Physical Security at Microsoft


Taking Advantage of Strategic IT Convergence
Technical White Paper
Published: September 2009

CONTENTS

Executive Summary
Key Challenges In Microsoft Physical Security Operations
Microsoft Solution for Physical Security
Convergence Strategy
Business Benefits
    Reduced Costs
    Improved Security
    Scalability and Extensibility
    Business Continuity
Security Operations Centers
    Technical Load Sharing
    Operational Load Sharing
Physical Security Operations
    Interoperability
    Automated Event Monitoring by Priority
    Alarm/Event Monitoring and Precision Response
    Remote Monitoring and Event Management
    Storage and Sharing of Personal Data
    Real-Time Site Information and Global Event Notification
    Enterprise Maintenance
    Provisioning Life Cycle
    Situational Awareness Through Geospatial Mapping
Conclusion
For More Information

Situation
Implementing and monitoring physical security for an enterprise the size of Microsoft can be cumbersome and expensive. Traditional approaches to physical security are inefficient and difficult to manage effectively on a global scale.

Solution
By building a strategy for physical security that relies on standard off-the-shelf products and the existing IP networking infrastructure, Microsoft has been able to realize substantial cost savings, improved security, and other significant benefits.

Benefits
    Cost savings
    Improved security
    Scalability and extensibility
    Continuity of service

Products & Technologies
    Microsoft Office SharePoint Server 2007
    Microsoft Office InfoPath 2007
    Microsoft Office Communicator 2007
    Microsoft Virtual Earth 2007
    Microsoft Office system
    Microsoft SQL Server 2005
    Microsoft SQL Server 2008
    Lenel OnGuard
    Remote Desktop and Terminal Services

EXECUTIVE SUMMARY

A comprehensive security program for an organization includes both the physical security of facilities and the logical security of IT resources. Physical security includes restricting access to buildings and monitoring alarm systems for fire or break-ins. Logical security of IT resources includes restricting access to sensitive data and monitoring network traffic for signs of suspicious or malicious activity. At Microsoft, the strategy for developing the processes and solutions that help provide physical security includes a partnership between the internal Global Security and Microsoft Information Technology (Microsoft IT) teams. This partnership takes advantage of the available technology and technical resources to provide a scalable system for life safety and facility monitoring that can be managed from virtually anywhere in the world. Through the establishment of three regional Global Security Operations Centers (GSOCs) and the strategic deployment of security systems, the Global Security team is improving the way it protects Microsoft assets, information, and employees.
By aligning physical security drivers and IT delivery mechanisms, the team can produce an environment where physical security and IT complement each other rather than compete with each other. Microsoft encompasses more than 700 sites globally. The Global Security team must protect resources at those sites. This task includes monitoring more than 27,000 pieces of hardware: card readers for physical access, cameras, fire panels, environmental alarms, biometric security systems, duress alarms, and additional devices and sensors. Global Security must also manage more than 185,000 active holders of access cards and more than 30 million system events each month (for example, users who have misplaced their access cards, maintenance alarms, unauthorized access, building fires, or natural disasters). With an enterprise as large as Microsoft, monitoring and protecting assets around the world is a challenge. The traditional security strategies were too cumbersome and costly to be effective. Microsoft developed the convergence of physical security infrastructure with IT practices by using off-the-shelf software applications wherever possible, to create a more streamlined, efficient, and cost-effective security solution. This paper is for business and technical decision makers who are interested in learning how Microsoft uses the IT organization, Microsoft technology and products, and third-party resources to provide physical security services to Microsoft personnel and locations worldwide. Many of the principles and techniques that this paper describes can be employed to manage physical security in any organization. However, this paper is based on Microsoft experience and recommendations, and it is not intended to serve as a procedural guide. Each enterprise environment has unique circumstances; therefore, each organization should adapt the plans and lessons learned described in this paper to meet its specific needs. 
Note: For security reasons, the sample names of internal resources and organizations used in this paper do not represent real names used within Microsoft and are for illustration purposes only.

KEY CHALLENGES IN MICROSOFT PHYSICAL SECURITY OPERATIONS

Physical security operations are very important to Microsoft. The Global Security team is responsible for a large global organization with 700 sites and more than 185,000 employees and other personnel. The key challenge for Global Security is to provide a safe and secure environment at a reduced cost and to improve productivity by using solutions that are scalable and extensible. Previously, security solutions at Microsoft had been built using traditional physical security strategies. Closed circuit television (CCTV) cameras existed at each location and fed to traditional video recording equipment. The tapes in these video recorders had to be constantly changed as they reached capacity, and they had to be securely archived. Attempting to access the video data required sorting through hundreds or thousands of tapes, and then scanning them in a linear fashion to find a specific point in time. Without centralized monitoring facilities and the IT infrastructure to support the security model, each site required more personnel on site to monitor and respond to alarms. In addition, outsourcing the monitoring and response of the fire alarm system represented a substantial ongoing expense. Finally, the 60 different proprietary hardware and software products used for physical security were not scalable, extensible, or easily supported by the existing IT organization.

MICROSOFT SOLUTION FOR PHYSICAL SECURITY

Microsoft built its converged approach to physical security on a foundation of information technology. Using standard, off-the-shelf software applications and the existing global IP networking infrastructure provides the keystone for the success of the solution. Taking advantage of the IT infrastructure in the Microsoft environment enables Microsoft to monitor its entire enterprise from centralized locations, and still respond or dispatch personnel wherever they are needed throughout the world. Approaching security as a unified initiative enables Microsoft to monitor and protect more assets by using fewer resources. Global centers for security monitoring can deliver total interoperability, including failover capabilities as necessary. To effectively monitor and protect its resources, Microsoft built its solution on 10 essential design principles to provide a layered security model. The design principles, which are discussed in detail in the "Convergence Strategy" section later in this document, helped the architects of the strategy for physical security to find a balance between providing security for the infrastructure and enabling business functions. Ultimately, the goal of the system of monitoring physical security is to extend human senses to the greatest extent possible via technology, in order to simulate or predict a ubiquitous presence and allow for timely mitigation. IP, low-light, and infrared cameras simulate sight. Motion sensors and proximity/barrier sensor alarms simulate touch. Audio sensors that detect anomalous noises or spikes in background volume simulate hearing. Using IT mechanisms to extend these senses around the world helps satisfy the mandate of physical security without necessitating the deployment of a static physical presence at every location.
By using a variety of Microsoft technologies and some third-party technologies, the Global Security team can monitor sites around the world and direct a precision response that is appropriate to the event. The sensor data and information at the team's disposal enables it to quickly analyze and understand the impact of an event, and to engage the appropriate onsite resources when necessary.

CONVERGENCE STRATEGY

Microsoft based its initiative of converged physical security on a design philosophy that included a strategy for managing physical access to Microsoft resources and the Weighted Business Model. The Weighted Business Model (illustrated in Figure 1) incorporates the balance between technology, monitoring, and response, and the administration of all three.

Figure 1. Depiction of the components of the Weighted Business Model

The Weighted Business Model helped Global Security understand and define the key components of physical security and their relationship with each other. This understanding enabled the team to implement an effective and efficient strategy. Another key component of the success of the initiative for converged physical security is the cooperation of different departments and teams within Microsoft. A fundamental part of this cooperation is establishing relationships and expectations between the various entities. The Global Security team understands that the success of any project in a corporate environment depends on support from senior and executive management. Global Security has worked diligently to ensure that senior management understands and supports the goals of the strategy for physical security. Analyzing the functions of the organization, and understanding the benefits and pitfalls of different approaches, assisted Global Security in developing physical security objectives to meet the unique needs of the business across all regions.

To produce the physical security design, Microsoft managers agreed to a basic set of design principles and continually used them as the touchstone for new decisions. This enabled them to maintain the integrity of their design and not be distracted by the latest state-of-the-art of technology. The following design principles represent the business parameters and functional design elements that Global Security focused on.

Deterrence value. Security measures must strike a balance between security and functionality. Because part of the strength of that balance is in creating the awareness that physical security exists, security measures should be conspicuous and strategically placed. Simply making people aware of monitoring devices and other physical security measures helps to deter theft or trespass.

Remote monitoring. Monitoring security systems from a remote location provides the ability to centralize the administration and response. One of the benefits of integrating physical security with information technology is the ability to use a smaller, centralized team of individuals to monitor and respond to events throughout an entire region. Event-based response and signal prioritization ensure that the most important events receive immediate attention, and they help facilitate continuity of response throughout the enterprise. Microsoft also takes advantage of remote functionality to maintain and troubleshoot the physical security equipment over the network.

Precision response. Closely related to remote monitoring, the solution must provide for precision response. If the design philosophy calls for remote monitoring from a central location, it also must ensure that the proper resources can be dispatched on site in a timely manner when an event is detected. By using the tilt and pan functionality of the IP cameras, and correlating information by using other technologies, Microsoft can remotely assess incidents and dispatch an appropriate response.

Off-the-shelf infrastructure. By using standard off-the-shelf hardware and software, the Global Security team made a conscious decision to adapt its processes to the infrastructure and not the other way around. The use of off-the-shelf products reduces the costs of both implementation and maintenance while increasing continuity and efficiency in delivery because Microsoft can apply standard training and support services. Global Security has established long-term relationships with key vendors to build into their products new, standard features and functions according to business priority. These relationships help Global Security improve longevity of the product life cycle while still acquiring essential requirements over time.

Use of Microsoft and partner products. Wherever possible, the design of physical security at Microsoft relies on Microsoft products. Global Security analyzed various Microsoft tools and applications and used them to deliver much of the core technology of the solution. As new Microsoft products are developed, Global Security evaluates them to determine what role or impact they might have in the strategy for physical security. The third-party products that Microsoft uses in its strategy are built on Microsoft technologies such as Microsoft SQL Server database software, Microsoft .NET connection software, and Microsoft SharePoint Products and Technologies.

Remotely managed IP devices. Microsoft uses the existing global IP network to handle rapid changes in hardware and to achieve faster and more cost-effective scalability. Microsoft can deploy security devices, like IP cameras and card readers for physical access, more efficiently because installation is less likely to require additional proprietary components or a separate cabling or communications network. Using IP-based edge devices also enhances the ability to monitor and maintain the equipment at Microsoft.

Defense in depth. Defense in depth provides multiple layers of security at a facility that is appropriate to asset risk. The foundation of the concept is that requiring additional security controls, or layers, along with an approach to protect critical assets, develops a mechanism to systematically delay, effectively intervene in, and mitigate risks. A threat that infiltrates one layer is detected at another layer, giving Microsoft multiple opportunities to detect and respond to an event. Defense in depth for physical security begins with incorporating physical security into the design of facilities. It also considers property boundaries, building approaches, parking areas, ingress and egress points of a building, and flow of human traffic through the building. It also includes physical security devices, like access card readers that grant or prevent access and log activity at facility entry points, biometric authentication, camera systems, hardened construction, and other discreet sensors that monitor specific areas. All of these functions combined provide a layered defense strategy in protection of Microsoft resources.

Forensics/investigative model. A critical component of the design philosophy is to ensure that video data, access logs, and other pertinent information are properly captured and stored for investigation if a physical security incident occurs. The Global Security team must be able to retrieve and analyze monitoring data and log information in order to determine when and how an event occurred, or the identity of relevant persons if necessary.

Reliability. An infrastructure must be reliable and work when needed. New technologies may promise additional functionality but can be a hindrance if they do not have a consistent expectation of availability. Microsoft evaluates all new technologies against this core ability to provide a consistent level of expected uptime.

Sustainability. Sustainability is the ease with which a new infrastructure or device can be maintained and supported. As the environment increases in size and complexity, this element is crucial to keep support costs low.

BUSINESS BENEFITS

Microsoft has experienced a variety of benefits from merging physical security with IT, including the ability to automate many functions and the increased ability to use monitoring technologies in forensic investigations. However, four benefits have affected Microsoft the most: reduced costs, improved security, scalability and extensibility, and business continuity. These benefits help provide more consistent and reliable delivery of security throughout the organization.

Reduced Costs

Centralized monitoring and management of physical security result in less need for on-site personnel, reducing licensing costs for hardware and software. Taking advantage of off-the-shelf Microsoft applications provides added value through product familiarity and integration, and centralized training enables Microsoft to deliver consistent training efficiently around the world. In Europe alone, Microsoft estimates a cost savings of almost $4.4 million US. Using equipment that connects to and communicates over the existing IP network infrastructure greatly reduces the expense involved with deploying equipment or establishing entirely new sites. In addition, the automation and efficiency provided by IT enables Microsoft to monitor the infrastructure for physical security around the world from the three regional GSOCs, eliminating much of the need for costly outsourced personnel. By implementing and monitoring its own Underwriters Laboratories (UL) compliant fire alarm system, Microsoft also saves a significant amount of money over the cost of outsourcing that function.

Improved Security

Using IT tools and technologies, particularly off-the-shelf software applications, enables Microsoft to deliver physical security more effectively than it could with traditional methods. The integration of physical security and IT systems also provides a more direct and immediate link between the role and status of an individual in the organization and his or her ability to access specific sites or locations. Using the enterprise network and IP-based camera systems enables more sites to be monitored with fewer on-site personnel. Storing the recorded video data on DVRs allows for more efficient review of video feeds and helps the Global Security team operate more efficiently.

Scalability and Extensibility

Microsoft can quickly and cost-effectively scale its security needs as growth demands. With the core infrastructure in place, bringing additional sites online is relatively simple. Traditionally, Microsoft had to procure and implement new or separate systems for building alarms, physical access control, fire monitoring and alarms, closed-circuit cameras and recorders, and other systems. It also had to hire or outsource personnel to guard and manage the new site. Although some additional access control, alarm, and camera equipment is still necessary, the convergence of physical security with IT along with the central monitoring and response that the GSOCs provide means that Microsoft does not need to build a completely new infrastructure at each new site. The incremental increase to the existing infrastructure today is significantly less than with the old approach to physical security. Microsoft may need additional personnel to handle the monitoring and response for the increased signal load that adding more sites creates. Managing the monitoring from centralized security operations centers enables the organization to better balance scheduling needs and training, and to add resources as necessary.

Business Continuity

Each regional security operations center can receive and monitor signals from the entire enterprise. The Global Security team can therefore provide consistent service levels even if a significant event causes a temporary spike in security events, or if an entire operations center goes offline. By using centralized policies and procedures, in addition to consistent training materials, the Global Security team can also ensure that Microsoft will receive the same service, delivered in the same manner, regardless of which regional operations center is monitoring and responding to the security events.

SECURITY OPERATIONS CENTERS

Microsoft has three GSOCs that monitor security for all Microsoft assets on a regional basis. The primary GSOC is in Redmond, Washington. The Redmond GSOC establishes standard processes and procedures for the global infrastructure, so Microsoft classifies it as a Tier 1 facility. The other regional GSOCs, the Tier 2 facilities, are in Thames Valley Park (TVP), United Kingdom, and Hyderabad, India. Finally, 15 local Tier 3 facilities, called Campus Security Operations Centers, monitor their locations during business hours only and are monitored by Tier 1 or 2 operations centers after hours. All of the facilities share the same technical infrastructure, which enables managers to make business decisions to cost-effectively add or consolidate centers as needed.

The GSOCs monitor more than 700 physical sites worldwide. These sites include approximately 185,000 active personal accounts, 10,250 access card readers, 8,500 IP-networked video cameras, and 330 fire panels. In addition, the sites include more than 8,000 other devices, including duress alarms, biometric security systems, and environmental alarms. Each GSOC monitors and responds to signal data and event notifications within its region. Signal data includes incoming data from all of the equipment related to physical security access control, monitoring, and communications. The GSOCs also facilitate communications and dispatch on-site security in response to events. Figure 2 maps the GSOC monitoring coverage.

Figure 2. Map of GSOC monitoring coverage

Microsoft developed this security network to flexibly share the operational workload globally. If an event is large enough to require the attention of an entire GSOC or if a GSOC becomes inoperable because of a catastrophic event, the affected GSOC can transfer its operational and technical responsibilities to another GSOC, which will then assume the control over both regions. This process occurs through technical and operational load sharing.
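
The tiered monitoring and transfer arrangement described above, modelled as an added example (not code from the white paper or from any Microsoft system). The region label for Hyderabad, the campus center, the site names and the staffed hours are assumptions made for illustration; the Americas and EMEA assignments follow the paper.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Center:
    name: str
    tier: int                           # 1 = primary GSOC, 2 = regional GSOC, 3 = campus center
    online: bool = True
    open_hours: Optional[range] = None  # Tier 3 only: staffed hours in site-local time


class MonitoringNetwork:
    """Tracks which operations center is responsible for each site's signals."""

    def __init__(self) -> None:
        self.centers: Dict[str, Center] = {}
        self.zone_owner: Dict[str, str] = {}   # region -> GSOC currently monitoring it
        self.site_region: Dict[str, str] = {}  # site -> region
        self.site_campus: Dict[str, str] = {}  # site -> Tier 3 center, if it has one

    def add_gsoc(self, name: str, tier: int, home_region: str) -> None:
        if tier not in (1, 2):
            raise ValueError("a GSOC is Tier 1 or Tier 2")
        self.centers[name] = Center(name, tier)
        self.zone_owner[home_region] = name

    def add_campus_center(self, name: str, open_hours: range) -> None:
        self.centers[name] = Center(name, 3, open_hours=open_hours)

    def add_site(self, site: str, region: str, campus: Optional[str] = None) -> None:
        if region not in self.zone_owner:
            raise ValueError(f"no GSOC monitors region {region!r}")
        self.site_region[site] = region
        if campus is not None:
            if self.centers[campus].tier != 3:
                raise ValueError(f"{campus} is not a campus center")
            self.site_campus[site] = campus

    def route(self, site: str, local_hour: int) -> str:
        """Return the center that must handle a signal from `site` at `local_hour`."""
        campus = self.site_campus.get(site)
        if campus is not None:
            center = self.centers[campus]
            # Tier 3 centers cover their own location during staffed hours only.
            if center.online and local_hour in center.open_hours:
                return center.name
        owner = self.centers[self.zone_owner[self.site_region[site]]]
        if not owner.online:
            # Fail loudly: a signal with no live monitor is the condition to catch.
            raise RuntimeError(f"{site}: {owner.name} is offline and its zone was not transferred")
        return owner.name

    def coverage_gaps(self) -> List[str]:
        """Regions whose current owner is offline, i.e. zones nobody is watching."""
        return sorted(r for r, g in self.zone_owner.items() if not self.centers[g].online)

    def transfer(self, from_gsoc: str, to_gsoc: str) -> List[str]:
        """Move every zone held by `from_gsoc` to `to_gsoc`; return the regions moved."""
        target = self.centers[to_gsoc]
        if target.tier > 2:
            raise ValueError("only a Tier 1 or Tier 2 GSOC can take over a region")
        if not target.online:
            raise ValueError(f"{to_gsoc} is offline and cannot accept a transfer")
        moved = sorted(r for r, g in self.zone_owner.items() if g == from_gsoc)
        for region in moved:
            self.zone_owner[region] = to_gsoc
        return moved


def build_example() -> MonitoringNetwork:
    """Constructed sample topology; names other than the three GSOCs are hypothetical."""
    net = MonitoringNetwork()
    net.add_gsoc("Redmond", 1, "Americas")
    net.add_gsoc("TVP", 2, "EMEA")
    net.add_gsoc("Hyderabad", 2, "Asia")               # region label assumed
    net.add_campus_center("Campus-A", range(8, 18))    # staffed 08:00-17:59, assumed
    net.add_site("site-campus-a", "Americas", campus="Campus-A")
    net.add_site("site-americas-01", "Americas")
    net.add_site("site-emea-01", "EMEA")
    return net


if __name__ == "__main__":
    net = build_example()
    print(net.route("site-campus-a", 10), net.route("site-campus-a", 22))
    net.centers["Redmond"].online = False
    print("gaps:", net.coverage_gaps())
    print("moved:", net.transfer("Redmond", "TVP"))
    print(net.route("site-campus-a", 22), "gaps:", net.coverage_gaps())
```
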

Technical Load Sharing

Technical load sharing creates an environment in which any of the GSOCs around the world can access and operate every system. This network enables the systematic and seamless transferring of alarm monitoring and integrated access, video monitoring, fire and life safety systems, Radio over IP (RoIP), emergency phone call (911) monitoring, and event notification and escalation.

Alarm Monitoring and Integrated Access

To monitor all of these sites around the world and provide an interoperable environment, Microsoft uses Lenel OnGuard. Lenel serves as the primary signal monitoring and integrated access backbone for the global security infrastructure. The application uses Microsoft SQL Server 2005 to store and maintain the data that it needs to manage and monitor the physical security devices throughout the Microsoft infrastructure. Lenel works seamlessly with more than 27,000 devices globally to give operators information about alarms and notification of events. From this information, the operators can determine a precision response to an event. The information is logic driven. In other words, the Lenel system can programmatically assess the severity of the information to automatically determine which information is most urgent. Figure 3 demonstrates how access control is integrated into other elements of the technical environment. This is a detailed depiction of the relationship between the systems for physical security card access, the data storage repositories, the application and communication servers, and the end-user computers.

Figure 3. Technical overview of integrated access

Video Environment

The security cameras are mapped to devices and access card readers in Lenel to enable one-click retrieval of live video as notification of events and alarms arrive from the Lenel system. The GSOC team can remotely tilt and pan many video cameras to get a panoramic view of the area. Relevant video captures are stored on 750 digital video recorders (DVRs) and network video recorders (NVRs) that are integrated into the global network infrastructure to provide viewable archive data. Microsoft can modify its retention practices on a country-by-country basis to support local regulations. Operators can also retrieve recorded video footage from the DVR to analyze the minutes leading up to the event to help them identify the cause of the alarm. This robust viewing environment enables users to view a prior event and forensically identify who may have been at the scene.

Fire and Life Safety Systems

At Microsoft, fire and life safety systems extend to more than 330 panels, and the monitoring solution is a UL-listed central station. This certification enables Microsoft to self-monitor fire alarm signals within the United States and thereby reduce overall monitoring costs and quickly support business continuity. The U.S.-based GSOC monitors the fire sensors and alarms and dispatches local emergency response as needed for fire events. The system uses several types of hardware but is primarily based on Radionics panels mapped to Lenel, Simplex, or Siemens monitoring services.

Radio over IP

Microsoft security requirements call for each GSOC to monitor and manage security response over very large geographic areas where typical radio frequency (RF) communication is limited. The Global Security team extends the reach of RF communications by using RoIP over robust network services. This capability enables specific monitoring centers to communicate directly with responders at remote locations without relying on cellular phone technology. In the Microsoft environment, this functionality enables the GSOC in India to speak directly to a field officer in the United States. Alternatively, a field officer in the United Kingdom can speak with a field officer at any RF-enabled facility worldwide. Microsoft uses a standard Motorola solution to deliver RoIP.

911 Monitoring

In the event of a life safety emergency, Microsoft personnel are directed to call 911, or their regional public safety number, as the first response. The Redmond GSOC is notified of all 911 calls that occur from locations on the Microsoft campus and can listen to the calls as the individuals speak with the 911 center. The GSOC can then validate each situation, collect valuable information about the event, and dispatch responders as needed. The Microsoft response teams can help route and escort the police or fire teams to the location and provide access to secure facilities.

Event Notification and Escalation

Event notification and escalation are critical to the deployment of a precision response throughout the Microsoft global environment. Microsoft uses AlertFind as an externally hosted application and notification service that delivers messaging to people through multiple devices by using user-specified escalation rules. This application has persistence in notification, may require acknowledgement, and can be configured for use over secondary communication lines.

Operational Load Sharing

Operational load sharing refers to the applications that enable all three of the GSOCs to access and operate any of the other regions at a tactical level. It includes areas such as consistent policies and procedures, management of critical incidents, geographic mapping, internal communications, and investigative case management.

Consistent Policies and Procedures

Whereas Lenel is the backbone of technical load sharing at Microsoft, Microsoft Office SharePoint Server 2007 gives the global organization an operational backbone. This application enables all of the GSOCs to pull data from the same sources, yet presents it in a way that is regionally based. Files such as policies and procedures, points of contact, and training all reside on a SharePoint site that can be accessed from anywhere. If a GSOC becomes inoperable, another GSOC can easily obtain the needed information to tactically respond to an event outside its region with little, if any, downtime. In addition, the SharePoint site is a hub for each operations environment to access administrative files such as evaluations and time-off requests. Users can also see their schedules online, even from home.

Management of Critical Incidents and Site-Specific Data

The Microsoft Office InfoPath 2007 information-gathering program enhances the data management functionality of Office SharePoint Server 2007. Office InfoPath is an application that enables the primary party to create and deploy electronic forms to gather information efficiently and reliably. Microsoft uses the automation of Office InfoPath and Office SharePoint Server to manage contacts and associated escalations for more than 700 sites. Office InfoPath enables users to enter instructions and help text directly on the form while completely automating the submission and database connection to Office SharePoint Server. The built-in management and automation of Office SharePoint Server helps ensure that the data goes to the appropriate teams and sends updates or follow-up instructions without requiring an investment in a large amount of administrative effort. Taking advantage of the synergies of these two applications has reduced administrative time from months to hours. All GSOCs currently use Office InfoPath forms for acquiring site-specific data such as headcount, total square footage, and whether a building is in fire hold or bypass. In addition, Office InfoPath has become the primary means by which GSOCs compile and present information related to critical incidents that directly affect Microsoft sites or staff. This capability gives key security personnel a single source for accurate, up-to-date information about incidents as they occur, eliminating time delays and miscommunications.

Geographic Mapping

Microsoft uses IDV Solutions' Visual Fusion product, which is a partner product that takes advantage of the Microsoft Bing Maps platform to geographically display all site locations around the world. Visual Fusion also displays site-specific data that the GSOCs collect through Office InfoPath and Office SharePoint Server, in addition to publicly available GeoRSS feeds. This mapping helps determine what sites are within affected areas and other critical information needed when natural disasters, weather events, or political events occur. During high-priority incidents inside buildings, relevant video feeds and building maps with device overlays are displayed in the GSOC to enable tracking and monitoring of an event. Security personnel can operate devices such as door readers and video cameras directly from the maps.

Internal Communications

Another tool that the GSOCs rely on to effectively manage the global security infrastructure is Microsoft Office Communicator 2007. Office Communicator is a unified communications tool that ties together instant messaging (IM), voice, video, online collaboration, and more. It also helps ensure that the interactions between the GSOC personnel are quick, accurate, self-documented, and easily retrievable for case records. Office Communicator helps the GSOCs be more productive by enabling them to communicate with each other across different regions of the world and across time zones. By using Office Communicator, GSOC personnel can identify in real time who is available in a particular region and instantly share critical information. They can also start a phone call, a video conference call, or a Microsoft Office Live Meeting session with the click of a mouse. If pertinent individuals are not currently available, a GSOC staff member can use Office Communicator to alert them when they come online, to schedule a meeting, or to send another user a message or a file attachment.

Investigative Case Management

Microsoft uses a third-party product, PPM 2000 Perspective, running on SQL Server 2005, to manage all of its investigations and cases around the world. Perspective is an incident reporting and investigation management application. It integrates with the Microsoft Office Outlook 2007 messaging and collaboration client and includes a browser tool. This application provides a common platform that anyone on the Microsoft network can use to file a report. The familiar and consistent interface enables Microsoft to maintain global reporting, while still managing regulatory compliance concerns through regional investigative teams. This tool takes advantage of the security of SQL Server to maintain the integrity of some of the Global Security team's most sensitive data.

Note: More information about PPM 2000 Perspective is available at

PHYSICAL SECURITY OPERATIONS

Through a convergence of information technology and physical security, Microsoft can provide physical security operations on a global basis more effectively and efficiently. The following scenarios help to illustrate how the Global Security team uses technology to provide physical security services at Microsoft.

Interoperability

As mentioned before, through technical and operational load sharing, the network of GSOCs creates an interoperable environment. This environment not only is flexible in terms of failover and redundancy capabilities, but also can provide a precision response to an event that occurs at any Microsoft location in the world. There have been several instances in which one GSOC has had to load share with another GSOC because of inclement weather or another event on a Microsoft campus. For example, the Redmond GSOC recently sustained a six-hour power failure when it moved operations into a new building. Because of this outage, the Redmond GSOC could not monitor its systems and had to load share with the TVP GSOC. In this case, the load sharing of systems spanned the core technical and operational components mentioned earlier. The Redmond GSOC initiated the transfer, but the TVP GSOC quickly acquired all of the regional responsibilities by following a checklist. As part of the transfer, the TVP GSOC modified its monitoring zone to include the Americas area, the system validated the transference of the monitoring of fire systems, and the system automatically routed all calls to the TVP GSOC. The TVP GSOC confirmed operational transfer by using RoIP connections. Within minutes, the TVP GSOC began monitoring the Redmond GSOC's region in addition to its own region, both technically and operationally. Figure 4 illustrates the interoperability between the Redmond GSOC, which covers the Americas, and the TVP GSOC, which covers Europe, the Middle East, and Africa (EMEA).

Figure 4. Interoperability between Redmond and TVP GSOCs

Microsoft has designed its solution to literally move from one production environment to another. The preceding example highlights the simplicity and effectiveness of the load sharing between GSOCs. Traditional failover systems for physical security typically include a significant delay because backup systems require startup sequences before they go online. However, at Microsoft, because each GSOC can receive all global signal data, and personnel are cross-trained to handle different roles, the only time required for failover in a catastrophe is the time to assign personnel to monitor the data. In addition, the Global Security team has incorporated mobility into the monitoring stations for physical security. If the two other GSOCs cannot acquire the region's responsibilities, the personnel in a GSOC can move their operations simply by taking their laptops to another building that has access to the Microsoft corporate network.

Automated Event Monitoring by Priority

Each GSOC is staffed for continuous operation. However, the team on duty at any particular time is relatively small and not capable of acknowledging, assessing, communicating, and coordinating a response to thousands of simultaneous events sequentially as they occur. Microsoft implemented business rules to prioritize the monitoring feeds and ensure that the GSOC personnel see the most urgent event notifications, or the events that might have the greatest impact on Microsoft assets. Rather than relying on the GSOC team to monitor and analyze every signal in order to assess and prioritize feeds, the system automatically prioritizes and presents the feeds. For example, a duress or fire alarm jumps to the top of the queue. The system also instantly and automatically enables other aspects of the infrastructure for physical security, such as displaying the video feed and other relevant information (including maps and floor plans) from the site or area in question. The GSOC team can then understand the nature and extent of the threat and respond accordingly.
In addition to the operational signal load (the volume of alerts, alarms, and other event notifications that flow into the GSOC), a significant amount of maintenance load is rerouted for later follow-up by the appropriate individuals when devices go offline. Although the highest-priority incidents receive the most urgent attention, the GSOCs receive and analyze other alerts and alarms as time permits to ensure that they address all issues, and not just the urgent incidents. Figure 5 illustrates automated event monitoring by priority.
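The prioritization rules described above, sketched as an added example (not code from the white paper or from Microsoft's systems): operator events are ordered by an assumed priority table, maintenance signals are diverted to a follow-up list, and top-priority alarms raise a request for video and floor plans. Event type names, priority tiers, and site and device identifiers are constructed for illustration.

```python
import heapq
import itertools

# Assumed priority table (lower = more urgent). The paper states only that
# duress and fire alarms jump to the top; the other tiers are hypothetical.
PRIORITY = {"duress": 0, "fire": 0, "forced_door": 1,
            "door_held_open": 2, "invalid_badge": 3}
MAINTENANCE_TYPES = {"device_offline", "low_battery"}  # hypothetical names
UNKNOWN_PRIORITY = 1  # unrecognized signals are reviewed early, never dropped


class TriageQueue:
    def __init__(self):
        self._heap = []
        self._seq = itertools.count()  # tie-breaker: FIFO within a priority
        self.maintenance = []          # follow-up list, kept out of the operator view
        self.context_requests = []     # (site, device) pairs needing video and maps

    def ingest(self, event):
        """Route one event and return the name of the queue it went to."""
        if event["type"] in MAINTENANCE_TYPES:
            self.maintenance.append(event)
            return "maintenance"
        prio = PRIORITY.get(event["type"], UNKNOWN_PRIORITY)
        heapq.heappush(self._heap, (prio, next(self._seq), event))
        if prio == 0:
            # Top-priority alarms also pull up camera feeds and floor plans.
            self.context_requests.append((event["site"], event["device"]))
        return "operator"

    def next_for_operator(self):
        """Pop the most urgent pending event, or None when nothing is pending."""
        return heapq.heappop(self._heap)[2] if self._heap else None


def triage(events):
    """Ingest a batch; return (operator order by id, maintenance ids, context)."""
    q = TriageQueue()
    for ev in events:
        q.ingest(ev)
    order = []
    while (ev := q.next_for_operator()) is not None:
        order.append(ev["id"])
    return order, [e["id"] for e in q.maintenance], q.context_requests


# Constructed sample signals, listed in arrival order.
SAMPLE_EVENTS = [
    {"id": 1, "type": "invalid_badge", "site": "BLDG-A", "device": "reader-12"},
    {"id": 2, "type": "device_offline", "site": "BLDG-B", "device": "cam-03"},
    {"id": 3, "type": "door_held_open", "site": "BLDG-B", "device": "door-07"},
    {"id": 4, "type": "fire", "site": "BLDG-C", "device": "panel-1"},
    {"id": 5, "type": "glass_break", "site": "BLDG-A", "device": "sensor-9"},
    {"id": 6, "type": "duress", "site": "BLDG-A", "device": "button-2"},
    {"id": 7, "type": "forced_door", "site": "BLDG-C", "device": "door-01"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The `glass_break` event has no entry in the table, so it is queued at the fallback tier instead of sinking below routine badge errors.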

Figure 5. Automated event monitoring by priority

Alarm/Event Monitoring and Precision Response

Monitoring alarms and events, and responding to them, is at the core of the GSOC operations. A GSOC receives alarms and events in five ways:

- Receives e-mail, phone calls, and walk-ins
- Monitors subscription news services
- Receives event notifications from the physical access control systems and fire alarm systems
- Hears 911 calls as they are made to the local 911 call center
- Receives information from security officers via radios and cellular phones

The following example of a monitoring and response scenario highlights how Microsoft integrates its technologies for processing alarms and events to enable a precision response: A GSOC receives a call from an individual who is concerned about a stranger who is acting suspiciously. The GSOC communications center sends the information to monitoring personnel and the dispatcher in the GSOC via Office Communicator. The monitoring personnel then examine building maps and video on any of the cameras near the event location. By using pan, tilt, and zoom functionality, the monitoring personnel can follow events instead of being limited to a traditional fixed view. In this case, the monitoring personnel determine that the threat is actually from a group of individuals rather than one person. While the monitoring personnel are making this assessment, they are sending instant messages to the dispatcher about the nature of the event. The dispatcher provides an appropriate response to the location based on the seriousness of the event and calls the local police department to inform it about the situation. After dispatch has occurred, the monitoring personnel continue to view the video feeds to provide the dispatcher and local law enforcement with accurate real-time data of the event.

Each workstation in the GSOC can perform all functions. Therefore, if needed, the monitoring personnel can take over dispatch functions, and vice versa. This ability means that individuals can focus on an event and allow others to temporarily cover other functions in the GSOC.

Using Microsoft technologies like Office Communicator improves the efficiency of the GSOC and the accuracy of case management files. All information for case management summaries is pulled directly from the IM logs and represents actual communications that occurred. This capability eliminates the need to re-create or remember what happened during an event. Currently, Office Outlook 2007 and Office Communicator 2007 handle most of the incoming traffic. However, Microsoft is always looking for ways to implement new Microsoft products as enablers for the business. To that end, Global Security plans to implement Microsoft Dynamics CRM to track incoming messages and requests in the future.

Remote Monitoring and Event Management

The environment of technical and operational load sharing also enables the three GSOCs to monitor other sites in their region and to remotely dispatch personnel. During business hours, local campuses monitor themselves. But during off-peak times, they transfer controls to the GSOC within their region, saving on monitoring costs. This system not only provides a staffing savings to Microsoft, but also provides on-site security for locations with the greatest need during the day. In cases such as the example described earlier, the regional GSOC reacts as if the situation is happening on the local campus. By using the SharePoint site, the GSOC personnel can access local points of contact and escalation plans. The difference in this case is that they dispatch precision responses to suspicious people in a building through RoIP and through coordination with law enforcement agencies local to the event.

Storage and Sharing of Personal Data

One of the key aspects of physical security convergence with IT is that data is collected once about the individuals who have access to Microsoft physical assets and then used in multiple downstream systems as needed.
A data warehouse maintains the integrity of the source security data. The process of adding a new user to the Microsoft network includes gathering information to identify and contact the user, including photographs, access levels, and phone numbers. This information can be shared with applications like Office SharePoint Server 2007 or the products in the 2007 Microsoft Office system, in addition to other enterprise systems. The access control system also allows for the use of access control accounts in downstream systems. These systems include Point of Sale (POS) for paying by cardkey (an emerging technology to enable employees to link their access card with their financial accounts and use it for purchases within Microsoft), time tracking, and attendance metrics for training and events.

To use the personal data while protecting it from unauthorized or inappropriate use, Microsoft does not allow any party to directly access the source data. A subscription data warehouse acts as an intermediary between the security-enhanced repository for personal data and the external application or service that needs the data. The subscriber receives only the data that has been requested and that is allowed by Microsoft policy and regulatory compliance. This system allows external applications and groups to use a common platform of tools and processes to access, work with, and manipulate the personal data in a variety of ways while maintaining the integrity of the original personal data stored in the security-enhanced repository.

Real-Time Site Information and Global Event Notification

The SharePoint portal and Office InfoPath infrastructure used for critical incident and data management includes real-time site information and global event notification. The InfoPath electronic forms allow the capture of site-specific information at the source. The points of contact (POCs) at each site update the information in InfoPath forms and submit the forms to the SharePoint portal. The SharePoint portal reflects site-specific information in real time, enabling a precise operational response to each event. In case of disaster, GSOC personnel fill in the global event notification InfoPath forms, and the electronic forms notify and update key Global Security personnel of event status, site-related information, and other pertinent information. Figure 6 illustrates real-time site information and global event notification.

Figure 6. Real-time site information and global event notification

Enterprise Maintenance

Security hardware requires regular service and maintenance to help ensure that it remains functional. Microsoft recognized the need to establish a scalable process for maintaining the infrastructure for physical security throughout the global enterprise. Microsoft also recognized the importance of managing the readiness of all devices and setting downtime expectations for the GSOC personnel. The Security System Team (SST) at Microsoft manages the maintenance and repair of the remote peripheral devices that compose the backbone of the infrastructure for physical security. As shown in Figure 7, the members of the SST can use their computers to remotely triage the peripheral security devices.
After assessing and troubleshooting malfunctioning equipment, the SST either resolves the situation remotely, escalates to Microsoft IT if appropriate, or dispatches the issue to on-site personnel if necessary.

Figure 7. Maintaining the physical security infrastructure

The various devices that compose the infrastructure for physical security require periodic updates to keep them running smoothly. The SST manages and maintains the equipment remotely by using Microsoft tools such as Terminal Services and Remote Desktop. From anywhere in the world, the members of the SST can connect with the equipment located at the remote sites as if they were in the remote location. After establishing the connection, they can access the necessary software, management consoles, and Web sites to acquire and install any relevant software updates and implement any required firmware upgrades. With thousands of access card readers, IP-based video cameras, DVRs, and other devices spread over hundreds of sites around the world, on-site support or travel to sites is costly and impractical. The ability to remotely support the devices substantially saves support costs.

Provisioning Life Cycle

In a traditional solution for physical access security, the process of creating new accounts, granting and maintaining user rights, and revoking accounts when the access is no longer valid is both manual and separate from other human resources (HR) and IT account-creation processes. These limitations make the process more cumbersome to manage. They also often cause errors regarding data accuracy, delays in the setup of user rights, and removal of user rights after an employee has been removed from the other HR and IT systems. Converging physical security with information technology helps Microsoft solve these problems. Microsoft ties the process of creating, maintaining, and revoking physical access accounts and user rights into the setup and termination infrastructure. Microsoft developed an efficient system for creating network accounts and issuing physical access cards.
The Microsoft system uses existing information, rather than collecting the same data repeatedly, to create the accounts as part of the process that adds the user to the HR system. When a manager hires a new employee, he or she adds the initial information into the SAP enterprise resource planning (ERP) system via HeadTrax. HeadTrax is an internal HR system that is built on .NET and that ties together HR and SAP systems. An application called ACCMAN automatically adds user accounts to the Active Directory infrastructure where network access credentials are managed. This new account information is extracted from a data warehouse that is updated daily. In the same manner, the OnGuard physical access control system creates new accounts and updates relevant data from the HR system by using the data warehouse.

Just as with the creation and maintenance of user rights for physical security, the process of revoking access is automated at Microsoft. HR is the catalyst for this process as well. As a manager makes changes to the status of an employee or a contractor in the HR system, the changes automatically propagate to Active Directory and physical access control systems. Figure 8 illustrates the process for creating or revoking user credentials.

Figure 8. Overview of flow of information for creating or revoking user credentials

This relation of user rights for physical security to the user's role and status in the HR system improves the efficiency of account creation, maintenance, and revocation. It also has the benefit of strengthening the security and compliance of Microsoft overall by helping to facilitate the concept of least privileged access. Users are granted only the user rights that they need while they need them, and those user rights are automatically revoked when no longer necessary.

Situational Awareness Through Geospatial Mapping

Bing Maps enables GSOC personnel to search, visualize, and collaborate by using data in the context of location. GSOC personnel extract point-of-interest data in case of an event that requires them to gather information such as site location and number of employees. Further, the GSOC personnel can access building-level maps and can identify the location of cameras and alarm systems. Through real-time GeoRSS feeds, Bing Maps geospatially displays each site location and world events on a SharePoint portal. The SharePoint portal provides up-to-the-minute site details (for example, headcount, floor space, and contact information). Bing Maps overlays of building floor plans and geo-coded camera locations on the SharePoint portal enable the control of IP cameras.

Figure 9. Situational awareness through Virtual Earth and SharePoint portal
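The HR-driven creation and revocation flow described under Provisioning Life Cycle can be audited with a reconciliation pass like the following added example, which is not code from the white paper or from any Microsoft system. It compares an HR snapshot with directory accounts and badge holders and lists the actions needed to restore least privilege; the role names, access levels, person identifiers and action names are all hypothetical.

```python
# Assumed mapping from HR role to physical access levels (hypothetical names).
ROLE_LEVELS = {
    "employee": {"campus_perimeter", "office_floor"},
    "contractor": {"campus_perimeter"},
    "datacenter_ops": {"campus_perimeter", "office_floor", "server_room"},
}


def reconcile(hr_records, directory_accounts, badge_holders):
    """Return the sorted actions that bring both systems in line with HR."""
    actions = []
    active = {r["person_id"]: r for r in hr_records if r["status"] == "active"}
    active_ids = set(active)

    for pid, rec in active.items():
        wanted = ROLE_LEVELS.get(rec["role"], set())  # unknown role grants nothing
        if pid not in directory_accounts:
            actions.append(("create_directory_account", pid, ()))
        held = badge_holders.get(pid)
        if held is None:
            actions.append(("issue_badge", pid, tuple(sorted(wanted))))
            continue
        if held - wanted:  # levels left over from an earlier role
            actions.append(("remove_levels", pid, tuple(sorted(held - wanted))))
        if wanted - held:
            actions.append(("add_levels", pid, tuple(sorted(wanted - held))))

    # Anything downstream that HR does not list as active is revoked. This
    # covers terminated staff and accounts that never had an HR record.
    for pid in set(directory_accounts) - active_ids:
        actions.append(("disable_directory_account", pid, ()))
    for pid in set(badge_holders) - active_ids:
        actions.append(("revoke_badge", pid, ()))
    return sorted(actions)


# Constructed sample data standing in for the daily data warehouse extract.
HR_SNAPSHOT = [
    {"person_id": "p100", "status": "active", "role": "employee"},
    {"person_id": "p101", "status": "active", "role": "contractor"},
    {"person_id": "p102", "status": "terminated", "role": "datacenter_ops"},
    {"person_id": "p103", "status": "active", "role": "employee"},  # new hire
]
DIRECTORY = {"p100", "p101", "p102"}
BADGES = {
    "p100": {"campus_perimeter", "office_floor"},
    "p101": {"campus_perimeter", "server_room"},  # excess level
    "p102": {"campus_perimeter", "office_floor", "server_room"},  # terminated
    "p999": {"campus_perimeter"},  # badge with no HR record
}

if __name__ == "__main__":
    for action in reconcile(HR_SNAPSHOT, DIRECTORY, BADGES):
        print(action)
```

Because the source extract is refreshed daily, a pass like this reports revocations only as fresh as the last snapshot; an empty result means the three systems agree as of that extract.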