresses, or range of IP addresses. The range could include a jewelry store, all the IP addresses served by an individual ISP, or something as large as the IP address range including the entire United States of America (however an attack of this scale is highly unlikely due to the demands on the multicast server). And all executed within milliseconds with no obvious weaponry. Obvious defenses against an attack like this include sending out multicast unsubscribe messages to the multicast servers. This would be effective because it would have an asymmetric effect against the attackers, in favor of the defenders. Thanks to Jason Thacker, CISSP, CEH, vice president and chief technology architect, White Badger Group for information on multicast attack and defense strategies.

Is Physical Security at Risk of Hacking?

Case 4

A worker at a Ukraine electrical distribution plant control center was ending his shift when he was stunned to see the cursor suddenly move across the screen and click on buttons that opened the circuit breakers that took the substation offline. The worker stared in disbelief as he watched the cursor move to a dialog box on the screen to confirm that the circuit breakers were to be taken offline.

In that moment, thousands of residents had just lost their lights and heaters.

The operator found that the mouse would not respond to his commands and continued to take additional breakers offline. Then, the machine logged him out of the control panel. Trying to log back in, the worker found that his password had been changed, and he could not regain control of the system. All he could do was stare hopelessly at the screen as the machine clicked off breaker after breaker, taking 30 substations offline. At the same time, two other power distribution centers were hacked, plunging 230,000 residents into the dark and the cold of winter. The operators themselves were fumbling in the dark. Real physical damage from a cyberattack.


Case 5
In 2008, cyber terrorists hacked into the majority BP-owned Baku-Tblisi-Ceyhan pipeline in Turkey causing an explosion with flames as high as 150 feet. Previously, the Baku-Tblisi-Ceyhan was believed to be one of the most secure pipelines in the world. But in this attack, the terrorists infiltrated the pipeline through a wireless network, tampered with the systems and caused severe physical damage. The U.S. has millions of miles of pipelines that distribute oil, hazardous liquids, natural gas and chemicals. Many of these can be reached above ground simply by walking up to them (providing for physical attacks) and also seem to be vulnerable to cyberattacks that can inflict the same kind of serious physical damage as physical attacks.

NSA Director Admiral Michael Rogers said in November 2014 that several foreign
governments had already hacked into U.S. energy, water and fuel distribution systems,
potentially damaging essential services, according to Bloomberg.

Case 6

At a recent DEFCON conference, Dennis Maldonado, security consultant at KLC Consulting
showed exactly how to hack into a variety of common access control systems, providing
access to anywhere in the facility to persons who had no authorization whatsoever to be
there. Physical access via a cyberattack.

At another DEFCON, Jason Ostrom and Arjun Sambamoorthy demonstrated how to hijack
various common video surveillance systems and extract, record and replace video on their
servers, providing attackers a way to replace video of a physical intrusion with looped video
showing no intrusion.

Case 7

As a global security consultant, I sometimes get called to evaluate system weaknesses.
Here’s an example of one involving a physical security vulnerability to IT attacks.

At an overseas facility that had switched out all of its exterior analog security video cameras
for IP cameras, I noticed that bare IT cables were attached to a wall in a publicly accessible
parking structure (one could simply walk into the structure). Following the cables, I
discovered that the cable was an un-conduited connection to a small consumer-grade digital
switch contained within an electrical panel near the parking gate.

This panel sat on a raised curb next to an adjacent parking space, and the door swung into a
walkway next to the parking space, making the panel accessible to the parking space. The
lock on the panel was broken, so it could be opened by anyone and there was no tamper
switch on the panel, so no alarm would have been reported upon opening the panel. The
digital switch inside the panel served several IP cameras, two security intercoms and an
access control panel, all located near the parking gate.


Sniffing the connection, we realized that unencrypted traffic on all of these systems flowed through the digital switch. This parking space provided unhindered access to the security system IP network including the video servers and access control system servers. In other words, using information readily available on the internet, this security system could be hacked into while sitting in a car in the public parking structure, providing the hacker with the ability to remotely unlock vehicle gates and doors, bypass alarms, guide the intruder through the facility and into the most restricted areas of the facility, and after having left, he could overwrite the video with looped video showing no intrusion during the time period of the intrusion. Because this was an enterprise-class system connecting every facility in the organization, the hacker could gain entry to any facility in the entire enterprise, all from the comfort of his car.

This would classify as a failure of both IT and physical security for the organization on a
colossal scale. And we see things in some way like this almost every month.

IT and Physical Security – Or Just One Security Model Including Both?

Have one goal: overlapping security. Understanding that IT security attacks often involve
physical security breaches and physical security breaches sometimes involve IT security
hacks means a dedication to both is necessary.

From the illustrations above, we can see that an organization’s physical security and their IT security are each at risk from vulnerabilities in the other. One cannot secure their organization without securing both properly. Each is dependent on the other. While lawsuits against organizations involving physical security insufficiencies abound, failure to comply with IT security requirements, particularly HIPAA (Health Insurance Portability and Accountability Act) compliance, can have truly profound and devastating effects on the organization and individuals within the organization who violate HIPAA guidelines and regulations. In one case in 2010, a former UCLA Healthcare System surgeon was sentenced to four months in prison for a HIPAA violation. In April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that included criminal HIPAA violations.

Compliance violation fines can also be severe. In 2014, a New York Hospital and major university were fined $4.8 Million for HIPAA violations. Small businesses are not immune either. Mom and pop businesses have been hit with fines and remediation costs, legal fees and others totaling up to six figures. Since October 2006, Visa has levied $3.3 million in fines for post-incident discovery of non-compliance, with more than 80 percent of the credit card breaches having occurred at small businesses. It’s not any better for enterprise class organizations. “… Target incurred a $162 million loss over 2013–2014 after its data breach, in addition to experiencing a staggering 46 percent drop in profits in the Q4 2013 holiday shopping season immediately following the attack. More recently, the company has agreed to pay $67 million to financial institutions that issued credit cards for which the security was compromised in the breach. And now the courts have opened the gates for banks affected by the attack to file additional class action suits against the retailer.” And this does not include the long-term loss of business due to the damage to their business reputation. Data loss incidents can be very, very expensive.


The “Ponemon Institute 2016 Cost of Data Breach Study: Global Analysis”
reported that the average organizational cost of data breach in the U.S. rose
from $5.85 million in 2014, to $6.53 million in 2015, to $7.01 million in 2016.

So compliance with IT security standards is essential to the welfare of the organization,
whether large or small. It is essential then, that organizations large and small secure both
their IT systems and data, and their physical access to the facility containing sensitive
information, whether in paper or binary form.

A Compliance-Based Data Loss Protection Plan

A comprehensive IT/physical security program requires a plan. Nearly every organization
today falls under one or more data privacy compliance standards. This is not only one of
the best ways to start a data protection plan, but to take any other approach risks putting
the organization into non-compliance and subjecting it to legal penalties.

The major compliance standards include:

HIPAA (Health Insurance Portability and Accountability Act): HIPAA applies to any business that touches health care records with personally identifying information (PII), including hospitals, clinics, senior care facilities, pharmacies, even janitorial firms and security firms, etc., that could see such records in a health care environment.

SOX (Sarbanes Oxley Act of 2002): SOX is designed to protect shareholders and the public from accounting errors and fraudulent practices from affected organizations.

FISMA (Federal Information Security Management Act of 2002): FISMA protects
government information, operations and assets against natural or man-made threats.

GLBA (Gramm Leach Bliley Act): GLBA requires many companies to protect
themselves against unauthorized access, anticipate security risks, and safeguard a
consumer’s nonpublic information. It also prohibits individuals and companies from
obtaining consumer information using false representations. GLBA also gives
consumers privacy notices that explain the institutions’ information-sharing practices.

FERPA (Family Educational Rights and Privacy Act): FERPA gives parents access to
their child’s education records, an opportunity to have the records amended, and some
control over the disclosure of information from the records.

PCI/DSS (Payment Card Industry Data Security Standard): PCI/DSS is the premier compliance standard in the private sector and it applies to any business or individual that is processing payments by Visa, MasterCard, American Express, Discover and JCB. Companies and organizations perform validation annually, by an external qualified security assessor (QSA) or by a firm-specific internal security assessor (ISA) who creates a report on compliance (ROC) for those companies that are processing large volumes of transactions. For smaller companies, a self-assessment questionnaire (SAQ) is used.


These are the most common data privacy protection compliance standards. There are
additional federal, state and contractual standards that may apply.

There is a huge security exposure for any organization accepting credit card payments. These businesses are easy targets for hackers due to the inadequate technical security provisions available from the credit card industry, and the penalties and all of the risk have been pushed down from the financial institutions and payment processors, down to the companies that accept credit cards. Finally, the financial penalties for non-compliance for businesses that accept credit cards can be crushing, especially on small and medium-sized businesses.

It is unlikely that any single organization will be held accountable under more than a few of
these requirements. But it is certainly necessary for every organization today to understand
which standards and acts they are held accountable under. Remember, penalties for non-
compliance can be severe, and for small businesses, it could mean the end of their
business.

The following is a 10-point plan to get any organization to full compliance with government
(HIPAA, SOX, FERPA, GLBA and FISMA, etc.) and contractual obligations (PCI/DSS), and can
also help secure the treasured data from unauthorized access, disclosure and harm.

1. Get a “C-Level” Commitment to Security

C-level executives set the culture for the entire organization. Others follow their example. When a C-level executive short-cuts security measures, you can expect that others will too. When they are scrupulous in following security policy, others will be too. So commitment from the “C-suite” to security policy is essential to the success of the program, and essential to the success of the organization. This commitment minimizes not only the organization’s risk of security incidents themselves, but also minimizes the organization’s risk of findings of negligence related to a compliance-involved security breach, which may occur no matter what security measures are taken. It is important to understand that security breaches do occur, even to the best prepared organizations (the NSA, for example). And when the compliance auditors come to examine the breach, a finding that the organization has taken reasonable measures to prevent and mitigate a breach goes a long way towards keeping any compliance fines as low as possible, or nothing. Obvious non-compliance, the lack of a coordinated security program either in IT security or physical security can result in six-figure fines, and for some individuals, jail time.

One of the C-level executives should be named as the chief security compliance officer. This is essential because, in the event of a compliance-related security breach, the C-suite will be held responsible by the compliance agency for the breach and may in some cases be held individually responsible for fines and other penalties. It is far better for a C-level executive to take that responsibility on so that the security program has guidance from a company officer who is committed to the success of the program, and the authority to ensure that commitment is followed by everyone in the organization.


2. Know Your Legal Obligations for Data Protection

Few organizations thoughtfully realize that security is part of the core mission of their
organization.

Every organization begins with a mission. It develops programs in support of that mission,
and those programs acquire four kinds of assets:

people: employees, contractors, vendors and customers

property: real property, fixtures, furnishings and equipment including IT systems

proprietary information: information to be safeguarded, especially under mandated
compliance requirements

the organization’s brand: the business reputation of the organization

Intrinsic in the sustainability of any organization is the obligation to keep those four classes
of assets secure. Organizations often think of security as a non-revenue producing business
unit that usually cannot display its value as well as, for example, the accounting department
can. But a relaxed attitude about security can lead to disastrous results, especially in
compliance areas.

Every organization must know the compliance standards that it is mandated to follow.
Ignorance of such is not an acceptable excuse.

Compliance standards may emanate from federal or state laws or regulations, and are
enforced by federal or state agencies, or by civil or criminal lawsuit.

Compliance standards may also emanate from private contracts with other
organizations, such as financial or health care institutions.

Many small and medium-sized businesses may not even be aware that they are legally
obligated to follow specific compliance standards, those legal obligations being part of a
private contract that the organization may have signed. Those obligations have legal and
financial ramifications.

The two most common ways to determine what compliance standards your organization is
required to follow are to find an attorney who specializes in data loss protection compliance
law, or to use a software program such as ZenGRC from Reciprocity that walks you through
a series of questions to determine which federal, state and commercial compliance
standards may apply to your organization.

Understand What Assets Need Protection

Classify your assets by criticality. [23] The top critical assets of every organization include:


people

business operations

business reputation (the brand)

proprietary information, especially compliance-related information that the
organization is legally obligated to protect and defend

3. Define Your Risks

The simplified risk formula R = P*V (Risk = Probability * Vulnerability) includes the probability
of threat scenarios occurring multiplied by vulnerability.

IT security vulnerabilities include, among others, poor user authentication, inadequate and
misconfigured firewalls, failure to read logs, rogue access devices, company data stored on
personal devices, mobile devices, and unpatched and unpatchable devices.

IT security threats include disgruntled and negligent employees (insider threats), third-party
service providers, malware (especially ransomware), targeted hacking and email phishing,
among others.

Key mistakes include overreliance on security monitoring software, technology innovations
that outpace security provisions, outdated operating systems, lack of encryption,
organization data on unregistered user-owned mobile devices, IT “diplomatic immunity”
within your organization, lack of management support, challenges recruiting and retaining
qualified IT staff, and failure to segregate IT security audit duties.

Firms should understand the source of threats and weigh the probability of being struck by
each. For example, malware and phishing attacks have a much higher likelihood of occurring
than a targeted attack. However, the potential for damage from a targeted attack, if carried
out, is much higher, especially against highly proprietary information such as compliance-
mandated PII, trade secrets, patents, formulas and the business reputation.

Then, perform an IT system audit to evaluate the system vulnerabilities. This includes:

data loss protection measures (for data at rest and data in motion)

data backup measures (frequency, completeness and immunity from ransomware) …
and don’t forget backup images of servers and workstations (operating systems,
applications and configurations)

map the infrastructure

map the endpoints including wired, wireless and mobile devices including printers [24][25]


map the operating systems in use by all servers and endpoints, ideally including
patch/update status

review the IT security policies and procedures

review applications in use and their update status (understand that some applications
may not be compatible with the latest patches of other software on the machine; for
example, some apps may not work with the latest version of Flash, or the operating
system may not be compatible with the latest version of an
application … hint: an operating system update is indicated)

All of the above establishes the IT security risk (R=P*V).

4. Perform a Gap Analysis

Compare what the organization is legally required to do for IT security (from a mandated
compliance standpoint) with the vulnerabilities exposed in the system audit. The delta is the
gap that must be filled to be compliant. This forms the basis for the IT security
implementation plan, which typically includes factors such as:

existing equipment and software (determines compatibilities and incompatibilities)

business culture (determines user interfaces, if applicable)

financial issues (for example, can the organization afford managed services vs.
something less proactive?)

end user preferences, if any

5. Set Forth an IT Security Implementation Plan

The gap analysis will help create a roadmap for what policies, procedures, hardware,
software and configurations are needed to bring the IT system from where it is now to
where it needs to be to achieve full compliance.

Create an implementation plan from the gap analysis.

Budget and acquire necessary hardware, software and third-party assistance to
implement the plan, prioritized by the highest priority assets and any exigent
emergencies.

Schedule the implementation plan based on priorities above.

Implement controls for the minimum acceptable downtime.

Verify system operations after each part of the implementation plan to be sure that
one doesn’t need to step back due to an incompatibility.

Verify that the desired readiness to pass a compliance audit is reached.

6. Define the Physical Security Risks

The same four top critical assets apply to physical security for the organization:

people

business operations

business reputation (the brand)

proprietary information, especially information whose privacy the organization is legally
obligated to protect

Again, Risk = Probabilities * Vulnerabilities. Probability comprises the applicable threat
scenarios.

Determine Possible Threat Actors and Likely Threat Scenarios

Physical security threat actors may include terrorists, violent criminals, economic criminals,
activists and petty criminals.

The possible threat scenarios will depend on the physical environment at the facility and the
existing countermeasures in place. It is best to retain a qualified consultant to determine
possible threat scenarios. Malicious IT threat actors who would gain access through physical
vulnerabilities should be included in the threat scenario mix. From the list of considered
scenarios, estimate the probabilities prioritized by asset criticality (focus on people).

Assess the Physical Security Vulnerabilities

An assessment of the organization’s physical security vulnerabilities should include a review
of:

where unauthorized access may be occurring, or could occur

where entrances and exits to critical spaces may not have a quality working security
video camera

where undetected and/or unobserved intrusions could occur to the property, the
buildings and critical areas within the buildings

the access control process, to make certain that access credentials are sufficient and up-to-
date, that the access control database is current, and that the areas each user is granted
access to are kept up-to-date and appropriate for that user

the physical security policies and procedures, including pre-hire background checks as they
relate to security vetting, looking for any discrepancies against the needs of the
organization

current security staffing, to be certain that it fits the current needs of the organization


Calculate the Risk: Risk = Probability * Vulnerability

7. Perform a Physical Security Gap Analysis

Review the risk analysis and create a gap analysis from the vulnerabilities that remain once
the existing mitigating measures are subtracted from the risk.

8. Create a Physical Security Plan

From the gap analysis, create a proposed physical security implementation plan, which will
include:

updates to physical security policies and procedures

policy-driven vulnerability patches (additional card readers, alarm points, video
cameras, intercoms, etc.)

updates to security staffing, if needed

budget and acquire necessary security hardware, software, configurations and staffing

implement the plan

review the results to be sure the plan is meeting the needs of the organization

9. Training and Testing

Both IT security and physical security policies need to be pushed out to employees in a way
that can help ensure the success of the program. Employees who are not aware of security
policies cannot be expected to follow them. Review C-suite security policy compliance and
remind if necessary that employees emulate what they see from upper management.

Employee training and compliance involves five elements:

Update the employee policy manual and ensure that all employees sign off on the
updates.

The Compelling Case for Unifying IT and Physical Security © 2016 Security Industry
Association 14

Provide ongoing training on areas of widespread non-compliance.

Counsel individual employees on individual non-compliance.

Test employees on compliance (bait phishing emails; be observant of employees who
show resistance to security policies or have expressed a willingness to circumvent
them, and record the non-compliance for counseling).


Discipline (advisory notice, up to termination) for repeated evidence of non-
compliance.

10. Putting It All Together

When developing the security plans for both IT security and physical security, pay special
attention to how cyber risks can create physical security vulnerabilities and how physical
security risks can create cyber vulnerabilities.

Cyber risks that can create physical security vulnerabilities:

IP devices outside the skin of the building that are not on their own VLAN and
firewalled

digital switches that have open unused ports

no VLAN between the physical security system and the organization’s business network

shared physical security/business IT system servers

unencrypted communications on the physical security system (should be encrypted all
the way to the endpoints)

switches that are not “locked” onto the MAC address and (if possible) the chipset of the
attached endpoint, allowing a replaced device attack

switches that are not configured to lock out any device if the connected device is
disconnected (I know, it’s a pain to reprogram each time you replace a failed device,
but this configuration completely blocks anyone who unplugs a device and tries to tap
into the new open port.)
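As an added example (not part of the original article), here is a small audit that reads an IOS-style switch configuration and flags the weaknesses in the list above: security devices left on the business VLAN, open unused ports, and ports that are not locked to the attached device's MAC address with a shutdown-on-violation policy. The configuration text, interface names and VLAN numbers are constructed; the port-security commands follow Cisco IOS syntax, which this example assumes is the switch platform.

```python
import re
from typing import Dict, List

# Constructed assumptions for this example: VLAN 10 is the dedicated physical
# security VLAN; any other access VLAN is treated as the business network.
SECURITY_VLANS = {10}
SECURITY_DEVICE_HINTS = ("camera", "reader", "intercom", "alarm")
DEFAULT_ACCESS_VLAN = 1  # IOS puts an access port in VLAN 1 when none is set


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style running-config into {interface name: [its commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit_interface(cmds: List[str]) -> List[str]:
    """Findings for one access port against the weaknesses listed above."""
    cmdset = set(cmds)
    if "shutdown" in cmdset:
        return []  # administratively down: an unused port handled correctly
    description = next((c[len("description "):] for c in cmds
                        if c.startswith("description ")), "")
    vlan = DEFAULT_ACCESS_VLAN
    for c in cmds:
        m = re.fullmatch(r"switchport access vlan (\d+)", c)
        if m:
            vlan = int(m.group(1))
    findings = []
    if not description:
        findings.append("open unused port: no description and not shut down")
    is_security_device = any(h in description.lower() for h in SECURITY_DEVICE_HINTS)
    if is_security_device and vlan not in SECURITY_VLANS:
        findings.append(f"security device on business VLAN {vlan}: "
                        "move it to a dedicated, firewalled VLAN")
    if "switchport port-security" not in cmdset:
        findings.append("no port-security: port is not locked to the attached "
                        "device's MAC address")
    else:
        # Sticky MAC retains the learned address; violation shutdown err-disables
        # the port when a different device appears, so a swapped device stays
        # locked out until an administrator clears it.
        if "switchport port-security mac-address sticky" not in cmdset:
            findings.append("port-security without sticky MAC: learned address "
                            "is not retained")
        if "switchport port-security violation shutdown" not in cmdset:
            findings.append("violation mode is not shutdown: a swapped-in device "
                            "is not locked out")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface; only ports with at least one finding are returned."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_interface(cmds)
        if findings:
            report[name] = findings
    return report


# Constructed sample running-config (not taken from any real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description camera-north-lot
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/2
 description camera-loading-dock
 switchport access vlan 1
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 description door-reader-lobby
 switchport access vlan 10
 switchport port-security
!
"""

if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, *("  - " + f for f in findings), sep="\n")
```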

Physical Security Vulnerabilities That Can Create Cyber Risks:

Pay attention to employee vetting. Ask the NSA about Edward Snowden, ask the Army
about Private Bradley Manning, ask any organization about the one they took just
because he looked good to the interviewer and turned out to be a criminal afterwards.
Every organization needs to have good criminal background and psychological vetting.
And trust me, criminal background vetting can be done in a way that does not prevent a
paroled or fully served offender from getting a good job. Just don’t allow a person with
a criminal history in, say, identity theft to get anywhere near personal identifying
information.

Keep all cabinets with IP connection in them locked and fitted with an operating
tamper switch.

Ensure that all digital switches, routers and servers are located behind locked doors
(that are kept locked!), and the rooms they are in are fitted with motion detectors and
security video cameras.


Keep security servers in locked racks fitted with tamper switches.

Keep video cameras viewing sensitive areas out of the view of the public or non-
qualified viewers.

Make sure that the physical security system is firewalled and equipped with an IP
intrusion detection system and that the firewall and server logs are viewed or audited
daily (best if by automated software, followed by a qualified analyst or manager for the
filtered log report).

Disconnect all USB and DVD drives on security workstations except for the workstation
that is designated to export security text reports and video incident report DVDs.

Summary

Both IT security and physical security will always have exposed vulnerabilities. Increasingly
skilled threat actors look for and exploit these vulnerabilities within each discipline, and
increasingly across the chasm between IT security and physical security. There really isn’t a
line anymore. Vulnerabilities in one system can and are easily being used to exploit the
other. Compliance driven requirements can present great exposure to the organization,
where vulnerabilities can be exploited. Organizations should blend both physical security
and IT security programs for their own welfare, using specialists in each domain who work
together to seal the doors against determined threat actors. This additional element will also
further assist in reducing the organization’s liability exposure for any compliance breaches
that may occur.

The risk model outlined in the paper is a simplified risk model (to keep the text within
length). Each of the elements discussed herein contains other constituent components that
may need to be explored, especially if the case in point is an enterprise-class organization.

Constituent Components

Risk components:

probability (or likelihood)

vulnerability

(rank risks by consequences)

consequences (can be applied to each asset)

asset value to the sustainability of the organization

asset value to ongoing operations

asset value in terms of direct and indirect costs of a breach

Probability components:


threat scenarios

likelihood

Vulnerability components:

accessibility

surveillance opportunities

intrinsic vulnerability (with no countermeasures)

natural countermeasures

physical measures (locks, barriers, fences, lighting, etc.)

electronic measures (access control, video, communication, etc.)

operational measures
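The risk model of sections 3 and 6 (R = P * V), together with the constituent components listed above, carried through as an added worked example that is not from the paper: likelihood per threat scenario, intrinsic vulnerability reduced by the countermeasures already in place, prioritization by asset criticality and consequence, and a gap analysis of what remains above tolerance. All assets, scenarios, scores, the tolerance and the multiplicative countermeasure model are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int    # priority rank, 1 = highest; the paper puts people first
    consequence: float  # 0..1, impact of a breach on sustainability, operations, cost


@dataclass(frozen=True)
class Scenario:
    name: str
    asset: str                      # which of the four asset classes it threatens
    likelihood: float               # P: probability the threat scenario occurs, 0..1
    intrinsic_vulnerability: float  # V with no countermeasures in place, 0..1
    countermeasures: Tuple[Tuple[str, float], ...] = ()  # (measure, effectiveness 0..1)


def residual_vulnerability(s: Scenario) -> float:
    """Vulnerability left after the existing countermeasures (assumed independent)."""
    v = s.intrinsic_vulnerability
    for _, effectiveness in s.countermeasures:
        v *= 1.0 - effectiveness
    return v


def risk(s: Scenario) -> float:
    """R = P * V, with V taken after the countermeasures already in place."""
    return s.likelihood * residual_vulnerability(s)


def prioritize(scenarios: List[Scenario], assets: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Order scenarios by asset criticality first (people before everything else),
    then by consequence-weighted risk within each asset class."""
    def key(s: Scenario):
        a = assets[s.asset]
        return (a.criticality, -risk(s) * a.consequence)
    return [(s.name, risk(s)) for s in sorted(scenarios, key=key)]


def gap_analysis(scenarios: List[Scenario], assets: Dict[str, Asset],
                 tolerance: float) -> List[dict]:
    """Residual risks above tolerance are the gap the implementation plan must close.
    needed_effectiveness: minimum effectiveness one additional countermeasure must
    have to bring R below tolerance under the same multiplicative model."""
    gaps = []
    for name, r in prioritize(scenarios, assets):
        if r > tolerance:
            gaps.append({"scenario": name,
                         "residual_risk": round(r, 4),
                         "needed_effectiveness": round(1.0 - tolerance / r, 4)})
    return gaps


# Constructed sample data, not figures from the paper.
ASSETS = {a.name: a for a in (
    Asset("people", 1, 1.0),
    Asset("business operations", 2, 0.8),
    Asset("business reputation", 3, 0.6),
    Asset("proprietary information", 4, 0.9),
)}

SCENARIOS = [
    Scenario("email phishing leading to PII exfiltration", "proprietary information",
             0.6, 0.8, (("mail filtering", 0.5), ("user awareness training", 0.25))),
    Scenario("targeted attack on trade secrets", "proprietary information", 0.05, 0.9),
    Scenario("ransomware halts operations", "business operations",
             0.4, 0.7, (("offline, tested backups", 0.6),)),
    Scenario("replaced-device attack on an unlocked switch port", "business operations",
             0.1, 1.0),
    Scenario("workplace violence at the main entrance", "people",
             0.02, 0.5, (("access control at entrances", 0.5),)),
]

if __name__ == "__main__":
    for name, r in prioritize(SCENARIOS, ASSETS):
        print(f"{r:.3f}  {name}")
    for gap in gap_analysis(SCENARIOS, ASSETS, tolerance=0.05):
        print(gap)
```

Note that the gap list is ordered by asset criticality, not by raw risk: the phishing scenario carries the largest residual risk but lands last because it threatens the lowest-ranked asset class.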

Thomas L. Norman (tnorman.ppi@gmail.com) is global security consultant for Ingram Micro
(http://www.ingrammicro.com/).

References

1. Items 1 and 2 above are both referenced from Rand Corporation, “Emerging Threats and Security
Planning – How Should We Decide What Hypothetical Threats to Worry About,” Rand Occasional Paper,
Homeland Security Division, 2009, Rand Corporation.
2. PCI fines for SMB businesses can reach up to $100,000 per month of non-compliance, possibly
bankrupting some SMB businesses. PCI NonCompliant Consequences,
http://www.focusonpci.com/site/index.php/PCI-101/pci-noncompliant-consequences/Print.html
3. CSO Magazine, “Does a data breach really affect your firm’s reputation?” by Doug Drinkwater, CSO,
January 7, 2016.
4. Chief Executive Magazine, “Existential Threats: 5 Tips for Educating Boards on Data Security” by Brian
Stafford, February 17, 2016,
http://chiefexecutive.net/existential-threats-5-tips-for-educating-boards-on-data-security/
5. Security InfoWatch, “When will your data breach happen: Not a question of if but when,” by David
Barton, March 10, 2015.
6. Cato Institute, “CATO at Liberty,” by Julian Sanchez, August 19, 2016,
http://www.cato.org/blog/nsa-hackers-hacked?gclid=CKGF15aK2M4CFdg9gQod_P8Ftw
7. Business Insider, “Edward Snowden: Russia might have leaked alleged NSA cyberweapons as a
warning,” by Rob Price, August 15, 2016,
http://www.businessinsider.com/shadow-brokers-claims-to-hack-equation-group-group-linked-to-nsa-2016-8
8. Ars Technica, August 22, 2016, “Hints suggest an insider helped the NSA ‘Equation Group’ hacking
tools leak,” by Sean Gallagher.
9. SC Magazine, “U.S. Veteran Affairs Department settles data breach case,” by Chuck Miller, January 28,
2009, http://www.scmagazine.com/us-veteran-affairs-department-settles-data-breach-case/article/126518/
10. ThreatPost, “Botnet Powered by 25,000 CCTV Devices Uncovered,” by Chris Brook, June 28, 2016,
https://threatpost.com/botnet-powered-by-25000-cctv-devices-uncovered/118948/
11. Wired Magazine, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” by Kim Zetter,
March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
12. Bloomberg Technology News, “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar,” by Jordan
Robertson and Michael Riley, December 10, 2014,
http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
13. DEFCON Communications Inc., DEF CON 23 presentation by Dennis Maldonado, KLC Consulting,
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Dennis-Maldonado-Are-we-really-safe-bypassing-access-control-systems-UPDATED
14. ViperLab, Sipera Systems, DEF CON 17, “Advancing Video Attacks with Video Interception, Recording,
and Replay,” by Jason Ostrom and Arjun Sambamoorthy, July 31, 2009,
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-ostrom-sambamoorthy-video_application_attacks
15. Outpatient Surgery, “UCLA Researcher Gets Jail Time for HIPAA Violations,” April 2010,
http://www.outpatientsurgery.net/surgical-facility-administration/legal-and-regulatory/ucla-researcher-gets-jail-time-for-hipaa-violations-corrected-version–04-29-10
16. InfoRiskToday, “Prison Term in HIPAA Violation Case,” by Marianne Kolbasuk McGee, February 20,
2015, https://www.inforisktoday.com/prison-term-in-hipaa-violation-case-a-7938
17. HHS.gov, “Data Breach Results in $4.8 Million HIPAA Settlements,” May 7, 2014,
http://www.hhs.gov/about/news/2014/05/07/data-breach-results-48-million-hipaa-settlements.html
18. PMQ Pizza Magazine, “Don’t Let Credit Card Fraud Put You Out of Business,” by Tracy Morin, May 2016,
http://www.pmq.com/May-2016/Dont-let-credit-card-fraud-put-you-out-of-business/
19. Braintree, “PCI Compliance Fines for Small Business Breaches,” October 17, 2007,
https://www.braintreepayments.com/blog/pci-related-fines-for-breaches-at-small-businesses/
20. Chief Executive Magazine, “Existential Threats: 5 Tips for Educating Boards on Data Security,” by Brian
Stafford, February 17, 2016,
http://chiefexecutive.net/existential-threats-5-tips-for-educating-boards-on-data-security/
The “Ponemon Institute 2016 Cost of Data Breach Study: Global Analysis” reported that the average
organizational cost of a data breach in the U.S. rose from $5.85 million in 2014, to $6.53 million in 2015,
to $7.01 million in 2016.
21. Business Law Today, “The Practical Tech Lawyer: Advising a Company on Data Security Compliance,”
by Theodore F. Claypoole, November 2014,
http://www.americanbar.org/publications/blt/2014/11/04_claypoole.html
22. Thomson Reuters, “Demonstrating how non-compliance can mean the end of a firm or career,”
December 3, 2014,
http://thomsonreuters.com/en/articles/2014/demonstrating-how-non-compliance-mean-the-end-of-a-firm-or-career.html
23. InformationWeek, DarkReading, “It’s Time to Treat Your Cyber Strategy Like a Business,” by Jason
Polancich, January 9, 2015,
http://www.darkreading.com/messages.asp?piddl_msgthreadid=22391&piddl_msgid=278778
24. Includes information from: CIO Magazine, “6 Biggest Business Security Risks and How You Can Fight
Back,” by Jennifer Lonoff Schiff, January 20, 2015,
http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html
25. Includes information from: Berry Dunn, “The Top 10 Information Security Risks for 2015,”
http://www.berrydunn.com/news-detail/top-10-information-security-risks

9/14/2020 Centrify: 2012 in Cloud Computing — Expect More Consumerization and More Security Concerns : @VMblog

https://vmblog.com/archive/2011/11/08/centrify-2012-in-cloud-computing-expect-more-consumerization-and-more-security-concerns.aspx#.X1_admhKiUl 1/3

Centrify: 2012 in Cloud Computing — Expect More Consumerization and More Security Concerns


What do Virtualization and Cloud executives think about 2012? Find out in this VMblog.com series exclusive.

2012 in Cloud Computing – Expect More Consumerization and More Security Concerns

A Contributed article by Tom Kemp, President and CEO of Centrify Corporation

Many IT folks and virtualization and cloud vendors see cloud computing as a logical extension of virtualization technologies, and rightly so. But I have a
extension of the “consumerization” of Information Technology (“IT”) trend that has been sweeping through organizations and corporate IT departments
vis the cloud is: Expect more of that same mentality shaping the cloud.

Let me drill down on that a bit. When most people think of the consumerization of IT happening in organizations, they think of end users bringing into w
connecting them to the corporate network. This Bring Your Own Device (“BYOD”) phenomenon is definitely widespread as one looks around today’s con
been there for many years even before iPads and Android devices were being brought into the workplace. End users and departments for years now hav
deployments of Dropbox, Salesforce.com, etc. And these same users and departments are also BYO-ing Servers (“BYOS”) by independently spinning up
with virtualization being an enabling technology to make that happen.

They did this BYO-ing because it was cheaper and easier to spin up new apps and servers in the cloud, and they got more functionality, and they were n
and timelines. The end result is that we are seeing a shift from IT assets inside the firewall to IT assets migrating outside the firewall. And in the future
off-premise resources.


Historically, IT departments provided company-owned desktops and laptops operating inside the company and the corporate firewall, or via secured VPN
accessing IT resources from outside the firewall from their own computers, smart phones and tablets.

Similarly, historically an organization’s IT department has selected, operated and controlled applications inside the corporate firewall. And these applicat
servers that were also managed, secured and controlled by IT. But now with BYOA, users and departments are subscribing to their own applications out
Google Analytics, etc. And if they need servers to build custom applications, some users and departments are turning to BYOS by spinning up servers ru
control.

Furthermore, besides altering the economics of enterprise IT by shifting IT assets from inside the firewall to outside the firewall, this consumerization tre
Historically IT has primarily been about automating the white collar worker’s desk circa 1970 (think of the classic “inbox” and “outbox” on a white collar
typewriters being replaced by PCs running Microsoft Office, etc.). But now with the consumerization/BYO phenomena, IT services are further expanding
services are out in the cloud. For example, many users that historically may not have had computing devices (e.g. nurses, retail sales, etc.) are now be
productivities.

The net net is this consumerization/BYO trend is altering the economics of enterprise IT by shifting IT assets from inside outside the firewall to the cloud
security challenges that are emerging. That is my second prediction for 2012 vis-a-vis cloud computing: Expect more security challenges.

Clearly while costs may be lowered and productivity increased by BYO-ing new devices, applications and servers, the potential downside of lack of visibil
premise IT assets may negate some of the cost savings and slow adoption. For example, to address auditors’ needs and make sure proprietary informat
have end-to-end visibility and control over users, applications, servers and devices to ensure the business is protected while being agile enough to respo
involved securing and locking down on-premise devices, servers and applications. Now the same type of security capabilities must apply to IT resources
by IT departments. That’s a nut that needs to be cracked.

This also means we have a password problem that is getting worse as usage of the cloud expands. More users are getting access to more cloud-based s
Users are facing a huge burden of password management, and we are seeing a marked increase in hacking and identity theft. So clearly more effort ne
may see even more Anonymous and Lulzsec type hacking incidents.

We live in exciting times with the huge growth of virtualization and cloud technology. We have whet the whistle of end users in terms of what they can g
within our organizations will be acting like consumers and pushing for even more cloud-based services or walking them through the side door. And we n
we have adequate security and visibility over those same cloud-based services.

###

About the Author

Tom Kemp is the CEO and co-founder of Centrify Corporation (http://www.centrify.com), a leading provider of enterprise security software solutions for
Entrepreneur in Residence at Mayfield, a leading Silicon Valley venture capital firm. Tom was also one of the first employees and a founding team memb
his career at Oracle Corporation. He holds a Bachelor of Science degree in computer science and in history from the University of Michigan. You can follo
or follow his Centrify blog at http://www.centrify.com/blogs/overview.asp or his Forbes blog at http://blogs.forbes.com/tomkemp.

Published Tuesday, November 08, 2011 5:30 AM by David Marshall
Filed under: Prediction 2012

Comments
VMblog.com – Virtualization Technology News and Information for Everyone – (Author’s Link) – January 4, 2012 7:08 AM

I’d like to personally welcome each and every one of you to the start of 2012! As we begin what will certainly prove to be a fantastic new year, I wanted
readers of VMblog.com. Once again, with the help



Modern Datacenter Technology News and Information
Copyright © 2004 – 2020 VMblog.com. All rights reserved.


9/14/2020 The Convergence of Physical & Logical Access

https://www.securitylinkindia.com/white-paper/2018/04/11/convergence-physical-logical-access/ 1/7


 April 11, 2018  SLI

What it really means for an organization’s Security

For many security professionals, recent high-profile data breaches have shifted attention to
external cyber threats. Despite this newfound focus, the Institute for Critical Infrastructure
Technology reports that more than half of all cybersecurity incidents can be traced to insiders with
legitimate access to corporate facilities and networks. Another survey from the Ponemon Institute
reveals that the majority of respondents are more concerned by outside threats than those that
originate internally.

While external threats are very real, working to confront internal vulnerabilities can prevent
incidents from happening in the first place. By addressing both physical and logical access in a
more unified approach, organizations can reduce their risk for a costly breach while also improving
user experience and operational efficiency. This idea is frequently referred to by the industry
buzzword of ‘convergence.’

From a technical standpoint, convergence is defined as “the merging of distinct technologies,
industries, or devices into a unified whole.” In terms of access control, convergence can be viewed
as “the merging of physical and logical access control technologies to provide a more unified and
simplified approach to identity management.”

“Convergence means a simplified approach,” said Sheila Loy, Director of Healthcare Industry,
Identity and Access Management at HID Global, “That can mean many different things, but it’s
essentially making it easier for the user to get both digital access and door access. That usually
comes in the form of a card or a mobile device – something that can do both.”

While the notion of convergence is nothing new, this approach to security is becoming an
increasingly viable way to mitigate threats. To explore this further, ASIS International recently
partnered with HID Global to survey security professionals regarding their experience and related
plans on convergence projects. The data in this paper is based on the responses of 745 ASIS
International members who have direct responsibilities in physical and/ or information security.

The benefits of convergence: Improved user experience, operational efficiency and security
Security administrators are looking for solutions that are easy, convenient and fast. By introducing
solutions that better blend physical access control (PACS) with logical access control (LACS),
organizations of all types will enjoy three key benefits including: 1) positive user experience, 2)
enhanced administrative experience, and 3) improved security.


Positive user experience
Oftentimes, the weakest link in even the strongest of security systems lies within the end user. If
interactions with security technologies are confusing or cumbersome, employees will take shortcuts
that introduce unnecessary vulnerabilities. Converged PACS and LACS solutions help reduce this
risk by boosting convenience, particularly by requiring employees to only carry one card or mobile
device. This type of solution also eliminates the need to constantly refresh passwords.

In today’s world, most end-users wear an ID badge to access facilities, which is a form factor they
are accustomed to using. Even more, many employees either use a user name and password or a
one-time password fob or token to access networks. While this approach may provide an additional
layer of security, it is prohibitive in terms of convenience. Alternatively, providing a single form
factor for both physical and logical access creates a more streamlined user experience, which
ultimately increases user adoption to desired security policies.

“Building occupants who have entitlements to both physical areas and logical applications will see
an enhancement in their experience,” said Brandon Arcement, Director of Product Marketing at HID
Global, “Convergence results in greater employee efficiency and a more pleasant work environment
for building occupants. It’s easier for employees to carry one card or one mobile device to access
both systems, rather than having to carry a card for the door as well as a fob for the computer or
having to remember passwords.”

In terms of logical or network access, one major pain point for end users is the need to remember
and frequently reset their passwords. When ASIS International members were asked, “How access
to network and logical applications is done today,” a resounding 85% of respondents indicated that
they use a user name and password.

85% of respondents also indicate that they have an organizational policy regarding the creation of
passwords such as requiring numbers or special characters. Not only is this inconvenient for users
and administrators, it presents another common security risk – employees writing their passwords
on notes left visible on their desk.

Enhanced administrative experience
Converged access control solutions provide an improved administrative experience. When survey
respondents were asked to rank a series of benefits of PACS and LACS convergence, the top
response was ‘easier to manage employee credentials,’ followed by ‘one card for multiple
applications.’

These top responses reflect two key angles within an improved administrative experience. First,
many applications used to manage credentials are now web-based with secure, simple access for
administrators. This allows security teams to issue, modify, or revoke credentials away from the
office or during off-hours. The second angle is the ability to deploy a converged ‘high value’ form
factor that allows for multiple applications.

For example, using one card for multiple uses reduces costs for additional or replacement cards, as
well as reduces the time required to produce multiple credentials for individual applications.

According to survey data, the value of leveraging smartcards for applications beyond physical
access is more than theoretical – 73% of respondents agree that they have interest in using smart
cards for applications beyond traditional physical access control.

Finally, more converged access control solutions provide security administrators with more visibility
into audit data. This makes achieving compliance easier, thus reducing the potential for associated
fines and damaged reputations.

Improved security
The most important benefit of any technology is improved security. Innovative technologies for
physical access include contact and contactless cards with encryption that adds additional layers of
security upon entering doors, elevators or parking garages. Meanwhile, digital certificates loaded
onto that same smart card can ensure trusted login to networks and applications, as well as encrypt
e-mails and digitally sign documents.

Converged solutions improve security in three key areas:

Increased adoption rate of converged credentials: With a simplified experience, users are more
likely to adopt desired security protocols. HID Global’s Loy says “Your employees may have had a
badge to access doors for quite some time. But when they don’t have to carry extra form factors like
a fob or token, or they don’t have to take extra steps by entering a user name and password, it
provides a streamlined end user experience that increases adoption rate.”

Credential more closely guarded: A converged credential is used more frequently and is relied on
for more daily activities, thus is more quickly noticed when lost or missing. “Whenever someone
uses a credential for applications beyond basic physical access control, it increases value to that
card and adds more reason to keep it handy – now that card becomes more closely guarded,”
Arcement notes.

Reduced need for strong passwords: Security is also improved because cards can eliminate the
need for passwords, which are often the weak link in logical access control. Beyond reducing this
vulnerability, leveraging a converged card requires users to remove their card to move around in a
secure facility, automatically locking a computer upon card removal.
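The lock-on-removal behaviour in the third point is only as good as the workstation setting behind it. As an added example (not code from the white paper or from HID Global), the PowerShell below audits and, where needed, enforces the Windows "Interactive logon: Smart card removal behavior" setting; it assumes a Windows host where the Winlogon ScRemoveOption value and the Smart Card Removal Policy service (SCPolicySvc) are the enforcement points.

```powershell
# Added example, not code from the white paper or from HID Global.
# Audits and enforces the Windows "Interactive logon: Smart card removal behavior"
# setting, which is what actually locks a workstation when a converged card is pulled.
# Assumes a Windows host; run in an elevated session to change the setting.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'ScRemoveOption'
# Documented values for ScRemoveOption (REG_SZ):
#   0 = no action (weak: a pulled card leaves the session open)
#   1 = lock workstation, 2 = force logoff, 3 = disconnect Remote Desktop session
$Meaning = @{ '0' = 'No action (weak)'; '1' = 'Lock workstation';
              '2' = 'Force logoff';     '3' = 'Disconnect remote session' }

function Get-SmartCardRemovalPolicy {
    # A missing value behaves like 0, so treat "unset" as non-compliant.
    $item    = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [string]$item.$ValueName } else { '0' }
    # The registry value only takes effect while the Smart Card Removal Policy service runs.
    $svc      = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
    $svcState = if ($null -ne $svc) { [string]$svc.Status } else { 'NotFound' }
    [pscustomobject]@{
        ScRemoveOption = $current
        Meaning        = $Meaning[$current]
        ServiceStatus  = $svcState
        Compliant      = ($current -in @('1', '2', '3')) -and ($svcState -eq 'Running')
    }
}

function Set-SmartCardRemovalPolicy {
    # Default to "lock workstation" (1), the behaviour the white paper describes.
    param([ValidateSet('1', '2', '3')][string]$Option = '1')
    New-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $Option `
        -PropertyType String -Force | Out-Null
    Set-Service   -Name 'SCPolicySvc' -StartupType Automatic
    Start-Service -Name 'SCPolicySvc'
}

# Audit first; only change the host when the weak setting is found.
$before = Get-SmartCardRemovalPolicy
$before | Format-List
if (-not $before.Compliant) {
    Set-SmartCardRemovalPolicy -Option '1'
    Get-SmartCardRemovalPolicy | Format-List
}
```

In a domain the same value is normally pushed by Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), which will overwrite a local registry change at the next refresh, so the audit half is the part worth running on every endpoint.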

From improving user and administrative experience to strengthening organizational security,
upgrading access control to leverage a more converged credential seems like a valuable exercise.
However, when it comes to actually implementing convergence-based projects, multiple barriers can
disrupt progress.

Challenges to achieving PACS and LACS convergence
Despite an increasingly relevant business case and a growth in available technologies, the
implementation of convergence projects can be described as surprisingly slow. This lack of
adoption can be attributed to two primary obstacles – organizational and technical challenges.
Organizational challenges include common conflicts between physical security and IT departments,
like budgets and priorities, whereas technical challenges encompass the implementation itself such
as upgrade paths and compatibility.

Organizational challenges
Organizational and internal communication challenges serve as a key barrier to implementing
convergence projects, most often due to a lack of alignment between priorities and objectives.
When asked what obstacles physical security professionals face when working with their
organization’s IT department, top answers included: 1) project prioritization and alignment, 2)
conflicting objectives, and 3) project ownership/division of labor.


“Traditional physical security professionals often have a background in law enforcement or military.
They’re well skilled in forensic investigations, executive protection, and physical security measures –
guards, fences and alarms,” Arcement says, “On the other hand, the IT teams are traditionally more
comfortable with data protection and cybersecurity measures, but they are not as comfortable in
the physical domain, even with something like cards. Because these departments have evolved
separately, the two face challenges in collaboration and communication.”

Fortunately, progress in building stronger relationships is growing. When physical security
professionals were asked how they currently work with their IT departments, a resounding 60%
said that they collaborate to establish security best practices, with 55% indicating they look for new
technologies together.

Budget is another common concern for convergence projects. IT departments typically enjoy much
larger budgets than physical security departments, and they’re used to receiving funds for constant
updates to keep up with advances in technology. Physical security departments, on the other hand,
may invest in cameras and card systems that are expected to remain in place for decades. Such
thinking is no longer practical as technology evolves and vulnerabilities are publicly revealed.
Physical security equipment needs to be on a refresh rate closer to that in the IT industry.

Most convergence projects – 54% according to the ASIS survey – are shared in both the physical
security and IT budgets, with 24% coming exclusively from the physical security budget and 22%
from the IT budget.

Physical security departments should work to leverage IT budget and justify their investments by
highlighting improved risk management and asset protection to the organization. They should stress
to leadership that a budget that covers convergence would enhance user experience, which can
attract better employees and be used to differentiate the organization from its competitors.

Convergence can also help mitigate risk, which is especially necessary in light of the recent
high-profile hacks of companies including Home Depot, Target, and Equifax. “Executive leadership is
willing to spend money to avoid similar outcomes for their organizations,” Arcement added,
“There’s no guaranteed assurance, but they want to ensure they’re keeping up with risk mitigation
best practices, which includes attention to both physical and cyber security.”

Technical challenges
Many organizations may be hesitant to adopt a more converged access control system due to
implementation concerns including establishing an upgrade path, compatibility with existing
systems, and overall complexity of the upgraded solution. Furthermore, there is an understandable
fear of needing to rip and replace existing systems to complete the upgrade.

To illustrate this point, survey respondents were asked to identify their concerns regarding more
converged PACS and LACS solutions. The top answer involved managing multiple credentials in
various systems, which speaks to operational efficiency, whereas other top concerns included
difficulty of implementation/maintenance and increased technological complexity.

Despite these challenges, understanding implementation best practices, leveraging modern
technologies, and collaborating with trusted partners can facilitate the introduction of converged
access control solutions more easily than ever.

Best practices to successfully launch convergence projects


The primary technical challenge for organizations is the notion that introducing converged access
control requires an interruptive rip and replace of existing technology. The reality, however, is that
the process can be simpler, for example by starting with converged cards.

“We’re seeing a trend toward converged cards where it’s no longer exclusively the physical access
control credential. Organizations are looking to either extend the contactless technology on the
card or to embed an additional contact chip on the card for strong authentication to logical access
applications as well,” Arcement continued.

72% of survey respondents indicate that they would like to leverage smart cards for additional
applications, with the most useful including network and computer login.

Beginning with a ‘converged card’ approach essentially adds logical access to an existing physical
access control system. By doing so, organizations can create a migration path that increases
security and convenience but still utilizes existing infrastructure, access control systems and panels.
This allows more converged solutions to be implemented without needing to rip and replace,
making upgrades to newer technology less disruptive.

“In terms of logical access, this process usually includes adding credential management software
solutions to the IT side of the house to manage the lifecycle of digital certificates on a single ID
badge,” Loy said, “There can also be multiple integration points to help ease the workflow of getting
those cards provisioned for desktop use, making it as streamlined as possible. Some providers also
offer professional services to support whatever is needed to get the system running as quickly as
possible.”

Arcement also recommends that organizations first pilot the technology before deploying it
company wide. “A marathon starts with one step, and it can be overwhelming to think about all the
things that need to be done during the transition of an entire organization,” he said, “We have seen
companies be most successful by structuring pilots and deployments in phases and by starting
deployment in a single building, floor or department. This enables the project team to clearly
understand the opportunities they have with the new technology, the limitations that may exist,
and the policy changes that might be necessary to consider before deployment throughout the
entire organization.”

To overcome organizational challenges, increased collaboration between physical security and IT is
key, particularly when budget is involved. Loy notes that while budget is a concern, the two
departments can share expertise and information to be more cost effective. “Sometimes to get
greater security you have to spend more money,” she said, “For example, companies typically spend
under $10 on a card, but with a converged solution that card could cost $20. You must understand
what you’re getting and why it’s more expensive, and you have to understand risks and associated
risk tolerance. Think how expensive it will be if you become the next headline or ransomware attack
versus making a change in your everyday security to shore up systems from a physical space and a
digital space.”

Bridging the communication gap between IT and physical security presents another opportunity for
increased collaboration. To start, both sides should acknowledge their shared objective – the
security of the organization – and recognize the expertise that each side has in the equation.


Departmental leadership must understand that their security responsibilities are dependent on
vulnerabilities on the other side of the house, because it can mean entry points that ultimately
threaten the overall organization.

Facilitating a more collaborative environment can begin with physical proximity and project
involvement. To start, IT and physical security can share a common work space such as an
operations center or server room. These teams can also establish a recurring forum to provide
updates, discuss vulnerabilities, and share audit data. Survey results show that while 89% of
respondents indicate they conduct a physical security risk analysis, only 2/3 of those respondents
share the findings with their IT team.

This collaboration should be leveraged to create joint proposals to company executives that show
mutual benefit. For example, with increased convergence, ticket volume to the IT help desk will
decrease due to a reduced need to reset passwords.

Finally, once a convergence project begins, it is important to train users on the benefits of the
new approach. Arcement offers, “Managing expectations is critical as organizations move to more
secure technologies – there is a slight change to the user experience.” He compares it to shoppers
adjusting to using smart card chips on their credit cards instead of magnetic stripe, noting, “At
first, the change presented an inconvenience to the user, but cardholders accepted the change
because they recognized the added security it provides in this age of identity theft. This offers
a good analogy to share with your user population – that this transition is first and foremost
designed to elevate security for the organization and all who occupy its facilities.”

Conclusion
Physical security and IT departments are recognizing that now, more than ever, converged threats
are real. Vulnerabilities that exist in both domains are fronts that have traditionally been handled
separately. In isolation, they can be viewed as managed risks. But when malicious attacks or simple
carelessness connect these vulnerabilities, the risks become more than the sum of their parts.

To meet the growing security needs of today’s organization, physical security and IT must better
align their budgets and objectives to reduce risks while ensuring convenience so end users abide by
company policies. While more converged physical and logical access technologies can help show
the way, the ultimate responsibility lies with security professionals to chart the right course for
their organization.

Copyright © Security Link India 2019, All rights reserved


The Complex Universe of Identity Theft
Effective, thorough protection is more than just “locking” up your data…
By Frank W. Abagnale

Identity Theft is a broadly-used term that has achieved consumer awareness, but the term itself
does very little to impart the vast ways individuals are at risk on a daily basis. To have the most
thorough and effective protection against Identity Theft, consumers should employ a combination of
services to address each of their areas of risk. Affinion has assembled all of these components
with its world-class suite of Identity Theft protection services.

YOUR PERSONAL INFORMATION – the very key to your identity – is likely to be compromised in the
coming year. Estimates calculated in 2007 suggest that approximately 264 million pieces of other
people’s personal information were exposed by identity theft or fraud[1] – that’s almost as high a
number as the 2007 U.S. population of 301,139,947.[2] You may not necessarily become a victim of
identity theft, but with your personal information readily available for anyone to use, the
likelihood of becoming a victim increases exponentially. But, that’s the bad news.

The good news is our government has taken a reasonably proactive stance on identity theft and
fraud. In 2003, Congress passed the Fair and Accurate Credit Transactions Act, which amended the
Fair Credit Reporting Act to provide potential victims of identity theft with certain rights and
protections. At the state level, additional laws have been enacted to prevent identity theft. The
key components of such legislation include the following:

• Consumers are allowed one free credit report from each of the three main credit bureaus
(Equifax, TransUnion, and Experian) each year. (Fair Credit Reporting Act, § 612; 15 U.S.C. 1681j)

• Consumers who have a good-faith suspicion they have been – or are about to become – the victim
of identity theft, can place a “fraud alert” on their credit file. A fraud alert stays on the
consumer’s credit file for at least 90 days, and requires any potential creditor to contact the
consumer at the phone number provided or take other reasonable steps to verify the identity of the
person applying for credit. (Fair Credit Reporting Act, § 605A; 15 U.S.C. § 1681c-1)

• Consumers must now be notified by the responsible party (that possesses personal data) in the
event their personal data has been, or is suspected to have been, exposed in a data breach
(currently a law in 39 states).

A Fraud Alert is Not Enough
Fraud Alerts are a free service for consumers. When a Fraud Alert is placed on your credit file,
credit grantors are required to take additional steps to verify that the credit application is not
fraudulent. The Fraud Alert includes the consumer’s phone number, and creditors generally call the
consumer, as this is the fastest and most secure method to verify that the consumer is the one
requesting credit, not an impostor. Sometimes, creditors use alternative methods, including
challenging questions or requesting additional identification, to verify the application.

Fraud Alerts are getting a lot of press these days, perhaps driven by Lifelock Incorporated’s
advertising campaign. Viewers watch in awe as Lifelock’s CEO doles out his Social Security number
to the general public, confident in its security. Unfortunately, this creates a false sense of
security as fraud alerts prevent only one of the three major identity theft attacks commonly waged
against consumers.

Lifelock’s business – like others providing undifferentiated services – is focused on setting
Fraud Alerts. These limited service providers take this free, government-provided service and
charge the consumer for it.

Affinion Group agrees that Fraud Alerts are effective and can be an important part of a complete
identity theft solution. However, simply setting a Fraud Alert is not enough.

Debix – A Complementary Solution Inside Affinion
Affinion has entered into a partnership with Debix, the creator of the world’s first and only
electronic Identity Protection Network. This Identity Protection Network utilizes Fraud Alerts to
allow banks to send an Instant Authorization to any consumer in the network.

[Figure 1: Debix in Action – Actual Crime Prevented]

Figure 1 illustrates the core capability of the Network. The white dots represent approved
transactions where a creditor sent an instant authorization call, and the consumer approved it by
verifying their VoiceKey after entering their 4-digit PIN into their pre-registered phone. In
security jargon, this is called multi-band, multi-factor authentication. The red dots represent
attacks where the consumer declined the account and reported it as fraud. The instant this report
occurs, the consumer is transferred to a Debix call center to assess the situation and determine
the proper course of action with law enforcement while the thief is still active. The network also
provides an audit trail of the incident to support the case.

Never before have consumers, banks, and law enforcement been able to communicate in real time to
prevent identity theft and pursue the criminals while the trail is hot. In the fourth quarter of
2007, Debix subscribers responded to 30,618 instant authorization calls from banks and also
stopped 380 fraudulent accounts from being opened by reporting them as fraud. Of these, Debix
escalated 29 hot cases to law enforcement as highlighted in Figure 2.

[Figure 2: ID Theft Attacks Stopped and Reported to Law Enforcement]

Limited service providers take the information from customers who want Fraud Alerts issued, and
send the information to the credit bureaus. Their only follow-up activity is to re-send the
information after 90 days, which is how long initial Fraud Alerts remain active.

Debix is the only company that is actually with the consumer during an actual account opening –
fraudulent or not. The competition has no idea what is happening with the consumer’s identity.

Affinion’s Complete Suite of Services
Affinion Group feels that Fraud Alerts can help combat identity theft, but they are not a complete
solution because they address only one of the three common categories of attacks. For consumers
wanting to take all possible steps to prevent identity theft, Fraud Alerts only help keep new
fraudulent credit from being issued. They are useless when it comes to the other, more prevalent
varieties of identity theft and fraud.

In November 2007, the Federal Trade Commission (FTC) published their annual report on identity
theft. Through a survey of actual identity theft victims performed by Synovate Corporation, the
FTC was able to determine three main categories of identity theft: New Accounts & Other Fraud,
Misuse of Existing Non-Credit Card Account or Account Number, and Misuse of Existing Credit Card
or Credit Card Number.

The Numbers Aren’t Pretty – and They Don’t Lie
Fraud Alerts do stop new fraudulent credit from being issued, which is the most damaging form of
identity theft, but new account fraud is only estimated to be 22% of the identity theft problem.
Non-credit account misuse and existing account misuse together represent nearly 78% of identity
theft as reported by actual victims.[3]

Identity thieves will sometimes change the billing or mailing address on an existing account. They
may also try to get new cards issued in their name or some other name. This is commonly referred
to as “account takeover.” In their report on identity theft, the FTC writes:

    Account takeover was reported by 9% of victims who experienced existing credit card misuse,
    and 11% of victims who experienced existing non-credit card account misuse. Because new
    account fraud involves the creation of an entirely new account rather than the misuse of an
    existing one, account takeover does not apply to that type of identity theft.[4]

It is important to note here that limited Fraud Alert service providers do absolutely nothing to
stop – or notify – a consumer that an existing account has been compromised. Currently, the only
available means to detect account takeover is through regular monitoring of all your statements
and credit monitoring.

Non-credit account fraud refers to fraudulent activities that do not involve the misuse of an
existing or new financial account. In fact, 12% of victims reported non-account misuse – the most
common form being a person’s name and/or personal information being given to the police when a
thief was stopped or charged with a crime.[3]

Once again, limited fraud alert service providers like Lifelock will do nothing to protect or
alert an individual of this type of identity theft. Detecting this type of fraud can only be
accomplished through public information review and monitoring. There are hundreds, perhaps
thousands, of identity thieves who won’t actually use your compromised personal information to
steal your identity – they’ll just sell it all to someone else who will. The sale of personal
information generally takes place in underground Internet chat rooms. In fact, the President’s
Identity Theft Task Force and the U.S. Secret Service estimate there are 20,000 users of those
underground chat rooms and “carding sites.” Limited fraud alert service providers can’t alert you
if your personal information is exposed in these chat rooms. To date, the only reliable method of
detection is real-time chat room monitoring.

Every Consumer Needs More Thorough Protection
There have been a number of governmental data breaches recently where state and federal
governments have lost constituents’ personal information. Despite the recent proactive federal
legislation, these organizations have provided only part of the solution to help consumers protect
themselves. While several government organizations have selected Debix to protect these consumers
from new credit fraud, it is noteworthy that these organizations have not provided any form of
monitoring for account takeover, public exposure of data, or non-financial account misuse. This is
a particularly vital component when the compromised data includes constituents’ credit card
numbers, payment processing information, and other data that could be manipulated for account
takeover or misuse. Remember, the FTC estimates these types of fraud make up nearly 78% of
identity theft.[3]

To have the most thorough and effective protection available, consumers should employ a
combination of daily credit monitoring, public information monitoring and reporting, real-time
chat room monitoring, and the Debix solution. Affinion has assembled all of these components with
its world-class suite of Identity Theft protection services.

[Figure 3: Percentages of Identity Theft by Type – the three main forms of identity theft and
their frequency, as determined by the Federal Trade Commission through a survey of actual identity
theft victims; chart segments of 22%, 38% and 40%]

Notes
[1] Privacy Rights Clearinghouse estimates 218 million records were exposed in 2007. This number
does not include the TJX customer breach in which information from at least 45.7 million credit
and debit cards was stolen.
[2] https://www.cia.gov/library/publications/the-world-factbook/print/us.html (July 2007 est.)
[3] Consumer Fraud and Identity Theft Complaint Data, January – December 2006, Federal Trade
Commission, February 2007
[4] Federal Trade Commission – 2006 Identity Theft Survey Report, November 2007
[5] Combating Identity Theft, a Strategic Plan. The President’s Identity Theft Task Force, April
2007
