An Automated RFID Solution for Physical IT Asset Management and Protection

Transcription

1 An Automated RFID Solution for Physical IT Asset Management and Protection A Best Practice for Real Time Inventory, Accountability, and Security for Protecting Intellectual Property and Privacy Information in Compliance with Federal and State Laws AXCESS International Inc Commander Drive Carrollton, TX OTC Stock Symbol-AXSI AXCESS International Inc All Rights Reserved

2 Introduction Losses from the theft of proprietary data from corporations and other institutions more than doubled last year to a total of $356,000 per incident. Ten percent of all companies, government agencies, and educational institutions suffered those losses. Eighty three million confidential records were lost or stolen last year. Over 10 million US citizens were affected by identity theft last year. Only 43 percent of organizations who experienced those losses reported them citing a fear of the potential impact on their institution s stock price or image. The Federal Government stipulates criminal penalties in The Sarbanes Oxley Act of 2002 to force the development of best practices for asset and data management. Twenty three states now require companies notify individuals if the company loses their privacy data even if it s uncertain the data will lead to credit-related loses for the individual. Legal mandates and the foreseeability of these events now creates a liability for executives and necessitates the development of an IT best practice in the organization for managing computer assets. Such a practice is now being provided by the wireless tagging of computer assets in a comprehensive RFID system which provides an automated, economical, real time, and labor-free control solution for the management of assets and data residing on them. The unique ActiveTag TM RFID solution is applicable to data centers, record departments and enterprise IT operations. The AXCESS solution has been successfully installed in a number of data centers and enterprise offices where it has been seamlessly interfaced into the existing security system to prevent unauthorized removal of computer assets while providing the necessary visibility, inventory and accountability. The Problem The 2005 Computer Security Institute/FBI Annual Computer Crime and Security Survey was responded to by over 900 IT practitioners who divulged the cost to organizations related to the loss or theft of proprietary data doubled over the last year to $356,000 per incident. 83 million personal confidential records were compromised last year from lost data tapes and stolen computers among other losses, according to Privacy Rights Clearinghouse. The Federal Trade Commission reported over 10 million US citizens were affected by identity theft in Events in early 2006 include the Veterans Administration losing control of 26 million records, The American AXCESS International Inc All Rights Reserved 1

3 Institute of CPAs who lost 330,000 names and the Texas Guaranteed Student Loan Corp. which lost 1.3 million personal records. Significant business losses are also attributable to information theft and unauthorized data access. Each name lost causes over $40,000 in fraud-related charges, according to a 2003 study by the nonprofit Identity Theft Resource Center. The CSI/FBI survey found that only 43 percent of organizations who experienced the loss or theft of proprietary information reported the incidents citing a fear of the potential impact on their institution s stock price or image. Institutions, Federal and State governments have now moved in to further force the need to have best practices developed for the management of computer assets. Legal Mandates Concerns regarding the security of citizen privacy data were first manifested in the Fair Credit Reporting Act of 1970 and the Federal Privacy Act of The threats foreseen in the 1970 s are quite different than those found today. More recent regulations include: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair and Accurate Credit Transaction Act of 2003 (FACTA), and the Financial Services Act of The New York Stock Exchange has now instituted a rule that all NYSE-listed companys employees, officers and directors should maintain the confidentiality of information entrusted to them by the company or its customers (reference section 303A, paragraph 10). As reported in the May 23, 2005 issue of the National Law Journal (Confidential Data, Mandatory Protection), the code requires compliance standards and procedures that will facilitate the effective operation of the code. The rule goes beyond officers and directors and requires employees to comply. It goes on to say, rather than companies simply reacting to the theft of their confidential information, the NYSE governance rules require listed companies, prior to being victimized by a single theft, to take aggressive and proactive steps to protect their confidential information. The trend toward more mandates is clear. Under the Sarbanes-Oxley Act in section 404 and 302, the protection of corporate assets is the responsibility of the executive office where management is to establish and maintain an adequate internal control structure and procedures for financial reporting. Regulations covering information security are now at both the State and Federal Level. The California Security Breach Information Act (CA SB 1386), is a typical example specifically addressing circumstances were residents are affected by an incident. The law mandates notification if personal information is compromised. Twenty-three states now have similar laws. Information compromise does not AXCESS International Inc All Rights Reserved 2

4 always mean loss to the individual. However, organizations are still required to notify each person and suffer the public embarrassment. Foreseeability Means Responsibility According to the CSI/FBI 2005 Survey, 55% of organizations experienced at least one incident of unauthorized use of a computer. The average number of insider computer crimes of all types including: unauthorized access to information; laptop or mobile theft; and theft of proprietary information was six per organization in the year Current security methods used (again according to the CSI/FBI Study) have focused on network intrusion solutions such as firewalls, anti-virus software, intrusion detection systems, access control lists, and encryption for data in transit. Using only these security methods, losses are clearly expected and foreseeable. Foreseeability is a frequently used security industry term measuring when management should have known enough to act to protect an asset from theft. It characterizes a condition of prospective liability. If a crime is foreseeable and no action is taken then executives are often held responsible for their failure to act. Until recently, few acceptable alternatives for the physical security of computers, peripherals, etc. existed. With the introduction of active RFID systems which can automatically account for and identify computer assets, an acceptable solution now exists which is comprehensive, reliable, and economic. The Active RFID Solution The AXCESS system provides real-time visibility into asset locations and counts. It also deters and prevents the theft of physical assets which hold confidential information and personal records. Should a theft occur, the system records the evidence including the record of the asset s departure and as an option have a digital video clip of the incident linked to the asset transaction data. The active (battery powered) RFID solution uses wireless tags attached to the assets which report via a short wireless message their ID, location, and if needed, their condition. Asset tags can be linked to other tags such as custodian personnel tags to strengthen the security practice. The system is also easily linked into enterprise systems and the existing security system to provide door (access) control. AXCESS International Inc All Rights Reserved 3

5 In a comprehensive solution, the system provides individual asset tracking and protection, dynamic wireless custodian assignments to assets, complete reports, and wireless alerting to exception-based security events. One key to the reliability of the solution is AXCESS RFID tags which generate strong signals, on-command to enable metal encased computers to be identified even when hidden. When AXCESS RFID asset tags are placed on fixed desktops, servers, and storage devices as well as on mobile assets such as laptops, the tags are activated on-command to transmit their ID at key control points such as doorways. Key to the system s accuracy is the localized tag activation field which uses the Company s new Dual Activator tag activation product which precisely identifies assets at specific points in and around the enterprise. The Dual Activator is unique within RFID technology in being able activate the tags on-command or in a semi-active system operating mode. This enables the system to determine where the asset is at certain strategically positioned control or choke points. It also enables the system to determine with certainty whether an asset is in or out of a secured area, which delivers actionable intelligence through which a reliable security response can be determined and initiated. The tags transmit to low cost network-based receivers which pass the tag IDs to the AXCESS software and database to record their location, who moved it, and whether their movement is authorized. Individual custodians such as computer administrators and authorized employees can also be tagged and linked to the asset to provide an automatic, electronic custodial assignment for accountability and to freely move assets around the facility as needed without triggering an alarm. This process of Functional Linkage TM can be dynamically changed to further facilitate the movement of assets without adversely impacting productivity. Assets can also be regularly inventoried using beaconing transmissions. Alarms are automatically triggered if an asset leaves a controlled area without authorization. Doors can then be automatically locked, and typically wireless alerts are sent to security and responders to recover the asset before it leaves the premises. The system also provides by a full complement of customizable management reports. Software Platform Stands Alone and Interfaces with Legacy Enterprise and Security Systems OnlineSupervisor TM software running on a host Microsoft OS computer provides real-time management solutions via powerful data collection, display, reporting, alerting, and decision and control functions. The robust middleware offers the AXCESS International Inc All Rights Reserved 4

6 ability to collect data from multiple sources into a Sequel database including tags and sensors of various types. Users are offered a password protected, customizable, browser-based dashboard display. Easily viewable are real time transactions, alert summaries, summary inventory gauges, and individual dwell time statistics. A real time map location function locates items on-demand. A real time alert function provides instant alarming. Investigations are facilitated by simple transaction queries offering integrated video evidence to enable rapid response. Flexible logic definitions allow for linking of tags, sensors, and other data to combine the inputs to provide intelligent monitoring. For the administrator, individual security sign-ons for three different functional levels exist. For users, the system can be accessed across multiple locations enabling a true enterprise solution. Standard personnel/asset/vehicle tags Bar Flex Road Loop Frame Ceiling Patented Control Point Activation Key FOB size tag Integrated streaming video Beaconing tag Wireless Outboard sensor tag Harsh environment/vehicle tag Network Receiver Alerts Onlinesupervisor Custom Dashboard Display Technical Overview The ActiveTag TM RFID system is unique in automatic identification for having low cost, long-range tags, which have a small form factor, long-term battery life, and also a platform for adding sensor capabilities. The activation of tags occurs at a separate low frequency, a patented approach that makes AXCESS unique among active RFID companies in the ability to establish physical control points (e.g. doorways) and virtual control points (e.g. hallways). AXCESS International Inc All Rights Reserved 5

7 The receiver system is designed as a low cost infrastructure that can be directly connected to legacy security access control panels and simultaneously run on a standard TCP/IP network backbone. The system is flexible enough to support multiple applications for people, physical assets, and vehicles. Finally, the tag data is integrated with live and recorded streaming video on a multi-user browser display platform for both casual viewing and industrial requirements. The flexibility comes from the use of dual frequencies for wake-up and transmission; low frequency on wake-up (128 khz) and UHF for transmission (315/433 mhz). Tag transmission at UHF encounters minimal interference and penetrates all materials except metal, enabling reliable tag transmission. This also enables long range tag reads using omni-directional antennas (hence, no line of sight required). A simple transmission protocol allows multiple tags to be read simultaneously. The unique battery management design, which is patented, provides battery life of 3 to 5 years under normal operating conditions, 5 to 7 years with an enhanced battery. Semi-Active RFID Architecture - Granular Control Points - Flexible Location Zones - Precision Perimeter Mgmt Networked Receiver On-Demand Activators Reception Computer Room Cafeteria Mail Room Control point activation (also patented), combined with the ability for tags to beacon on set time intervals or be queried individually enables the ActiveTag line to be the only solution to meet all five desired user requirements including: dynamic tracking, static tracking, multiple simultaneous tag reads; easy authorized movement of tagged assets, and a long read range for tag transmission. AXCESS International Inc All Rights Reserved 6

8 It outperforms triangulation and signal strength-based location positioning systems. And, it outperforms infrared and combo infrared/rfid systems. Other systems using 2.5 gigahertz and 900 megahertz frequencies suffer from interference and materials attenuation and can t provide many of the required applications such as asset and personnel tracking. Basic Economics Basic asset tags are priced at $15 each. A combined Activator and Receiver set will cost the end user approximately $1,500. While many Activators can share a common Receiver for efficiency, at entry and exit points it is common to have both. Tag lives are typically three to five years based on battery performance. If we assume a three year life and therefore a three year amortization, the basic tag will have an allocated cost per month of around $.42 each. The variable number of tags can be allocated across the fixed infrastructure costs to get an overall average cost per tag per month for the entire system. For example, take a company with 250 mobile IT assets to be controlled and two entranceways/exits. The average number of assets per exit is 125. With the exit priced at $1,500 and $1,000 allocated for desktop software, the total can be allocated across the tag population. 125 assets priced at $15 each with their allocation of infrastructure costs $1.00 per asset per month over 36 months. Customer Case Study I - ROI Analysis AXCESS installed an IT asset management system at a specific location in a Department of Defense. A savings analysis was executed that determined the amount of labor savings and specific assets that could be saved from loss or unwarranted purchase. A semi-active RFID solution from AXCESS International Inc. was chosen over other forms of RFID (including passive, semi-passive, and active-only) because AXCESS semi-active RFID tags transmitted their ID at regular intervals and/or are awakened on-demand. These features provided fully automatic counting, location and protection of assets within a facility without any human intervention. The study included a successful technical pilot analyzed over a three month period for more than 1300 assets at 15 lab rooms, and the AXCESS ActiveTag TM Asset Activator TM system in operation. The time and costs associated with the regular inventory were measured and calculated, amounting to an unburdened $17,000 per year of displaceable labor cost, averaging approximately 12 minutes per asset per year or more than 6 total annual work weeks of manual inventorying, locating and protecting time. AXCESS International Inc All Rights Reserved 7

9 The pricing of the system in the base case analysis included a total infrastructure cost of $19,000 (or $1,350 average per control zone ). Individual RFID asset tags were priced at $15.00 each. The amortized average cost per asset per month for RFID tagging came out to be $1.00 per month per asset over an assumed 36 months. The total capital cost of the entire system including installation and software on a per tag basis came to $36.35 each. The ROI analysis showed a positive business case for the capital purchase of a system capable of delivering accurate and automatic asset inventory, location determination and protection. The case sensitivities included assets being lost per year at values of $5,000 as a replacement cost (not including software, reprocurement time, lost productivity or lost intellectual property) and $28,000 based on the industry statistics. The sensitivity (see table below) showed the dramatic effect a threat of loss, the actual loss or misplacement of assets has on the business case, which could only be provided by the semi-active operation of the system. Assuming only 1% of the asset base (or 13 of 1300 assets) were lost or risked loss per year, the payback was less than 2 months. The industry average for lost assets is 3-4 percent per year. Historically, assets don t have to actually be lost to be considered. The analysis just needs to recognize the potential effect based on the foreseeability they likely will be. # at Risk of Loss Value Payback Period (yrs) Each $5k $28k (1%) $5k.2 13 (1%) $28k.1 Here, the ROI analysis took into account the ability of the semi-active architecture to eliminate certain labor tasks and to provide security protection from loss or theft. Customer Case Study II - Best Practices Profile Axcess installed an ActiveTag solution for a financial services firm specializing in software, back-office and retail banking platform solutions for financial institutions. The firm services over 1,000 financial institutions. The services support payment processing including digital, image based (computer intense) solutions as well as web hosting for remote banking. AXCESS International Inc All Rights Reserved 8

10 The firm chose AXCESS ActiveTag solution because it wanted an automated way to provide visibility, accountability, and increased security for its computer intensive business operations require managing data private to institutional and retail banking customers. The high security implementation was based on the establishment of five best practices related to its computer hardware and media: 1) Vehicle access control for the premises was established using active RFID vehicle tags which provide automatic hands-free entry through the parking control gate as well as detailed reports on which cars entered and for how long. 2) Personnel access control for the premises includes active RFID personnel badges which control doorways and provide internal security area checks. One check includes the determination of authorized entry into different areas of the facility which can be individually programmed by person by area. Individual tags must be successfully correlated to door sensor RFID tag reads. 3) Asset tags placed on computers provide instant real time location visibility and security. Personnel badges are linked to the computers so only authorized custodians can move the equipment 4) Archive media data tapes are placed in pouches and secured with active FOB tags for transport to internal and off-site secure storage. Individual personnel badges are electronically linked to the pouches and doorways (with tags) to ensure the proper personnel are in the room and managing the tapes 5) The off-site tape storage facility has a two-man rule, which uses RFID personnel badges to verify authorized personnel performing data backups. Overall, the five distinctive best practices combine into one comprehensive solution providing management, control, security, and accountability. That solution is managed via a common software platform which provides the real time, labor free information, automated control, and security. In Closing The evolution of institutions into the current data centric business environment necessitates the evolution of IT security solutions in concert. Today s network firewall and virus focus now must be upgraded to include the management and control of physical IT assets. Those include computers, peripherals, media, and documents. Active RFID provides an automated, real time, labor free solutions supported enabling detailed best practices which provide IT management and security without impacting productivity. In fact, the system improves productivity while providing the added value of security. AXCESS International Inc All Rights Reserved 9

11 Economics and legal compliance requirements have now solidified the call to action to implement active RFID-based physical asset management and protection solutions. But, we are also seeing the use of these systems for institutions to provide a better quality of service and a competitive advantage. About the Author About the author: Allan Griebenow is President and CEO of AXCESS International Inc. AXCESS International Inc. (OTCBB:AXS I), headquartered in greater Dallas, TX, provides Active and Semi-Active RFID (radio frequency identification) and Real Time Location Systems (RTLS) for asset managemen t, physical security and supply chain efficiencies. The battery-powered (active) RFID tags locate, identify, track, monitor, count, and protect people, assets, invent ory, and vehicles. AXCESS RFID solutions are supported by its integrated network-based, streaming digital video (or IPTV) technology. Both patented technologies enable applications including: automatic hands-free personnel access control, automatic vehicle access control and logistics management, automatic asset management, and sensor managemen t. AXCESS is a portfolio company of Amphion Innovations plc. Allan can be reached at or at agriebenow@axcessinc.com. AXCESS International Inc All Rights Reserved 10