EXECUTIVE SUMMARY. Situation

Transcription

1 Mi c r os of tgl obalsec ur i t y Mi cr osof tgl obalsecur i t yshowcase Physi calsecur i t yatmi cr osof t Taki ngadvant ageofst r at egi ci TConver gence Techni calwhi t epaper Publ i shed:apr i l2009

2

3 Situation Implementing and monitoring physical security for an enterprise the size of Microsoft can be cumbersome and expensive. Traditional approaches to physical security are inefficient and difficult to manage effectively on a global scale. Solution By building a strategy for physical security that relies on standard offthe-shelf products and the existing IP networking infrastructure, Microsoft has been able to realize substantial cost savings, improved security, and other significant benefits. Benefits Cost savings Improved security Scalability and extensibility Continuity of service Products & Technologies Office SharePoint Server 2007 (Portal) Office InfoPath 2007 (Electronic Forms) Office Communicator 2007 (Enterprise Communications) Office Groove 2007 (Offline Sync / Remote Collaboration) Virtual Earth (Geospatial Mapping) Office System 2007 (Productivity) SQL Server 2005 (Database) Identity Integration Server (Identity Integration) Remote Desktop and Terminal Services(Remote Access) EXECUTIVE SUMMARY A comprehensive security program for an organization includes both the physical security of facilities, such as restricting access to buildings and monitoring alarm systems for fire or break-ins, and the logical security of IT resources, such as restricting access to sensitive data and monitoring network traffic for signs of suspicious or malicious activity. At Microsoft, the strategy for developing the processes and solutions that help provide physical security includes a partnership between the internal Global Security and Microsoft Information Technology (Microsoft IT) teams. This partnership takes advantage of the available technology and technical resources to provide a scalable system for life safety and facility monitoring that can be managed from virtually anywhere in the world. Through the establishment of three regional Global Security Operations Centers (GSOCs) and the strategic deployment of security systems, the Global Security team is improving the way it protects Microsoft assets, information, and employees. By aligning physical security drivers and IT delivery mechanisms, the team can produce an environment where physical security and IT complement each other rather than compete with each other. Microsoft encompasses more than 700 sites globally. The Global Security team must protect resources at those sites. This task includes monitoring more than 27,000 pieces of hardware: card readers for physical access, cameras, fire panels, environmental alarms, biometric security systems, duress alarms, and additional devices and sensors. Global Security must also manage more than 185,000 active holders of access cards and more than 30 million system events each month (for example, users who have misplaced their access cards, maintenance alarms, unauthorized access, building fires, or natural disasters). With an enterprise as large as Microsoft, monitoring and protecting assets around the world is a challenge. The traditional security strategies were too cumbersome and costly to be effective. Microsoft developed the convergence of physical security infrastructure with IT practices by using off-the-shelf software applications wherever possible, to create a more streamlined, efficient, and cost-effective security solution. This paper is for business and technical decision makers who are interested in learning how Microsoft uses the IT organization, Microsoft technology and products, and third-party resources to provide physical security services to Microsoft personnel and locations worldwide. Many of the principles and techniques that this paper describes can be employed to manage physical security within any organization. However, this paper is based on Microsoft experience and recommendations, and it is not intended to serve as a procedural guide. Each enterprise environment has unique circumstances; therefore, each organization should adapt the plans and lessons learned described in this paper to meet its specific needs. Note: For security reasons, the sample names of internal resources and organizations used in this paper do not represent real names used within Microsoft and are for illustration purposes only. Physical Security at Microsoft Page 3

4 KEY CHALLENGES IN MICROSOFT PHYSICAL SECURITY OPERATIONS Physical Security Operations are very important to Microsoft. Responsible for a large global organization with 700 sites and more than 180,000 employees and other personnel, the key challenge for Microsoft Global Security is to provide a safe and secure environment at a reduced cost and improving productivity by using a solution that is scalable and extensible The Physical security operations at Microsoft had historically been built on traditional physical security strategies. Closed circuit television (CCTV) cameras existed at each location and fed to traditional video recording equipment. The tapes in these video recorders had to be constantly changed as they filled up, and they had to be securely archived. Attempting to access the video data required sorting through hundreds or thousands of tapes, and then scanning them in a linear fashion to find a specific point in time. Without centralized monitoring facilities and the IT infrastructure to support the security model, each site required more personnel on site to monitor and respond to alarms. In addition, contracting the monitoring and response of the fire alarm system also represented a substantial ongoing expense. Finally, the 60 different proprietary hardware and software products used were not scalable, extensible nor easily supported by the existing IT organization. Physical Security at Microsoft Page 4

5 MICROSOFT SOLUTION FOR PHYSICAL SECURITY Microsoft built its converged approach to physical security on a foundation of information technology. Using standard, off-the-shelf software applications and the existing global IP networking infrastructure provides the keystone for the success of the solution. Taking advantage of the IT infrastructure within the Microsoft environment enables Microsoft to monitor its entire enterprise from centralized locations, and still respond or dispatch personnel wherever they are needed throughout the world. Approaching security as a unified initiative enables Microsoft to monitor and protect more assets by using fewer resources. Global centers for security monitoring can deliver total interoperability, including failover capabilities as necessary. To effectively monitor and protect its resources, Microsoft built its solution on ten essential design principles to provide a layered security model. The design principles, which are discussed in detail in the "Developing a Convergence Strategy" section later in this document, helped the architects of the strategy for physical security to find a balance between providing security for the infrastructure and enabling business functions. Ultimately, the goal of the system of monitoring physical security is to extend human senses to the extent possible via technology, in order to simulate or predict a ubiquitous presence and allow for timely mitigation. IP, low-light, and infrared cameras simulate sight. Motion sensors and proximity/barrier sensor alarms simulate touch. Audio sensors that detect anomalous noises or spikes in background volume simulate hearing. Using IT mechanisms to extend these senses around the world helps satisfy the mandate of physical security without necessitating the deployment of a static physical presence at every location. By using a variety of Microsoft technologies and some third-party technologies, the Global Security team can monitor sites around the world and direct a precision response that is appropriate to the event. The sensor data and information at the team's disposal enables it to quickly analyze and understand the impact of an event, and to engage the appropriate onsite resources when necessary. Physical Security at Microsoft Page 5

6 CONVERGENCE STRATEGY Microsoft based its initiative of converged physical security on a design philosophy that included a strategy for managing physical access to Microsoft resources and the Weighted Business Model. The Weighted Business Model (illustrated in Figure 1) incorporates the balance between technology, monitoring, and response, and the administration of all three. Figure 1. Graphic depiction of the components of the Weighted Business Model The Weighted Business Model helped Global Security understand and define the key components of physical security and their relationship with each other. This understanding enabled the team to implement an effective and efficient strategy. Another key component of the success of the initiative for converged physical security is the cooperation of different departments and teams within Microsoft. A fundamental part of this cooperation is establishing relationships and expectations between the various entities. The Global Security team understands that the success of any project in a corporate environment depends on support from senior and executive management. Global Security has worked diligently to ensure that senior management understands and supports the goals of the strategy for physical security. Analyzing the functions of the organization, and understanding the benefits and pitfalls of different approaches, assisted Global Security in developing physical security objectives to meet the unique needs of the business across all regions. To produce its physical security design, Microsoft managers agreed to a basic set of design principles and continually used them as the touchstone for new decisions. This enabled them to maintain the integrity of their design and not be distracted by the latest state-of-the-art of technology. The following design principles represent the business parameters and functional design elements that Microsoft focused on: Deterrence value Security measures must strike a balance between security and functionality. Part of the strength of that balance is in creating the awareness that physical security exists, so the attempt is to place the security measures strategically and make them conspicuous. By simply making people aware of monitoring devices and other physical security measures helps to deter theft or trespass. Remote monitoring Monitoring security systems from a remote location provides the ability to centralize the administration and response. One of the benefits of integrating physical security with Physical Security at Microsoft Page 6

7 information technology is the ability to use a smaller, centralized team of individuals to monitor and respond to events throughout an entire region. Event-based response and signal prioritization ensure that the most important events receive immediate attention, and they help facilitate continuity of response throughout the enterprise. Microsoft also takes advantage of remote functionality to maintain and troubleshoot the physical security equipment over the network. Precision response Closely related to remote monitoring, the solution must provide for precision response. If the design philosophy calls for remote monitoring from a central location, it also must ensure that the proper resources can be dispatched on site in a timely manner when an event is detected. By using the tilt and pan functionality of the IP cameras, and correlating information by using other technologies, Microsoft can remotely assess incidents and dispatch an appropriate response. Off-the-shelf infrastructure By using standard off-the-shelf hardware and software, the Global Security team made a conscious decision to adapt its processes to the infrastructure and not the other way around. The use of off-the-shelf products reduces the costs of both implementation and maintenance while increasing continuity and efficiency in delivery because Microsoft can apply standard training and support services. By establishing long-term relationships with key vendors to build into their products new, standard features and functions according to business priority, Global Security improves longevity of the product life cycle while still acquiring must-have requirements over time. Use of Microsoft and partner products Wherever possible, the design of physical security relies on Microsoft products. Microsoft analyzed its different tools and applications and used them to deliver much of the core technology of the solution for physical security. As new Microsoft products are developed, they are evaluated to determine what role or impact they might have within the strategy for physical security. The third-party products that Microsoft uses in its strategy for physical security are built on Microsoft technologies such as Microsoft SQL Server database software, Microsoft.NET, and Microsoft SharePoint Products and Technologies. Remotely managed IP devices Microsoft uses the existing global IP network to handle rapid changes in hardware and to achieve faster and more cost-effective scalability. Microsoft can deploy security devices, like IP cameras and card readers for physical access, more efficiently because installation is less likely to require additional proprietary components or a separate cabling or communications network. Using IP-based edge devices also enhances the ability to monitor and maintain the equipment at Microsoft. Defense in depth Defense in depth provides for multiple layers of security at a facility that is appropriate to asset risk. The foundation of the concept is that requiring additional security controls, or layers, along with an approach to protect critical assets, develops a mechanism to systematically delay, effectively intervene, and mitigate against risks. A threat that infiltrates one layer is detected at another layer, giving Microsoft multiple opportunities to detect and respond to an event. Defense in depth for physical security begins with designing facilities with the strategy for physical security in mind, and it considers property boundaries, building approach, parking areas, ingress and egress points of a building, and flow of human traffic through the building. It also includes the physical Physical Security at Microsoft Page 7

8 security devices, like access card readers that grant or prevent access and log activity at facility entry points, biometric authentication, camera systems, hardened construction, and other discreet sensors that monitor specific areas. All of these functions combined provide a layered defense strategy in protection of Microsoft resources. Forensics/investigative model A critical component of the design philosophy is to ensure that video data, access logs, and other pertinent information are properly captured and stored for investigation if a physical security incident occurs. The Global Security team must be able to retrieve and analyze monitoring data and log information in order to determine when and how an event occurred, or the identify of relevant persons if necessary. Reliability An infrastructure must be reliable and work when needed. Leading edge technologies may promise additional functionality but can be a hindrance if they do not have a consistent expectation of availability. Microsoft evaluates all new technologies against this core ability to provide a consistent level of expected uptime. Sustainability Sustainability is the ease of which a new infrastructure or device can be maintained and supported. As the environment increase in size and complexity this element is crucial to keep support costs low. Physical Security at Microsoft Page 8

9 BUSINESS BENEFITS Microsoft has experienced a variety of benefits from merging physical security with IT, including the ability to automate many functions and increased ability to use monitoring technologies in forensic investigations. However, four benefits have affected Microsoft the most: cost savings, improved security, scalability & extensibility, and business continuity which help provide more consistent and reliable delivery of security throughout the organization. Reduced Costs Centralized monitoring and management of physical security results in less need for on-site personnel, reducing licensing costs for hardware and software. Taking advantage of off-theshelf Microsoft applications provides added value through product familiarity and integration, and centralized training enables Microsoft to deliver consistent training efficiently around the world. The net result has been compelling. In Europe alone, Microsoft estimates a cost savings of almost $4.4 million (USD) over the next three years. Using equipment that connects to and communicates over the existing IP network infrastructure greatly reduces the expense involved with deploying equipment or establishing entirely new sites. In addition, the automation and efficiency provided by IT enables Microsoft to monitor the infrastructure for physical security around the world from the three regional GSOCs, eliminating much of the need for costly outsourced, third-party personnel. By implementing and monitoring its own UL-compliant fire alarm system, Microsoft also saves a significant amount of money over the cost of contracting that function out. Improved Security Using IT tools and technologies, particularly off-the-shelf software applications, enables Microsoft to deliver physical security more effectively than it could with traditional methods. The integration of physical security and information technology systems also provides a more direct and immediate link between the role and status of an individual within the organization and his or her ability to access specific sites or locations. Using the enterprise network and IP-based camera systems enables more sites to be monitored with fewer on-site personnel. Storing the recorded video data on DVRs allows for more efficient review of video feeds and helps the Global Security team operate more efficiently. Scalability & Extensibility Microsoft can quickly and cost-effectively scale its security needs as growth demands. With the core infrastructure in place, bringing additional sites online is relatively simple. Traditionally, Microsoft had to procure and implement new or separate systems for building alarms, physical access control, fire monitoring and alarms, closed-circuit cameras and recorders, and other systems, as well as having to hire or contract personnel to guard and manage the new site. Although some additional access control, alarm, and camera equipment is still necessary, the convergence of physical security with IT along with the central monitoring and response that the GSOCs provide means that Microsoft does not need to start from scratch at each new site. The incremental increase to the existing infrastructure today is significantly less than with the old approach to physical security. Additional personnel may be required to handle the monitoring and response for the increased signal load that adding more sites creates. Managing the monitoring from Physical Security at Microsoft Page 9

10 centralized security operations centers enables the organization to better balance scheduling needs and training and ensures that additional resources can be added as necessary. Business Continuity With regional security operations centers that are each capable of receiving and monitoring signals from the entire enterprise, the Global Security team can provide consistent service levels even if a significant event causes a temporary spike in security events, or if an entire operations center goes offline. By using centralized policies and procedures, in addition to consistent training materials, the Global Security team can also ensure that the organization will receive the same service, delivered in the same manner, regardless of which regional operations center is monitoring and responding to the security events. Physical Security at Microsoft Page 10

11 SECURITY OPERATIONS CENTERS Microsoft has three Global Security Operations Centers (GSOCs) that monitor security for all Microsoft assets on a regional basis. The primary GSOC is in Redmond, Washington. The Redmond GSOC establishes standard processes and procedures for the global infrastructure, so Microsoft classifies it as a Tier 1 facility. The other regional GSOCs the Tier 2 facilities are in Thames Valley Park (TVP), United Kingdom, and Hyderabad, India. Finally, 15 local Tier 3 facilities, called Campus Security Operations Centers, monitor their locations during business hours only and are monitored by Tier 1 or 2 operations centers after hours. All of the facilities share the same technical infrastructure, allowing management to make business decisions to cost effectively add or consolidate centers as needed. The GSOCs monitor more than 700 physical sites worldwide. These sites include approximately 185,000 active personal accounts, 10,250 access card readers, 8,500 IPnetworked video cameras, and 330 fire panels. In addition, the sites include more than 8,000 other devices, including duress alarms, biometric security systems, and environmental alarms. Each GSOC monitors and responds to signal data and event notifications within its region of the globe. Signal data includes incoming data from all of the equipment related to physical security access control, monitoring, and communications. The GSOCs also facilitate communications and dispatch on-site security in response to events. Figure 2 maps the GSOC monitoring coverage. Figure 2. Map of GSOC monitoring coverage Microsoft developed this security network with the intent of flexibly sharing the operational workload globally. If an event is large enough to require the attention of an entire GSOC or if a GSOC becomes inoperable because of a catastrophic event, the affected GSOC can transfer its operational and technical responsibilities to another GSOC, which will then assume the control over both regions. This process is completed through technical and operational load sharing. Physical Security at Microsoft Page 11

12 Technical Load Sharing Technical load sharing creates an environment in which every system can be accessed and operated from any of the GSOCs around the world. Through this universal system, Microsoft creates an interoperable network that enables the systematic and seamless transferring of alarm monitoring and integrated access, video monitoring, fire and life safety systems, Radio over IP (RoIP), emergency phone call (911) monitoring, and event notification and escalation. Alarm Monitoring and Integrated Access To monitor all of these sites around the world and provide an interoperable environment, Microsoft uses Lenel OnGuard. Lenel serves as the primary signal monitoring and integrated access backbone for the global security infrastructure. The application uses Microsoft SQL Server 2005 to store and maintain the data that it needs to manage and monitor the physical security devices throughout the Microsoft infrastructure. Lenel works seamlessly with more than 27,000 devices globally to give operators information about alarms and notification of events, from which the operators can determine a precision response to an event. The information is logic driven. In other words, the Lenel system can programmatically assess the severity of the information to automatically determine which information is most urgent. Figure 3 demonstrates how access control is integrated into other elements of the technical environment. This is a detailed depiction of the relationship between the systems for physical security card access, the data storage repositories, the applications and communications servers, and the end-user computers. Video Environment Figure 3. Technical overview of integrated access The security cameras are mapped to devices and access card readers in Lenel to enable one-click retrieval of live video as notification of events and alarms arrive from the Lenel system. The GSOC team can remotely tilt and pan many video cameras to get a panoramic view of the area. Relevant video captures are stored on 750 digital video recorders (DVRs) Physical Security at Microsoft Page 12

13 and network video recorders (NVRs) that are integrated into the global network infrastructure to provide Microsoft with viewable archive data. Microsoft is able to modify their retention practices on a country-by-country basis to support local regulations. Operators can also retrieve recorded video footage from the DVR to analyze the minutes leading up to the event to help them identify the cause of the alarm. This robust viewing environment enables users to view a prior event and forensically identify who may have been at the scene for later questioning. Fire and Life Safety Systems At Microsoft, fire and life safety systems extend to more than 330 panels and the monitoring solution is an Underwriter Laboratories (UL) listed central station. This certification enables Microsoft to self-monitor fire alarm signals within the United States and thereby reduce overall monitoring costs and quickly support business continuity. The U.S.-based GSOC monitors the fire sensors and alarms and dispatches local emergency response as needed for fire events. The system uses several types of hardware but is primarily based on Radionics panels mapped to Lenel and Simplex or Siemens, monitoring services. Radio over IP Microsoft security requirements call for each GSOC to monitor and manage security response over very large geographic areas where typical radio frequency (RF) communication is limited. Global Security extends the reach of RF communications by using RoIP over robust network services. This capability enables specific monitoring centers to communicate directly with responders at remote locations without relying on cellular phone technology. In the Microsoft environment, this functionally enables the regional center in India to speak directly to a field officer in the United States. Alternatively, a field officer in the United Kingdom can speak with a field officer at any RF-enabled facility worldwide. Microsoft uses a standard Motorola solution to deliver RoIP. 911 Monitoring In the event of a life safety emergency, personnel are directed to call 911, or their regional public safety number, as the first response. The Redmond GSOC is notified of all 911 calls occurring from locations on campus and can listen to the calls as the individuals speak with the 911 center. The GSOC can then validate the situation, collect valuable information about the event, and dispatch responders as needed. It also enables the Microsoft response teams to help route and escort the police or fire teams to the location and provide access to secure facilities. Event Notification and Escalation Event notification and escalation is critical to the deployment of a precision response throughout the Microsoft global environment. Microsoft uses AlertFind as an externally hosted application and notification service that delivers messaging to people through multiple devices by using user-specified escalation rules. This application has persistence in notification, may require acknowledgement, and can be configured for use over secondary communication lines. Operational Load Sharing Operational load sharing refers to the applications that enable all three of the GSOCs to access and operate any of the other regions at a tactical level. It includes areas such as consistent policies and procedures, management of critical incidents, geographic mapping, internal communications, and investigative case management. Physical Security at Microsoft Page 13

14 Consistent Policies and Procedures Whereas Lenel is the backbone of technical load sharing at Microsoft, Microsoft Office SharePoint Server 2007 gives the global organization an operational backbone. This application enables all of the GSOCs to pull data from the same sources, yet presents it in a way that is regionally based. Files such as policies and procedures, points of contact, and training all reside on a SharePoint site that can be accessed from anywhere. If a GSOC becomes inoperable, another GSOC can easily obtain the needed information to tactically respond to an event outside its region with little, if any, downtime. In addition, the SharePoint site is a hub for each operations environment to access administrative files such as evaluations and time-off requests. Users can also see their schedules online, even from home. Critical Incident and Data Management Microsoft Office InfoPath 2007 enhances the data management functionality of Office SharePoint Server Office InfoPath is an application that enables the primary party to create and deploy electronic form solutions to gather information efficiently and reliably. Microsoft uses the automation of Office InfoPath and Office SharePoint Server to manage contacts and associated escalations for over 700 sites. Office InfoPath enables users to enter instructions and help text directly on the form while completely automating the submission and database connection to Office SharePoint Server. The built-in management and automation of Office SharePoint Server ensures that the data goes to the appropriate teams and sends updates or follow-up instructions without requiring an investment in a large amount of administrative effort. Taking advantage of the synergies of these two applications has reduced administrative time from months to hours. All GSOCs currently use Office InfoPath forms for acquiring site-specific data such as headcount, total square footage, and whether a building is in fire hold or bypass. In addition, Office InfoPath has become the primary means by which GSOCs compile and present information related to critical incidents that directly affect Microsoft sites or staff. This capability gives key security personnel a single source for accurate, up-to-date information about incidents as they occur, eliminating time delays and miscommunications. Geographic Mapping Microsoft uses IDV which is a partner product leveraging Microsoft Virtual Earth mapping software to geographically display all site locations around the world. IDV also displays site specific data that the GSOCs collect through InfoPath and Office SharePoint Server as well as publically available GeoRSS feeds. This mapping helps determine what sites are within affected areas and other critical information needed when natural disasters, weather events, or political events occur. During high-priority incidents inside buildings, relevant video feeds and building maps with device overlays are displayed in the GSOC to enable GSOC personnel when tracking and monitoring an event. These maps are actionable and devices such as door readers and video cameras can be operated from the maps directly. Internal Communications Another tool that the GSOCs rely on to effectively manage the global security infrastructure is Microsoft Office Communicator Office Communicator is a unified communications tool that ties together instant messaging, voice, video, online collaboration, and more and ensures that the interactions between the GSOC personnel are accurate, self-documented Physical Security at Microsoft Page 14

15 and easily retrievable for case records. Office Communicator also dramatically increases the speed with which critical information is communicated. Office Communicator helps the GSOCs be more productive by enabling them to communicate with each other across different regions of the world and across time zones. By using Office Communicator, GSOC personnel can identify in real time who is available in a particular region and communicate instantly. They can also start a phone call, a video conference call, or a Microsoft Office Live Meeting session with the click of a mouse. When dealing with individuals who are not currently available, a GSOC staff member can use Office Communicator to alert them when they come online, schedule a meeting, or to send another user an message or a file attachment. Investigative Case Management Microsoft uses a third-party product, PPM 2000 Perspective, running on SQL Server 2005, to manage all of its investigations and cases around the world. Perspective is an incident reporting and investigation management application. It integrates with the Microsoft Office Outlook 2007 messaging and collaboration client, and it includes a browser tool. This application provides a common platform that anyone on the Microsoft network can use to file a report. The familiar and consistent interface enables Microsoft to maintain global reporting, while still managing regulatory compliance concerns through regional investigative teams. This tool takes advantage of the security of SQL Server to maintain the integrity of some of Global Security s most sensitive data. Note: More information about PPM 2000 Perspective is available at Physical Security at Microsoft Page 15

16 PHYSICAL SECURITY OPERATIONS USING GSOC SOLUTION Through a convergence of information technology and physical security, Microsoft can provide physical security operations on a global basis more effectively and efficiently. The following scenarios help to illustrate how the Global Security team uses technology to provide physical security services at Microsoft. Interoperability Through technical and operational load sharing, the network of Global Security Operations Centers creates an interoperable environment. This environment not only is flexible in terms of failover and redundancy capabilities, but at the same time can provide a precision response to any event occurring at any Microsoft location in the world. During a recent situation, the Redmond GSOC sustained a six-hour power failure in its entire building while it moved operations into the new building. Because of this outage, the Redmond GSOC was unable to monitor its systems and had to load share with the TVP GSOC. In this case, the load sharing of systems spanned the core technical and operational components mentioned earlier. Additionally, there have been several instances where due to inclimate weather or events happening on a campus one GSOC has had to load share with another GSOC. The Redmond GSOC initiated the transfer, but the TVP GSOC quickly acquired all of the regional responsibilities by following a checklist. As part of the systematic transfer, the TVP GSOC modified its monitoring zone to include the Americas area, transference of the monitoring of fire systems was validated, and all calls were automatically routed to the TVP GSOC. The TVP GSOC confirmed operational transfer by using RoIP connections. The TVP GSOC began monitoring the Redmond GSOC s region in addition to its own region both technically and operationally within minutes. Figure 4 illustrates Interoperability between Redmond and TVP GSOC. Figure 4. Interoperability between Redmond and TVP GSOC Microsoft has designed its solution to literally move from one production environment to another. The demonstration highlights the simplicity and effectiveness of the load sharing between GSOCs. Traditional failover systems for physical security typically include a Physical Security at Microsoft Page 16

17 significant delay because backup systems require startup sequences before they go online. However, at Microsoft, because each GSOC can receive all global signal data, and personnel are cross-trained to handle different roles, the only time required for failover in the event of a catastrophe is the time to assign personnel to monitor the data. In addition, the monitoring stations for physical security have been developed with mobility in mind. The personnel in a GSOC could as an alternative, move their operations simply by taking their laptops to another building that has access to the Microsoft corporate network if the two other GSOCs cannot acquire the region's responsibilities. Automated Event Monitoring by Priority The GSOC s are each staffed for 24/7 operation, but the team on duty at any given time is relatively small and not capable of acknowledging, assessing, communicating, and coordinating a response to thousands of simultaneous events sequentially as they occur. Microsoft implemented business rules to prioritize the monitoring feeds and ensure that the GSOC personnel see the most urgent event notifications, or the events that might have the greatest impact on Microsoft assets. Rather than relying on the GSOC team to monitor and analyze every signal in order to assess and prioritize feeds, the system automatically prioritizes and presents the feeds. For example, a duress or fire alarm will jump to the top of the queue. It will also instantly and automatically enable other aspects of the infrastructure for physical security, such as displaying the video feed and other relevant information (including maps and floor plans) from the site or area in question. The GSOC team can then understand the nature and extent of the threat and respond accordingly. In addition to the operational signal load (the volume of alerts, alarms, and other event notifications flowing into the GSOC), a significant amount of maintenance load is rerouted for later follow-up by the appropriate individuals when devices go offline. Although the highest-priority incidents receive the most urgent attention, the GSOCs receive and analyze other alerts and alarms as time permits to ensure that they address all issues, and not just the urgent incidents. Figure 5 illustrates Automated Event monitoring by Priority. Figure 5. Automated Event monitoring by Priority Physical Security at Microsoft Page 17

18 Alarm/Event Monitoring and Precision Response Monitoring alarms and events, and responding to them, is at the core of the GSOC operations. A GSOC receives alarms and events in five ways: Receives , phone calls, and walk-ins Monitors subscription news services Receives event notifications from the physical access control systems and fire alarm systems Hears 911 calls as they are made to the local 911 call center Receives information from security officers via radios and cellular phones The following example of a monitoring and response scenario highlights how Microsoft integrates its technologies for processing alarms and events to enable a precision response: A GSOC receives a call from an individual who is concerned about a stranger who is acting suspiciously. The GSOC Communications Center sends the information to monitoring personnel and the dispatcher in the GSOC via Office Communicator The monitoring personnel then examine building maps and video on any of the cameras near the event location. By using pan, tilt, and zoom functionality, the monitoring personnel can follow events instead of being limited to a traditional fixed view. In this case, the monitoring personnel determine that the threat is actually from a group of individuals rather than one person. While the monitoring personnel are making this assessment, they are sending instant messages to the dispatcher about the nature of the event. The dispatcher provides an appropriate response to the location based on the seriousness of the event and calls the local police department to inform it about the situation. After dispatch has occurred, the monitoring personnel continue to view the video feeds to provide the dispatcher and local law enforcement with accurate real-time data of the event. It should be noted that each workstation in the GSOC can perform all functions. Therefore, if needed, the monitoring personnel can take over dispatch functions, and vice versa enabling individuals to focus on an event and allow others to temporary cover other functions in the GSOC. Using Microsoft technologies like Office Communicator improves the efficiency of the GSOC and the accuracy of case management files. All information for case management summaries is pulled directly from the IM logs and represents actual communications that occurred. This capability eliminates the need to re-create or remember what happened during an event. Currently, most of the incoming traffic is handled through Office Outlook 2007 and Office Communicator Microsoft is always looking for ways to implement new Microsoft products as enablers for the business; to that end, Global Security plans to implement Microsoft Dynamics CRM to track incoming messages and requests in the future. Remote Monitoring and Event Management The environment of technical and operational load sharing also enables the three GSOCs to monitor other sites in their region and to remotely dispatch personnel. During business hours, local campuses monitor themselves. But during off-peak times, they transfer controls to the GSOC within their region saving on monitoring costs. This system not only provides a staffing savings to Microsoft, but also provides on-site security for locations with the greatest need during the day. Physical Security at Microsoft Page 18

19 In cases such as the example described earlier, the regional GSOC reacts as if the situation is happening on the local campus. By using the SharePoint site, the GSOC personnel can access local points of contact and escalation plans. The difference in this case is that they dispatch precision responses to suspicious people in a building through RoIP and through coordination with law enforcement agencies local to the event. Storage and Sharing of Personal Data One of the key aspects of physical security convergence with IT is that data is collected once about the individuals with access to Microsoft physical assets and used in multiple downstream systems as needed. A data warehouse maintains the integrity of the source security data. During the initial process of adding a new user to the Microsoft network, information to identify and contact users is retained, including photographs, access levels, and other contact information. This information can be shared with applications like Office SharePoint Server 2007 or the products in the 2007 Microsoft Office system, as well as other enterprise systems. The access control system also correlates access control accounts with cardholders and allows for their use in downstream systems, like Point of Sale (POS) for paying by card key (an emerging technology to enable employees to link their access card with their financial accounts and use it for purchases within Microsoft), time tracking, and attendance metrics for training and events. To use the personal data while protecting it from unauthorized or inappropriate use, Microsoft does not allow any party to directly access the source data. A subscription data warehouse acts as an intermediary between the security-enhanced repository for personal data and the external application or service that needs the data. The subscriber receives only the data that has been requested and that is allowed by Microsoft policy and regulatory compliance. This system allows external applications and groups to use a common platform of tools and processes to access, work with, and manipulate the personal data in a variety of ways while maintaining the integrity of the original personal data stored in the security-enhanced Real-Time Site Information and Global Event Notification The SharePoint portal and InfoPath infrastructure used for Critical Incident and Data Management allows real-time site information and Global Event notification. The InfoPath electronic forms allow the capture of site-specific info at the source. The POCs at each site update the information in InfoPath forms and submit the forms to the SharePoint portal, the SharePoint portal reflects site-specific information real-time, enabling a precise operational response to each event, In case of disaster, GSOC personnel fill in the global event notification InfoPath forms, the electronic forms notify and update key Global Security personnel of event status, site-related info, etc Physical Security at Microsoft Page 19

20 Figure 6 illustrates Real-Time Site Information and Global Event Notification Figure 6. Real-Time Site Information and Global Event Notification Enterprise Maintenance All of the security hardware used throughout the enterprise requires regular service and maintenance to help ensure that it remains functional. Microsoft recognized the need to establish a scalable process for maintaining the infrastructure for physical security throughout the global enterprise. It was also important to manage the readiness of all devices and to set downtime expectations for the GSOC personnel. The Security System Team (SST) at Microsoft manages the maintenance and repair of the remote peripheral devices that makes up the backbone of the infrastructure for physical security. As shown in Figure 7, the members of the SST can use their computers to remotely triage the peripheral security devices. After assessing and troubleshooting malfunctioning equipment, the SST either resolves the situation remotely, escalates to Microsoft IT if appropriate, or dispatches the issue to on-site personnel if necessary. Figure 7. Maintaining the physical security infrastructure Physical Security at Microsoft Page 20