All Things Considered: Insight and analysis from the leaders in Physical Identity & Access Management
Underlining the Need for Physical Identity & Access Management
A 2009 security breach made headlines around the world and certainly caught our attention as well: A Fannie Mae contract worker was fired from his computer programming job at Fannie Mae's data center in Urbana, about 35 miles from the company's Washington headquarters.
Fannie Mae did not immediately terminate the worker's computer access after telling him he was fired. Before surrendering his badge and laptop computer about 3½ hours later, the worker allegedly used that extended access to reset the company's servers, planting malicious code that was intended to execute on Jan. 31, 2009. Luckily, the plan was thwarted by another worker, who stumbled upon the code bomb and brought it to the attention of the FBI.
Now let's pause and think about this event for a second. An additional unknown in this case is whether, or when, his physical access privileges were revoked, either at the Urbana facility or at Fannie Mae's headquarters. But even if the worker was required to turn in his badge immediately, there is no guarantee that he hadn't already replicated his physical access card along with all access codes—a $10 process that takes only minutes on the black market.
What is the guarantee that his access was terminated in all of the disparate and disjointed physical access control systems across the company's worldwide facilities? Beyond the millions of dollars in damage this worker could have caused with just a few lines of code, what if he had even more ominous goals in mind?
As a security professional, I'm left with a few simple questions: Could this risk have been mitigated? Could an event like this trigger an automated process—executed in real time—to bridge the gap between the physical and logical security systems at Fannie Mae? Could this process remove the human element, which can quickly introduce latencies and errors?
Consider this: with a policy-driven, automated process, as this contractor's dismissal was logged into the corporate HR system, it could have immediately resulted in instantaneous termination of his physical access privileges as well as his access to IT applications and networks around the world.
Case closed, right? Not just yet. Imagine if it was a hospital instead of Fannie Mae, where medical records can be accessed, drugs could be stolen and people's lives could be in danger. Imagine if we are talking about a nuclear plant, where a metropolitan area or perhaps an entire nation could be compromised. Have we really considered all things to mitigate risk?
Countries around the world have worked hard to establish governmental regulations such as SOX, HIPAA, HSPD-12 and Basel II to fight such challenges. But complying with these regulations has proved—and will continue to prove—elusive for so many corporations from a converged physical and IT security standpoint.
Until corporations embrace this new, policy-based paradigm with regards to managing their physical and logical security infrastructure, we will continue to see stories such as Fannie Mae's—perhaps with worse outcomes.
With a policy-based approach, however, automated rules can quickly meet both internal and external governance needs, reducing human errors and providing a holistic approach to managing security across disparate systems and multiple geographies.
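To make the policy-driven process described above concrete (an HR termination event driving revocation across every connected physical and logical system, and verifying the result rather than assuming it), here is an added illustration in Python. It is not the author's or any vendor's product code: the HR event schema, the connector classes (stand-ins for a site badge system, a directory and a VPN service), and the policy table are all assumptions constructed for this example. The point it demonstrates is the one the Fannie Mae case exposes: a revocation that cannot be confirmed in one of the disjointed systems must surface as an explicit gap for follow-up, and the time between the HR event and completed revocation is the exposure window worth measuring.

```python
"""Policy-driven deprovisioning triggered by an HR termination event.

Added illustration, not vendor code. Connectors are hypothetical stand-ins;
a real deployment would call each system's own API behind the same interface.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HREvent:
    """A change record emitted by the HR system (hypothetical schema)."""
    person_id: str
    kind: str            # e.g. "TERMINATION"
    effective: datetime  # when HR logged the change


class ConnectorError(Exception):
    """A downstream system could not be reached or rejected the request."""


class Connector:
    """A downstream access system holding the set of person_ids with live access."""

    def __init__(self, name: str, grants: set[str]) -> None:
        self.name = name
        self.grants = set(grants)

    def revoke(self, person_id: str) -> None:
        self.grants.discard(person_id)

    def has_access(self, person_id: str) -> bool:
        return person_id in self.grants


class UnreachableConnector(Connector):
    """Simulates a site whose access control system is offline right now."""

    def revoke(self, person_id: str) -> None:
        raise ConnectorError(f"{self.name} unreachable")


# Policy table (assumption): which HR event kinds trigger revocation everywhere.
POLICY = {"TERMINATION": "revoke_all", "CONTRACT_END": "revoke_all"}


def deprovision(event: HREvent, connectors: list[Connector], now: datetime) -> dict:
    """Apply the policy for an HR event to every connector and verify the outcome.

    Returns an audit record: 'complete' is True only when every system confirms
    the person no longer has access; 'gaps' lists systems needing human follow-up.
    """
    action = POLICY.get(event.kind)
    if action is None:  # event kind carries no access consequence under the policy
        return {"person_id": event.person_id, "action": None, "complete": True,
                "gaps": [], "results": {}, "exposure_seconds": 0.0}

    results: dict[str, str] = {}
    for c in connectors:
        try:
            c.revoke(event.person_id)
            # Never trust the call alone: read the state back from the system.
            results[c.name] = "revoked" if not c.has_access(event.person_id) else "still-active"
        except ConnectorError as exc:
            results[c.name] = f"failed: {exc}"

    gaps = [name for name, status in results.items() if status != "revoked"]
    return {
        "person_id": event.person_id,
        "action": action,
        "complete": not gaps,
        "gaps": gaps,
        "results": results,
        # Exposure window: time from the HR event to the completed sweep.
        "exposure_seconds": (now - event.effective).total_seconds(),
    }


def run_demo(hq_offline: bool = True) -> dict:
    """Constructed scenario: contractor C-1042 holds access in four systems."""
    person = "C-1042"
    hq = UnreachableConnector if hq_offline else Connector
    systems = [
        Connector("pacs:urbana", {person, "E-0007"}),   # site badge system
        hq("pacs:hq", {person}),                        # headquarters badge system
        Connector("directory", {person, "E-0007"}),     # logical accounts
        Connector("vpn", {person}),                     # remote network access
    ]
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    event = HREvent(person, "TERMINATION", now - timedelta(seconds=90))
    audit = deprovision(event, systems, now)
    # The sweep must not disturb other people's access.
    assert all(s.has_access("E-0007") for s in systems if "E-0007" in {"E-0007"} and s.name in ("pacs:urbana", "directory"))
    return audit


if __name__ == "__main__":
    print(run_demo(hq_offline=True))
```

Run as a script, the demo reports `complete: False` with `pacs:hq` as the single gap, which is exactly the signal an operator needs: three systems are confirmed clean, one still has to be chased, and the 90-second exposure window replaces the 3½ hours of the case above. Re-running with `hq_offline=False` yields a complete record with no gaps.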