Physical Security at Microsoft: Taking Advantage of Strategic IT Convergence
Technical White Paper
Published: May 2008
Situation
Implementing and monitoring physical security for an enterprise the size of Microsoft
can be cumbersome and expensive. Traditional approaches to physical security are
inefficient and difficult to manage effectively on a global scale.
Solution
By building a strategy for physical security that relies on standard off-the-shelf
products and the existing IP networking infrastructure, Microsoft has been able
to realize substantial cost savings, improved security, and other significant benefits.
Benefits
- Cost savings
- Improved security
- Scalability and extensibility
- Continuity of service
Products & Technologies
- Microsoft Office SharePoint Server 2007
- Microsoft Office InfoPath 2007
- Microsoft MapPoint 2006
- Microsoft Office Outlook 2007
- Microsoft Office Communicator 2007
- Remote Desktop and Terminal Services
- SQL Server 2005
- 2007 Microsoft Office system
Executive Summary
A comprehensive security program for an organization includes both the physical
security of facilities, such as restricting access to buildings and monitoring alarm
systems for fire or break-ins, and logical security of IT resources, such as restricting
access to sensitive data and monitoring network traffic for signs of suspicious
or malicious activity. At Microsoft, the strategy for developing the processes and
solutions that help provide physical security includes a partnership between the
internal Global Security and Microsoft Information Technology (Microsoft IT) teams.
This partnership takes advantage of the available technology and technical resources
to provide a scalable system for life safety and facility monitoring that can be
managed from virtually anywhere in the world.
Through the strategic deployment of security systems, the Global Security team is
improving the way it protects Microsoft assets, information, and employees. By aligning
physical security drivers and IT delivery mechanisms, the team can produce an environment
where physical security and IT complement each other rather than compete with each
other.
Microsoft encompasses more than 670 sites globally. The Global Security team must
protect resources at those sites. This task includes monitoring more than 23,000
pieces of hardware: card readers for physical access, cameras, fire panels, environmental
alarms, biometric security systems, duress alarms, and additional devices and sensors.
Global Security must also manage more than 150,000 active holders of access cards
and more than 20 million system events each month (for example, users who have misplaced
their access cards, maintenance alarms, unauthorized access, building fires, or
natural disasters).
With an enterprise as large as Microsoft, monitoring and protecting assets around
the world is a challenge. The traditional security strategies were too cumbersome
and costly to be effective. Microsoft developed the convergence of physical security
infrastructure with IT practices by using off-the-shelf software applications wherever
possible, to create a more streamlined, efficient, and cost-effective security solution.
This paper is for business and technical decision makers who are interested in learning
how Microsoft uses the IT organization, Microsoft technology and products, and third-party
resources to provide physical security services to Microsoft personnel and locations
worldwide. Many of the principles and techniques that this paper describes can be
employed to manage physical security within any organization. However, this paper
is based on Microsoft experience and recommendations, and it is not intended to
serve as a procedural guide. Each enterprise environment has unique circumstances;
therefore, each organization should adapt the plans and lessons learned described
in this paper to meet its specific needs.
Note: For security reasons, the sample names of internal resources and organizations
used in this paper do not represent real names used within Microsoft and are for
illustration purposes only.
Introduction
Microsoft built its converged approach to physical security on a foundation of information
technology. Taking advantage of the IT infrastructure within the Microsoft environment
provides the keystone for the success of the solution. Using standard, off-the-shelf
software applications and the existing global IP networking infrastructure enables
Microsoft to monitor its entire enterprise from centralized locations, and still
respond or dispatch personnel wherever they are needed throughout the world.
Approaching security as a unified initiative enables Microsoft to monitor and protect
more assets by using fewer resources. Global centers for security monitoring can
deliver total interoperability, including failover capabilities as necessary. To
effectively monitor and protect its resources, Microsoft built its solution on nine
essential design principles to provide a layered security model. The design principles,
which are discussed in detail in the "Developing a Convergence Strategy"
section later in this document, helped the architects of the strategy for physical
security to find a balance between providing security for the infrastructure and
enabling business functions.
Ultimately, the goal of the system of monitoring physical security is to extend
human senses to the extent possible via technology, in order to simulate or predict
a ubiquitous presence and allow for timely mitigation. IP, low-light, and infrared
cameras simulate sight. Motion sensors and proximity/barrier sensor alarms simulate
touch. Audio sensors that detect anomalous noises or spikes in background volume
simulate hearing. Using IT mechanisms to extend these senses around the world helps
satisfy the mandate of physical security without necessitating the deployment of
a static physical presence at every location.
By using a variety of Microsoft technologies and some third-party technologies,
the Global Security team can monitor sites around the world and direct a precision
response that is appropriate to the event. The sensor data and information at the
team's disposal enables it to quickly analyze and understand the impact of an event,
and to engage the appropriate on-site resources when necessary.
Comparing this approach with what Microsoft did in the past, or with traditional
physical security strategies, underscores its value. Previously, closed circuit
television (CCTV) cameras existed at each location and fed to traditional video
recording equipment. The tapes in these video recorders had to be constantly swapped
out as they filled up, and they had to be securely archived. Attempting to access
the video data required sifting through hundreds or thousands of tapes, and then
scanning them in a linear fashion to find a specific point in time.
Without a central monitoring facility and the IT infrastructure to support the centralized
security model, each site required more personnel physically on site to monitor
and respond to alarms. Contracting the monitoring and response of the fire alarm
system also represented a substantial ongoing expense.
Convergence Strategy
Microsoft based its initiative of converged physical security on a design philosophy
that included a strategy for managing physical access to Microsoft resources and
the Weighted Business Model. The Weighted Business Model (illustrated in Figure
1) incorporates the balance between technology, monitoring, and response, and the
administration of all three.
Figure 1. Graphic depiction of the components of the Weighted Business Model
The Weighted Business Model helped Global Security understand and define the key
components of physical security and their relationship with each other. This understanding
enabled the team to implement an effective and efficient strategy.
Another key component of the success of the initiative for converged physical security
is the cooperation of different departments and teams within Microsoft. A fundamental
part of this cooperation is establishing relationships and expectations between
the various entities. The Global Security team understands that the success of any
project in a corporate environment depends on support from senior and executive
management. Global Security has worked diligently to ensure that senior management
understands and supports the goals of the strategy for physical security.
Analyzing the functions of the organization, and understanding the benefits and
pitfalls of different approaches, assisted Global Security in developing physical
security objectives to meet the unique needs of the business across all regions.
To produce its physical security design, Microsoft managers agreed to a basic set
of design principles and continually used them as the touchstone for new decisions.
This enabled them to maintain the integrity of their design and not be distracted
by the latest state-of-the-art of technology. The following design principles represent
the business parameters and functional design elements that Microsoft focused on:
- Deterrence value
Security measures must strike a balance between security and functionality. Part
of the strength of that balance is in creating the awareness that physical security
exists, so the attempt is to place the security measures strategically and make
them conspicuous. Simply making people aware of monitoring devices and other
physical security measures helps to deter theft or trespass.
- Remote monitoring
Monitoring security systems from a remote location provides the ability to centralize
the administration and response. One of the benefits of integrating physical security
with information technology is the ability to use a smaller, centralized team of
individuals to monitor and respond to events throughout an entire region. Event-based
response and signal prioritization ensure that the most important events receive
immediate attention, and they help facilitate continuity of response throughout
the enterprise. Microsoft also takes advantage of remote functionality to maintain
and troubleshoot the physical security equipment over the network.
- Precision response
Precision response is closely related to remote monitoring.
If the design philosophy calls for remote monitoring from a central location, it
also must ensure that the proper resources can be dispatched on site in a timely
manner when an event is detected. By using the tilt and pan functionality of the
IP cameras, and correlating information by using other technologies, Microsoft can
remotely assess incidents and dispatch an appropriate response.
- Off-the-shelf infrastructure
By using standard off-the-shelf hardware and software, the Global Security team
made a conscious decision to adapt its processes to the infrastructure and not the
other way around. The use of off-the-shelf products reduces the costs of both implementation
and maintenance while increasing continuity and efficiency in delivery because Microsoft
can apply standard training and support services. By establishing long-term relationships
with key vendors to build into their products new, standard features and functions
according to business priority, Global Security improves longevity of the product
life cycle while still acquiring must-have requirements over time.
- Use of Microsoft products
Wherever possible, the design of physical security relies on Microsoft products.
Microsoft analyzed its different tools and applications and used them to deliver
much of the core technology of the solution for physical security. As new Microsoft
products are developed, they are evaluated to determine what role or impact they
might have within the strategy for physical security. The third-party products that
Microsoft uses in its strategy for physical security are built on Microsoft technologies
such as Microsoft® SQL Server® database software, Microsoft .NET, and Microsoft
SharePoint® Products and Technologies.
- Remotely managed IP devices
Microsoft uses the existing global IP network to handle rapid changes in hardware
and to achieve faster and more cost-effective scalability. Microsoft can deploy
security devices, like IP cameras and card readers for physical access, more efficiently
because installation is less likely to require additional proprietary components
or a separate cabling or communications network. Using IP-based edge devices also
enhances the ability to monitor and maintain the equipment at Microsoft.
- Defense in depth
Defense in depth provides multiple layers of security at a facility, proportionate
to asset risk. The concept rests on the idea that additional security controls, or
layers, arranged around the protection of critical assets, provide a mechanism to
systematically delay a threat, intervene effectively, and mitigate risk. A threat
that infiltrates one layer is detected at another layer,
giving Microsoft multiple opportunities to detect and respond to an event. Defense
in depth for physical security begins with designing facilities with the strategy
for physical security in mind, and it considers property boundaries, building approach,
parking areas, ingress and egress points of a building, and flow of human traffic
through the building. It also includes the physical security devices, like access
card readers that grant or prevent access and log activity at facility entry points,
biometric authentication, camera systems, hardened construction, and other discreet
sensors that monitor specific areas. All of these functions combined provide a layered
defense strategy in protection of Microsoft resources.
- Forensics/investigative model
A critical component of the design philosophy is to ensure that video data, access
logs, and other pertinent information are properly captured and stored for investigation
if a physical security incident occurs. The Global Security team must be able to
retrieve and analyze monitoring data and log information in order to determine when
and how an event occurred, or the identity of relevant persons if necessary.
- Managed physical access
The concept of managed physical access ensures that strategies, policies, and procedures
for physical access support an effective security environment that is both more
functional and more cost-effective than previous physical security solutions. Toward
that end, Microsoft developed the following key strategies for managed physical
access:
- Alignment of accountability and authority
The parties that are accountable for physical security and life safety should have
the authority to directly manage and act. The Microsoft approach is to closely align
influence and decision-making aspects with the responsibility for delivering the
service. In some instances, this means providing authority to the appropriate group
or role within a department. In other instances, it involves facilitating clear
roles and collaboration between traditionally separate functions, such as IT administrators
and facility maintenance.
- Least privileged access
Least privileged access simply means that users should have user rights to only
the areas that they need to access, and only for as long as the need exists. With
least privileged access in mind, Microsoft sought to establish clear expectations
and define categories of people for simplified management. By grouping individuals
based on their job function, Microsoft can define role-based user rights for groups
like visitors, janitorial staff, and regular employees.
- Policy and facility design
Microsoft strives to implement policies that protect Microsoft assets without impeding
productivity. Policies seek to empower and complement, rather than obstruct, the
flow of business. Microsoft approaches facility design with a goal of reducing risk.
Facilities are built to support security efforts by limiting entry points, providing
a logical layout that integrates smoothly with the concept of least privileged access,
and providing optimal positioning for event-driven monitoring systems.
- Awareness, education, and compliance
Microsoft places great emphasis on ensuring that users are aware of the security
policies and technologies in place, and that they understand their role in protecting
Microsoft assets and themselves.
- Provisioning process and life cycle
A successful solution for managed physical access requires alignment and integration
with HR. It encompasses the entire provisioning life cycle of access, from the point
when a user is granted access to a facility or asset to the point when the access
is revoked. In addition, some compliance and privacy requirements are inherent with
the sharing of data between departments. Microsoft understands that it must define
and manage privacy information and be cognizant of regulatory compliance issues
that affect how the data can be used. Microsoft manages regulatory, corporate, and
privacy compliance through close partnership with legal counsel.
- Network tools
Microsoft relies on both its own products and technologies and third-party commercial
applications for automating access control to Microsoft assets and facilities. Product
selection is directly related to business needs. Microsoft also relies on network
services for voice and radio over IP (RoIP) solutions, enabling IP-based communications
on a global scale.
- Business intelligence
Business Intelligence demonstrates the value of a particular security solution,
and it justifies the continued investment in that solution. Whereas most business
functions are measured by the revenue that they generate, security requires more
unique or creative metrics. Demonstrating the value of a security solution requires
capturing and analyzing data that illustrates how the current solution is more cost-effective
than previous or proposed security solutions.
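As an added illustration of the "Least privileged access" and "Provisioning process and life cycle" strategies above (example code written for this page, not part of the Microsoft or Lenel OnGuard implementation), the following Python models role-based, time-bounded physical access grants, a deny-by-default access decision, and an HR-driven revocation step, plus an audit that finds cards whose grants have all lapsed without a formal revocation. The role names, zone names and card identifiers are constructed assumptions; a real system keeps this state in the access-control database rather than in memory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role-to-zone mapping, constructed for this example. These are
# not the groups or zones used at Microsoft or in Lenel OnGuard.
ROLE_ZONES = {
    "employee":   {"lobby", "office", "lab"},
    "janitorial": {"lobby", "office"},
    "visitor":    {"lobby"},
}


@dataclass(frozen=True)
class Grant:
    role: str
    starts: datetime
    ends: datetime      # every grant expires: access only "as long as the need exists"


@dataclass
class Cardholder:
    card_id: str
    grants: list = field(default_factory=list)
    revoked: bool = False   # set by the HR-aligned deprovisioning step


def provision(holder, role, starts, duration):
    """Issue a time-bounded role grant. An open-ended grant is deliberately impossible."""
    if role not in ROLE_ZONES:
        raise ValueError(f"unknown role {role!r}")
    holder.grants.append(Grant(role, starts, starts + duration))


def revoke(holder):
    """Termination or card loss: the card stops working regardless of remaining grants."""
    holder.revoked = True


def decide(holder, zone, at):
    """Return (allowed, reason). Deny by default; allow only when some
    unexpired grant's role includes the requested zone."""
    if holder.revoked:
        return False, "card revoked"
    for g in holder.grants:
        if g.starts <= at < g.ends and zone in ROLE_ZONES[g.role]:
            return True, f"{g.role} grant valid until {g.ends.isoformat()}"
    return False, "no active grant covers zone"


def expired_but_not_revoked(holders, at):
    """Audit: cards whose every grant has lapsed but that were never formally
    revoked. These are the records the HR reconciliation step should catch."""
    return [h.card_id for h in holders
            if not h.revoked and h.grants and all(at >= g.ends for g in h.grants)]


if __name__ == "__main__":
    t0 = datetime(2008, 5, 1, 9, 0)
    guest = Cardholder("V-0001")
    provision(guest, "visitor", t0, timedelta(hours=8))
    for zone, at in [("lobby", t0 + timedelta(hours=1)),
                     ("lab", t0 + timedelta(hours=1)),
                     ("lobby", t0 + timedelta(hours=9))]:
        print(zone, at.isoformat(), decide(guest, zone, at))
    print("stale cards:", expired_but_not_revoked([guest], t0 + timedelta(hours=9)))
```

The decision function never consults the role table without first checking revocation and grant validity, so a stale role definition cannot widen access for a card that should already be dead.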
Security Operations Centers
Microsoft has three Global Security Operations Centers (GSOCs) that monitor security
for all Microsoft assets on a regional basis. The primary GSOC is in Redmond, Washington.
The Redmond GSOC establishes standard processes and procedures for the global infrastructure,
so Microsoft classifies it as a Tier 1 facility. The other regional GSOCs—the Tier
2 facilities—are in Thames Valley Park (TVP), United Kingdom, and Hyderabad, India.
Finally, 15 local Tier 3 facilities, called Campus Security Operations Centers,
monitor their locations during business hours only and are monitored by Tier 1 or
2 operations centers after hours. All of the facilities share the same technical
infrastructure, allowing management to make business decisions to cost-effectively
add or consolidate centers as needed.
The GSOCs monitor more than 670 physical sites worldwide. These sites include approximately
156,000 active personal accounts, 8,200 access card readers, 6,500 IP-networked
video cameras, and 330 fire panels. In addition, the sites include more than 8,000
other devices, including duress alarms, biometric security systems, and environmental
alarms.
Each GSOC monitors and responds to signal data and event notifications within its
region of the globe. Signal data includes incoming data from all of the equipment
related to physical security access control, monitoring, and communications. The
GSOCs also facilitate communications and dispatch on-site security in response to
events.
Figure 2 maps the GSOC monitoring coverage.
Figure 2. Map of GSOC monitoring coverage
Microsoft developed this security network with the intent of flexibly sharing the
operational workload globally. If an event is large enough to require the attention
of an entire GSOC or if a GSOC becomes inoperable because of a catastrophic event,
the affected GSOC can transfer its operational and technical responsibilities to
another GSOC, which will then assume the control over both regions. This process
is completed through technical and operational load sharing.
Technical Load Sharing
Technical load sharing creates an environment in which every system can be accessed
and operated from any of the GSOCs around the world. Through this universal system,
Microsoft creates an interoperable network that enables the systematic and seamless
transferring of alarm monitoring and integrated access, video monitoring, fire and
life safety systems, RoIP, emergency phone call (911) monitoring, and event notification
and escalation.
Alarm Monitoring and Integrated Access
To monitor all of these sites around the world and provide an interoperable environment,
Microsoft uses Lenel OnGuard. Lenel serves as the primary signal monitoring and
integrated access backbone for the global security infrastructure. The application
uses Microsoft SQL Server 2005 to store and maintain the data that it needs
to manage and monitor the physical security devices throughout the Microsoft infrastructure.
Lenel works seamlessly with more than 23,000 devices globally to give operators
information about alarms and notification of events, from which the operators can
determine a precision response to an event. The information is logic driven. In
other words, the Lenel system can programmatically assess the severity of the information
to automatically determine which information is most urgent.
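The paragraph above describes Lenel's logic-driven severity assessment only in general terms. The following Python block is an added example, not Lenel code or Microsoft configuration, showing how a signal queue can rank incoming events by an assumed severity table so that a fire or duress alarm surfaces ahead of thousands of routine signals, while events of equal severity keep their arrival order. The event kinds, severity ranks and log lines are all constructed for the example.

```python
import heapq
import itertools
from dataclasses import dataclass

# Assumed severity ranks (lower = more urgent). This is an illustrative table,
# not Lenel OnGuard's actual priority scheme.
PRIORITY = {
    "duress":        0,
    "fire":          0,
    "forced_door":   1,
    "door_held":     2,
    "access_denied": 3,
    "maintenance":   4,
    "comm_fail":     4,
}
DEFAULT_PRIORITY = 5   # unknown signal types are never silently dropped


@dataclass(frozen=True)
class Event:
    kind: str
    site: str
    device: str
    ts: int            # seconds since epoch (constructed values below)


class EventQueue:
    """Most severe first; within a severity, oldest first; a sequence counter
    breaks remaining ties so two events never have to be compared directly."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()

    def push(self, ev):
        pri = PRIORITY.get(ev.kind, DEFAULT_PRIORITY)
        heapq.heappush(self._heap, (pri, ev.ts, next(self._seq), ev))

    def pop(self):
        return heapq.heappop(self._heap)[3]

    def __len__(self):
        return len(self._heap)


def parse_line(line):
    """Parse a constructed '<ts> <site> <device> <kind>' signal line."""
    ts, site, device, kind = line.split()
    return Event(kind, site, device, int(ts))


def triage(lines):
    """Return the events in the order an operator console would present them."""
    q = EventQueue()
    for line in lines:
        q.push(parse_line(line))
    return [q.pop() for _ in range(len(q))]


# Constructed signal feed: arrival order is chronological, not by importance.
SAMPLE_FEED = [
    "1210000000 REDMOND-B17 RDR-204 access_denied",
    "1210000005 REDMOND-B17 PANEL-3 maintenance",
    "1210000010 TVP-B2 RDR-011 forced_door",
    "1210000012 HYD-B1 FIRE-07 fire",
    "1210000013 REDMOND-B40 DUR-02 duress",
    "1210000020 REDMOND-B17 RDR-204 access_denied",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_FEED):
        print(PRIORITY.get(ev.kind, DEFAULT_PRIORITY), ev.ts, ev.site, ev.device, ev.kind)
```

Ordering by (severity, timestamp) rather than by timestamp alone is what lets a small on-duty team see the life-safety signal first even when it arrives after a burst of routine maintenance alarms.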
Figure 3 demonstrates how access control is integrated into other elements of the
technical environment. This is a detailed depiction of the relationship between
the systems for physical security card access, the data storage repositories, the
applications and communications servers, and the end-user computers.
Figure 3. Technical overview of integrated access
Video Environment
The security cameras are mapped to devices and access card readers in Lenel to enable
one-click retrieval of live video as notification of events and alarms arrive from
the Lenel system. The GSOC team can remotely tilt and pan many video cameras to
get a panoramic view of the area. Relevant video captures are stored on 500 digital
video recorders (DVRs) that are integrated into the global network infrastructure
to provide Microsoft with viewable archive data. Microsoft is able to modify their
retention practices on a country-by-country basis to support local regulations.
Operators can also retrieve recorded video footage from the DVR to analyze the minutes
leading up to the event to help them identify the cause of the alarm. This robust
viewing environment enables users to view a prior event and forensically identify
who may have been at the scene for later questioning.
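As an added example (not the paper's, Microsoft's or Lenel's code) of the forensic retrieval the two paragraphs above describe, the following Python correlates an alarm at a card reader with the camera mapped to that reader, lists the badge activity at that reader in the minutes before the alarm, and checks whether the footage is still inside an assumed country-specific DVR retention period. Reader names, camera names, retention periods and log entries are all constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed reader -> (camera, country) mapping. The paper says cameras are
# mapped to readers in Lenel; these particular names are hypothetical.
READER_CAMERA = {
    "RDR-204": ("CAM-B17-L1-EAST", "US"),
    "RDR-011": ("CAM-B2-LOBBY", "UK"),
}

# Assumed per-country DVR retention, in days (illustrative, not Microsoft's policy).
RETENTION_DAYS = {"US": 30, "UK": 14}

# Constructed access-control log: "<ISO timestamp> <reader> <card> <result>".
# A "-" card marks a device signal with no card presented (e.g. a forced door).
ACCESS_LOG = """
2008-05-01T08:51:10 RDR-204 C-10443 granted
2008-05-01T08:57:42 RDR-204 C-20917 denied
2008-05-01T08:58:05 RDR-204 C-20917 denied
2008-05-01T08:59:30 RDR-204 C-10443 granted
2008-05-01T09:00:12 RDR-204 - forced_door
2008-05-01T09:00:40 RDR-011 C-33001 granted
2008-05-01T09:20:00 RDR-204 C-55555 granted
""".strip().splitlines()


def parse(line):
    ts, reader, card, result = line.split()
    return datetime.fromisoformat(ts), reader, card, result


def footage_available(country, event_ts, now):
    """True if the DVR for this country should still hold footage from event_ts."""
    return now - event_ts <= timedelta(days=RETENTION_DAYS[country])


def investigate(alarm_reader, alarm_ts, now,
                before=timedelta(minutes=5), after=timedelta(minutes=1)):
    """Build the retrieval package an operator needs: which camera to pull,
    which time window to pull, whether the footage still exists, and who
    badged (or failed to badge) at the reader just before the alarm."""
    camera, country = READER_CAMERA[alarm_reader]
    start, end = alarm_ts - before, alarm_ts + after
    window = [(ts, card, result)
              for ts, reader, card, result in map(parse, ACCESS_LOG)
              if reader == alarm_reader and start <= ts <= end and card != "-"]
    granted = [card for _, card, r in window if r == "granted"]
    denied = [card for _, card, r in window if r == "denied"]
    return {
        "camera": camera,
        "window": (start, end),
        "footage_available": footage_available(country, alarm_ts, now),
        "last_granted": granted[-1] if granted else None,
        "denied_cards": sorted(set(denied)),
        "events_in_window": len(window),
    }


if __name__ == "__main__":
    alarm = datetime(2008, 5, 1, 9, 0, 12)   # the constructed forced_door signal
    for k, v in investigate("RDR-204", alarm, now=datetime(2008, 5, 10)).items():
        print(f"{k}: {v}")
```

The window is anchored on the alarm timestamp from the access-control system, so the operator pulls a few minutes of footage from one known camera instead of scanning hours of video, which is the gain over the tape-based approach described in the Introduction.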
Fire and Life Safety Systems
At Microsoft, fire and life safety systems extend to more than 330 panels, and the
monitoring solution is an Underwriters Laboratories (UL) listed central station.
This certification enables Microsoft to self-monitor fire alarm signals and thereby
reduce overall monitoring costs and quickly support business continuity. The U.S.-based
GSOC monitors the fire sensors and alarms and dispatches local emergency response
as needed for fire events. The system uses several types of hardware but is primarily
based on Radionics panels mapped to Lenel, together with Simplex or Siemens monitoring services.
Radio over IP
Microsoft security requirements call for each GSOC to monitor and manage security
response over very large geographic areas where typical radio frequency (RF) communication
is limited. Global Security extends the reach of RF communications by using RoIP
over robust network services. This capability enables specific monitoring centers
to communicate directly with responders at remote locations without relying on cellular
phone technology. In the Microsoft environment, this functionality enables the regional
center in India to speak directly to a field officer in the United States. Alternatively,
a field officer in the United Kingdom can speak with a field officer at any RF-enabled
facility worldwide. Microsoft uses a standard Motorola solution to deliver RoIP.
911 Monitoring
In the event of a life safety emergency, personnel are directed to call 911, or
their regional public safety number, as the first response. The Redmond GSOC is
notified of all 911 calls occurring from locations on campus and can listen to the
calls as the individuals speak with the 911 center. The GSOC can then validate the
situation, collect valuable information about the event, and dispatch responders
as needed. It also enables the Microsoft response teams to help route and escort
the police or fire teams to the location and provide access to secure facilities.
Event Notification and Escalation
Event notification and escalation is critical to the deployment of a precision response
throughout the Microsoft global environment. Microsoft uses AlertFind as an externally
hosted application and notification service that delivers messaging to people through
multiple devices by using user-specified escalation rules. This application has
persistence in notification, may require acknowledgement, and can be configured
for use over secondary communication lines.
Operational Load Sharing
Operational load sharing refers to the applications that enable all three of the
GSOCs to access and operate any of the other regions at a tactical level. It includes
areas such as consistent policies and procedures, management of critical incidents,
geographic mapping, internal communications, and investigative case management.
Consistent Policies and Procedures
Whereas Lenel is the backbone of technical load sharing at Microsoft, Microsoft
Office SharePoint Server 2007 gives the global organization an operational
backbone. This application enables all of the GSOCs to pull data from the same sources,
yet presents it in a way that is regionally based. Files such as policies and procedures,
points of contact, and training all reside on a SharePoint site that can be accessed
from anywhere. If a GSOC becomes inoperable, another GSOC can easily obtain the
needed information to tactically respond to an event outside its region with little,
if any, downtime. In addition, the SharePoint site is a hub for each operations
environment to access administrative files such as evaluations and time-off requests.
Users can also see their schedules online, even from home.
Critical Incident and Data Management
Microsoft Office InfoPath® 2007 enhances the data management functionality
of Office SharePoint Server 2007. Office InfoPath is an application that enables
a team to create and deploy electronic form solutions to gather information
efficiently and reliably. Microsoft uses the automation of Office InfoPath and Office
SharePoint Server to manage contacts and associated escalations for 670 sites. Office
InfoPath enables users to enter instructions and help text directly on the form
while completely automating the submission and database connection to Office SharePoint
Server. The built-in management and automation of Office SharePoint Server ensures
that the data goes to the appropriate teams and sends updates or follow-up instructions
without requiring an investment in a large amount of administrative effort. Taking
advantage of the synergies of these two applications has reduced administrative
time from months to hours.
All GSOCs currently use Office InfoPath forms for acquiring site-specific data such
as headcount, total square footage, and whether a building is in fire hold or bypass.
In addition, Office InfoPath has become the primary means by which GSOCs compile
and present information related to critical incidents that directly affect Microsoft
sites or staff. This capability gives key security personnel a single source for
accurate, up-to-date information about incidents as they occur, eliminating time
delays and miscommunications.
Geographic Mapping
Microsoft uses Microsoft MapPoint® 2006 business mapping software to geographically
display all site locations around the world. MapPoint also provides site data that
the GSOCs collect through InfoPath and Office SharePoint Server. This mapping helps
determine what sites are within affected areas and other critical information needed
when natural disasters, weather events, or political events occur.
During a high-priority incident, in addition to the relevant video feed being displayed
in the GSOC, Lenel can display building maps with device overlays to help GSOC
personnel track and monitor the event.
Internal Communications
Another tool that the GSOCs rely on to effectively manage the global security infrastructure
is Microsoft Office Communicator 2007. On the surface, Office Communicator
appears to be essentially an enterprise instant messaging (IM) system. However,
using Office Communicator ties together IM, voice, video, online collaboration,
and more and ensures that the interactions between the GSOC personnel are accurate,
self-documented and easily retrievable for case records. Office Communicator also
dramatically increases the speed with which critical information is communicated.
Office Communicator helps the GSOCs be more productive by enabling them to communicate
with each other across different regions of the world and across time zones. By
using Office Communicator, GSOC personnel can identify in real time who is available
in a particular region and communicate instantly. They can also start a phone call,
a video conference call, or a Microsoft Office Live Meeting session with the click
of a mouse. When dealing with individuals who are not currently available, a GSOC
staff member can use Office Communicator to schedule a meeting, or to send another
user an e-mail message or a file attachment.
Investigative Case Management
Microsoft uses a third-party product, PPM 2000 Perspective, running on SQL
Server 2005, to manage all of its investigations and cases around the world.
Perspective is an incident reporting and investigation management application. It
integrates with the Microsoft Office Outlook® 2007 messaging and collaboration
client, and it includes a browser tool. This application provides a common platform
that anyone on the Microsoft network can use to file a report. The familiar and
consistent interface enables Microsoft to maintain global reporting, while still
managing regulatory compliance concerns through regional investigative teams. This
tool takes advantage of the security of SQL Server to maintain the integrity of
some of Global Security's most sensitive data.
Example Scenarios
Through a convergence of information technology and physical security, Microsoft
can provide physical security operations on a global basis more effectively and
efficiently. The following scenarios help to illustrate how the Global Security
team uses technology to provide physical security services at Microsoft.
Interoperability
Through technical and operational load sharing, the network of Global Security Operations
Centers creates an interoperable environment. This environment not only is flexible
in terms of failover and redundancy capabilities, but at the same time can provide
a precision response to any event occurring at any Microsoft location in the world.
During a recent demonstration, the Redmond GSOC simulated a six-hour power failure
in its entire building. Because of this outage, the Redmond GSOC was unable to monitor
its systems and had to load share with the TVP GSOC. In this case, the load sharing
of systems spanned the core technical and operational components mentioned earlier.
The Redmond GSOC initiated the transfer, but the TVP GSOC quickly acquired all of
the regional responsibilities by following a checklist. As part of the systematic
transfer, the TVP GSOC modified its monitoring zone to include the Americas area,
the transfer of fire system monitoring was validated, and all calls were
automatically rerouted to the TVP GSOC. The TVP GSOC confirmed operational transfer
by using RoIP connections. The TVP GSOC began monitoring the Redmond GSOC's region
in addition to its own region—both technically and operationally—within minutes.
Microsoft has designed its solution to literally move from one production environment
to another. The demonstration highlights the simplicity and effectiveness of the
load sharing between GSOCs. Traditional failover systems for physical security typically
include a significant delay because backup systems require startup sequences before
they go online. However, at Microsoft, because each GSOC can receive all global
signal data, and personnel are cross-trained to handle different roles, the only
time required for failover in the event of a catastrophe is the time to assign personnel
to monitor the data.
In addition, the monitoring stations for physical security have been developed with
mobility in mind. The personnel in a GSOC can move their operations simply by taking
their laptops to another building that has access to the Microsoft corporate network
if the two other GSOCs cannot acquire the region's responsibilities.
Automated Event Monitoring by Priority
The GSOCs are each staffed for 24/7 operation, but the team on duty at any given
time is relatively small and not capable of acknowledging, assessing, communicating,
and coordinating a response to thousands of simultaneous events sequentially as
they occur.
Microsoft implemented business rules to prioritize the monitoring feeds and ensure
that the GSOC personnel see the most urgent event notifications, or the events that
might have the greatest impact on Microsoft assets. Rather than relying on the GSOC
team to monitor and analyze every signal in order to assess and prioritize feeds,
the system automatically prioritizes and presents the feeds. For example, a duress
or fire alarm will jump to the top of the queue. It will also instantly and automatically
enable other aspects of the infrastructure for physical security, such as displaying
the video feed and other relevant information (including maps and floor plans) from
the site or area in question. The GSOC team can then understand the nature and extent
of the threat and respond accordingly. In addition to the operational signal load
(the volume of alerts, alarms, and other event notifications flowing into the GSOC),
a significant amount of maintenance load is rerouted for later follow-up by the
appropriate individuals when devices go offline.
Although the highest-priority incidents receive the most urgent attention, the GSOCs
receive and analyze other alerts and alarms as time permits to ensure that they
address all issues, and not just the urgent incidents.
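The prioritization rules described above, as an added example that is not code from the white paper: life-safety events (duress, fire) go to the head of the operational queue and auto-open site context, while offline-device signals are diverted to a maintenance backlog. The event types, priority values and sample feed are constructed for illustration.

```python
"""Priority-based triage of security events for a GSOC (added example).

Event types, priority values and the sample feed are constructed, not
Microsoft's real business rules.
"""
from dataclasses import dataclass
from heapq import heappop, heappush
from itertools import count
from typing import List, Optional

# Business rules: lower number = more urgent; life-safety events go first.
PRIORITY = {"duress": 0, "fire": 0, "intrusion": 1, "door_forced": 1,
            "door_held_open": 2, "access_denied": 3}
DEFAULT_PRIORITY = 5                      # unknown types land mid-queue
MAINTENANCE_TYPES = {"device_offline"}    # rerouted to the SST, not operators


@dataclass
class Event:
    event_type: str
    site: str
    device: str


class GsocTriage:
    """Operational heap ordered by priority, then arrival; plus a backlog."""

    def __init__(self) -> None:
        self._ops: list = []                # heap of (priority, seq, Event)
        self.maintenance: List[Event] = []  # offline devices, later follow-up
        self._seq = count()                 # unique tie-breaker for the heap

    def ingest(self, event: Event) -> None:
        if event.event_type in MAINTENANCE_TYPES:
            self.maintenance.append(event)  # not shown to the operator now
            return
        prio = PRIORITY.get(event.event_type, DEFAULT_PRIORITY)
        heappush(self._ops, (prio, next(self._seq), event))

    def next_operational(self) -> Optional[Event]:
        """Pop the event the operator should handle next."""
        return heappop(self._ops)[2] if self._ops else None

    def operational_order(self) -> List[str]:
        """Event types in presentation order, without consuming the queue."""
        return [e.event_type for _, _, e in sorted(self._ops, key=lambda t: t[:2])]

    @staticmethod
    def context_for(event: Event) -> dict:
        """A priority-0 alarm auto-opens the camera feed and floor plan.
        The identifiers are constructed placeholders for real site assets."""
        urgent = PRIORITY.get(event.event_type, DEFAULT_PRIORITY) == 0
        return {"video": f"cam:{event.site}:{event.device}",
                "floor_plan": f"plan:{event.site}", "auto_display": urgent}


# Constructed sample feed, deliberately not in priority order.
SAMPLE_FEED = [
    Event("access_denied", "REDMOND-17", "door-102"),
    Event("device_offline", "DUBLIN-3", "reader-7"),
    Event("door_held_open", "REDMOND-17", "door-110"),
    Event("fire", "TVP-2", "panel-1"),
    Event("access_denied", "TVP-2", "door-9"),
    Event("duress", "REDMOND-17", "lobby-desk"),
]


def triage_sample() -> GsocTriage:
    """Feed the constructed sample through the triage rules."""
    triage = GsocTriage()
    for event in SAMPLE_FEED:
        triage.ingest(event)
    return triage
```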
Precision Response
Monitoring alarms and events, and responding to them, is at the core of the GSOC
operations. A GSOC receives alarms and events in five ways:
- Receives e-mail, phone calls, and walk-ins
- Monitors subscription news services
- Receives event notifications from the physical access control systems and fire alarm
systems
- Hears 911 calls as they are made to the local 911 call center
- Receives information from security officers via radios and cellular phones
The following example of a monitoring and response scenario highlights how Microsoft
integrates its technologies for processing alarms and events to enable a precision
response:
A GSOC receives a call from an individual who is concerned about a stranger who
is acting suspiciously. The GSOC Communications Center sends the information to
monitoring personnel and the dispatcher in the GSOC via Office Communicator 2007.
The monitoring personnel then examine building maps and video on any of the cameras
near the event location. By using pan, tilt, and zoom functionality, the monitoring
personnel can follow events instead of being limited to a traditional fixed view.
In this case, the monitoring personnel determine that the threat is actually from
a group of individuals rather than one person. While the monitoring personnel are
making this assessment, they are sending instant messages to the dispatcher about
the nature of the event. The dispatcher provides an appropriate response to the
location based on the seriousness of the event and calls the local police department
to inform it about the situation. After dispatch has occurred, the monitoring personnel
continue to view the video feeds to provide the dispatcher and local law enforcement
with accurate real-time data of the event.
It should be noted that each workstation in the GSOC can perform all functions.
Therefore, if needed, the monitoring personnel can take over dispatch functions,
and vice versa, enabling individuals to focus on an event while others temporarily
cover other functions in the GSOC.
Using Microsoft technologies like Office Communicator improves the efficiency of
the GSOC and the accuracy of case management files. All information for case management
summaries is pulled directly from the IM logs and represents actual communications
that occurred. This capability eliminates the need to re-create or remember what
happened during an event.
Currently, most of the incoming traffic is handled through Office Outlook 2007
and Office Communicator 2007. Microsoft is always looking for ways to implement
new Microsoft products as enablers for the business; to that end, Global Security
plans to implement Microsoft Dynamics® CRM to track incoming messages and requests
in the future.
Remote Monitoring and Event Management
The environment of technical and operational load sharing also enables the three
GSOCs to monitor other sites in their region and to remotely dispatch personnel.
During business hours, local campuses monitor themselves, saving on monitoring costs.
But during off-peak times, they transfer controls to the GSOC within their region.
This system not only provides a staffing savings to Microsoft, but also provides
on-site security for locations with the greatest need during the day.
In cases such as the example described earlier, the regional GSOC reacts as if the
situation is happening on the local campus. By using the SharePoint site, the GSOC
personnel can access local points of contact and escalation plans. The difference
in this case is that they dispatch precision responses to suspicious people in a
building through RoIP and through coordination with law enforcement agencies local
to the event.
Storage and Sharing of Personal Data
One of the key aspects of physical security convergence with IT is that data is
collected once about the individuals with access to Microsoft physical assets and
used in multiple downstream systems as needed. A data warehouse maintains the integrity
of the source security data.
During the initial process of adding a new user to the Microsoft network, information
to identify and contact users is retained, including photographs, access levels,
and other contact information. This information can be shared with applications
like Office SharePoint Server 2007 or the products in the 2007 Microsoft Office
system, as well as other enterprise systems. The access control system also correlates
access control accounts with cardholders and allows for their use in downstream
systems, like Point of Sale (POS) for paying by card key (an emerging technology
to enable employees to link their access card with their financial accounts and
use it for purchases within Microsoft), time tracking, and attendance metrics for
training and events.
To use the personal data while protecting it from unauthorized or inappropriate
use, Microsoft does not allow any party to directly access the source data. A subscription
data warehouse acts as an intermediary between the security-enhanced repository
for personal data and the external application or service that needs the data. The
subscriber receives only the data that has been requested and that is allowed by
Microsoft policy and regulatory compliance.
This system allows external applications and groups to use a common platform of
tools and processes to access, work with, and manipulate the personal data in a
variety of ways while maintaining the integrity of the original personal data stored
in the security-enhanced repository. The system also eliminates the need to add
more interfaces directly to the security system platform.
Enterprise Maintenance
All of the security hardware used throughout the enterprise requires regular service
and maintenance to help ensure that it remains functional. Microsoft recognized
the need to establish a scalable process for maintaining the infrastructure for
physical security throughout the global enterprise. It was also important to manage
the readiness of all devices and to set downtime expectations for the GSOC personnel.
The Security System Team (SST) at Microsoft manages the maintenance and repair of
the remote peripheral devices that make up the backbone of the infrastructure for
physical security. As shown in Figure 4, the members of the SST can use their computers
to remotely triage the peripheral security devices. After assessing and troubleshooting
malfunctioning equipment, the SST either resolves the situation remotely, escalates
to Microsoft IT if appropriate, or dispatches the issue to on-site personnel if
necessary.
Figure 4. Maintaining the physical security infrastructure
The various devices that make up the infrastructure for physical security require
periodic patches and updates to keep them running smoothly. The Microsoft SST manages
and maintains the equipment remotely by using Microsoft tools such as Terminal Server
and Remote Desktop. From wherever they are sitting in the world, the members of
the SST can connect with the equipment located at the remote sites as if they are
in the remote location. After establishing the connection, they can access the necessary
software, management consoles, and Web sites to acquire and install any relevant
software updates and implement any required firmware upgrades.
With thousands of access card readers, IP-based video cameras, DVRs, and other devices
spread over hundreds of sites around the world, on-site support or travel to sites
is costly and impractical. The ability to remotely support the devices saves Microsoft
substantially on support costs.
Provisioning Life Cycle
In a traditional solution for physical access security, the process of creating
new accounts, granting and maintaining user rights, and revoking accounts when the
access is no longer valid is both manual and separate from other HR and IT account-creation
processes. These limitations make the process cumbersome to manage, and they
often cause data-accuracy errors and delays in the setup or removal of user rights,
so that user rights can remain in place long after an employee has been removed
from the other HR and IT systems.
Converging physical security with information technology helps Microsoft solve these
problems. Microsoft ties the process of creating, maintaining, and revoking physical
access accounts and user rights into the setup and termination infrastructure.
Microsoft developed an efficient system for creating network accounts and issuing
physical access cards. The Microsoft system uses existing information, rather than
collecting the same data repeatedly, to create the accounts as part of the process
that adds the user to the HR system.
When a manager hires a new employee, he or she adds the initial information into
SAP via HeadTrax. HeadTrax is an internal HR system that is built on .NET and that
ties together HR and SAP systems.
Through an application called ACCMAN, user accounts are automatically added to the
Active Directory® infrastructure where network access credentials are managed.
This new account information is extracted from a data warehouse that is updated
daily. In the same manner, the Lenel physical access control system creates new
accounts and updates relevant data from the HR system by using the data warehouse.
Just as with the creation and maintenance of user rights for physical security,
the process of revoking access is automated within Microsoft. HR is the catalyst
for this process as well. As a manager makes changes to the status of a given employee
or contractor within the HR system, the changes are automatically propagated to
Active Directory and physical access control systems.
Figure 5 illustrates the process for creating or revoking user credentials.
Figure 5. Overview of flow of information for creating or revoking user credentials
This relation of user rights for physical security to the user's role and status
in the HR system improves the efficiency of account creation, maintenance, and revocation.
It also has the benefit of strengthening the security and compliance of Microsoft
overall by helping to facilitate the concept of least privileged access. Users are
granted only the user rights that they need while they need them, and those user
rights are automatically revoked when no longer necessary.
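The two mechanisms described above, the subscription data warehouse (Storage and Sharing of Personal Data) and HR-driven creation and revocation of physical access (Provisioning Life Cycle), as one added example that is not code from the white paper or from Microsoft's systems. The HR records, subscription policy, role entitlements and access-control state are all constructed; the point is that the downstream system receives only its approved fields, and that a terminated or orphaned cardholder is revoked on the next sync.

```python
"""HR-driven provisioning and revocation of physical access (added example).

HR is the source of truth; a subscription view releases only approved
fields to each downstream system; the access-control state is then
reconciled against that feed. All records and policies are constructed.
"""
from typing import Dict, List, Set

# Source HR records (constructed). "salary" stands in for a field that
# must never reach downstream systems.
HR_RECORDS = [
    {"person_id": "p001", "name": "Ana Ruiz", "status": "active",
     "role": "engineer", "site": "REDMOND", "salary": 1},
    {"person_id": "p002", "name": "Ben Okoro", "status": "terminated",
     "role": "engineer", "site": "TVP", "salary": 1},
    {"person_id": "p003", "name": "Cai Lin", "status": "active",
     "role": "contractor", "site": "DUBLIN", "salary": 1},
]

# Subscription policy: each downstream system sees only approved fields.
SUBSCRIPTIONS: Dict[str, Set[str]] = {
    "physical_access": {"person_id", "name", "status", "role", "site"},
    "attendance": {"person_id", "name", "site"},
}

# Role -> access levels a person in that role is entitled to (constructed).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"lobby", "labs"},
    "contractor": {"lobby"},
}


def subscribe(system: str, records: List[dict]) -> List[dict]:
    """Warehouse view: project each record onto the subscriber's allowed
    fields. An unknown subscriber gets nothing rather than everything."""
    allowed = SUBSCRIPTIONS.get(system, set())
    return [{k: v for k, v in r.items() if k in allowed} for r in records]


def desired_access(feed: List[dict]) -> Dict[str, Set[str]]:
    """Access each person should hold now: active people get their role's
    levels; anyone not active gets none (least privilege)."""
    return {r["person_id"]: (ENTITLEMENTS.get(r["role"], set())
                             if r["status"] == "active" else set())
            for r in feed}


def reconcile(current: Dict[str, Set[str]],
              desired: Dict[str, Set[str]]) -> dict:
    """Diff the access-control system against HR-derived state. A cardholder
    present in the ACS but absent from HR is treated as a leaver and revoked."""
    grant: Dict[str, Set[str]] = {}
    revoke: Dict[str, Set[str]] = {}
    for pid in set(current) | set(desired):
        have, want = current.get(pid, set()), desired.get(pid, set())
        if want - have:
            grant[pid] = want - have
        if have - want:
            revoke[pid] = have - want
    return {"grant": grant, "revoke": revoke}


# Constructed state of the access-control system before the sync.
CURRENT_ACS: Dict[str, Set[str]] = {
    "p001": {"lobby"},            # active engineer still missing "labs"
    "p002": {"lobby", "labs"},    # terminated in HR but still badged
    "p999": {"lobby"},            # no HR record at all: orphaned badge
}


def run_sync() -> dict:
    """One provisioning pass: subscribe, derive desired state, reconcile."""
    feed = subscribe("physical_access", HR_RECORDS)
    return reconcile(CURRENT_ACS, desired_access(feed))
```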
Business Benefits
Microsoft has experienced a variety of benefits from merging physical security with
IT, including the ability to automate many functions and the increased ability to
use monitoring technologies in forensic investigations. However, four benefits that
have affected Microsoft the most are that the company has saved money, the security
of the organization is improved, the security operations are scalable to meet growth
needs, and there is more consistent and reliable delivery of security throughout
the organization.
Reduced Costs
Centralized monitoring and management of physical security results in less need
for on-site personnel, reducing licensing costs for hardware and software. Taking
advantage of off-the-shelf Microsoft applications provides added value through product
familiarity and integration, and centralized training enables Microsoft to deliver
consistent training efficiently around the world. The net result has been compelling.
In Europe alone, Microsoft estimates a cost savings of almost $4.4 million (USD)
over the next three years.
Using equipment that connects to and communicates over the existing IP network infrastructure
greatly reduces the expense involved with deploying equipment or establishing entirely
new sites. In addition, the automation and efficiency provided by IT enables Microsoft
to monitor the infrastructure for physical security around the world from the three
regional GSOCs, eliminating much of the need for costly outsourced, third-party
personnel. By implementing and monitoring its own UL-compliant fire alarm system,
Microsoft also saves a significant amount of money over the cost of contracting
that function out.
Improved Security
Using IT tools and technologies, particularly off-the-shelf software applications,
enables Microsoft to deliver physical security more effectively than it could with
traditional methods. The integration of physical security and information technology
systems also provides a more direct and immediate link between the role and status
of an individual within the organization and his or her ability to access specific
sites or locations.
Using the enterprise network and IP-based camera systems enables more sites to be
monitored with fewer on-site personnel. Storing the recorded video data on DVRs
allows for more efficient review of video feeds and helps the Global Security team
operate more efficiently.
Scalability and Extensibility
Microsoft can quickly and cost-effectively scale its security needs as growth demands.
With the core infrastructure in place, bringing additional sites online is relatively
simple.
Traditionally, Microsoft had to procure and implement new or separate systems for
building alarms, physical access control, fire monitoring and alarms, closed-circuit
cameras and recorders, and other systems, as well as having to hire or contract
personnel to guard and manage the new site. Although some additional access control,
alarm, and camera equipment is still necessary, the convergence of physical security
with IT—along with the central monitoring and response that the GSOCs provide—means
that Microsoft does not need to start from scratch at each new site. The incremental
increase to the existing infrastructure today is significantly less than with the
old approach to physical security.
Additional personnel may be required to handle the monitoring and response for the
increased signal load that adding more sites creates. Managing the monitoring from
centralized security operations centers enables the organization to better balance
scheduling needs and training and ensures that additional resources can be added
as necessary.
Continuity of Service
With regional security operations centers that are each capable of receiving and
monitoring signals from the entire enterprise, the Global Security team can provide
consistent service levels—even if a significant event causes a temporary spike in
security events, or if an entire operations center goes offline.
By using centralized policies and procedures, in addition to consistent training
materials, the Global Security team can also ensure that the organization will receive
the same service, delivered in the same manner, regardless of which regional operations
center is monitoring and responding to the security events.
Conclusion
Microsoft is a large enterprise with sites that span the globe. The processes of
providing and monitoring access to physical sites and responding to events were
cumbersome and costly in the past. Seeking to improve its global physical security
operations, Microsoft has incorporated information technology into its strategy
for physical security with compelling results.
To produce the strategic convergence of information technology with physical security,
Microsoft used nine essential principles to ensure that the result was comprehensive
and effective. The strategy for physical security also considers the needs of the
business and supports or complements business processes rather than hindering them.
The Microsoft approach uses off-the-shelf applications, and uses Microsoft products
wherever possible, to facilitate global security monitoring and communications.
The resulting infrastructure for physical security can efficiently monitor and respond
to events throughout the Microsoft global enterprise from three regional operations
centers. The solution that Microsoft developed has improved security while reducing
costs, and it can serve as an example for other organizations that want to develop
their own security solutions.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information
Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact
your local Microsoft subsidiary. To access information through the World Wide Web,
go to:
http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy
of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced,
stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing
of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, InfoPath, MapPoint, Microsoft Dynamics, Outlook, SharePoint,
and SQL Server are either registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries.
All other trademarks are property of their respective owners.