Convergence/Integrated Solutions

From Padlocks to Passwords

Convergence of physical and logical security is quickly becoming a reality

One of the biggest buzzwords in the security market in the past few years has been convergence -- the tying together of physical access and logical access technologies which have existed in parallel worlds. Physical access technologies, such as building security systems and employee access cards, have traditionally been controlled by the corporate security department. Application passwords and firewalls have been the domain of the IT department. The networks, technology paths and user interfaces have been separate.

In the past, the separation made sense. Since the need for physical access security predated the corporate use of information technology, corporate security departments focused exclusively on protecting physical assets through locks, surveillance and alarm systems, staffed mostly by people with backgrounds in crime prevention and law enforcement, not technology. Logical access security has been part of information technology almost since its inception and has always remained under the aegis of the IT organization. For the majority of these two disparate groups, the integration of physical and logical security technologies was neither an option nor a priority.

That situation is changing. As physical and logical security concerns mount, persistent issues, such as inadequate security policy and enforcement, continue. More and more organizations are asking why physical and logical security systems cannot work together to share data and strengthen each other. Now that the technology is catching up with the demand, it is becoming possible for companies to successfully merge the two culturally and technologically disparate worlds of building access and network access without massive investments.

With the convergence of physical and logical security technologies, organizations now have new opportunities to:

  • Strengthen and gain greater control over security of the organization.
  • Add a practical and affordable second authentication factor.
  • Better enforce physical and logical security policies.
  • Better coordinate security resources in critical and emergency situations.
  • Achieve compliance with regulations such as Homeland Security Presidential Directive (HSPD-12), a policy for a common identification standard for federal employees and contractors.

Why Convergence?
All organizations need to protect corporate assets -- whether it's preventing the theft of office equipment, providing a safe environment for employees and their belongings or keeping hackers, industrial saboteurs and terrorists from wreaking havoc on networks, applications and databases. Because physical and logical security traditionally have been handled by separate organizations and technologies, few companies realize the benefit of convergence.

As a practical definition, converged security refers to the integration of physical access technologies, such as magnetic cards and readers, with identity management and user authentication technologies such as tokens and proximity cards. The integration enables an organization to establish and manage a single, consolidated repository for all authentication credentials and to have a centralized means of setting access privileges for both physical and logical resources.

Identity-based convergence makes it possible for organizations to have one system for managing physical and logical access, a unified network policy for network and remote access that leverages location information from physical access systems, mutual exchange of events and alarms between physical and logical access systems, an identity-based reporting system for use in forensic investigations and a streamlined workflow for creating, deleting and modifying user identities.

Why Now?
The notion of converging physical and logical access security is not a new one. It has been around for some time, but historically, implementation has been a problem. Because physical and logical security systems have had little in common technologically, integrating them was a costly and complex proposition. The lack of interaction between the physical security experts and information technology providers also has hindered convergence.

However, an opportunity now exists for the worlds of physical and logical access security to come together at last. Here's why.

Widespread adoption of IP. In the past decade, IP has become the standard for corporate IT networking. Having a common protocol reduces wiring requirements, deployment time and cost, and enables convenient management and administration via Web browsers. These advantages have led more physical security device providers to make products IP-compatible. Today, many physical access devices are IP-capable, including cameras, card readers and access controllers.

Convergence-friendly solutions. More physical access security vendors are responding to customer demand and seeing the value in supporting convergence. Many are promoting standardized application programming interfaces for integration with IT-based solutions. Converged solutions built around identity offer more comprehensive security protection and related benefits such as regulatory compliance and improved coordination when responding to emergencies or security threats.

Resources aren't secured by door locks and firewalls alone. As auditing for regulatory compliance becomes more widespread, more auditors are seeing the gaps in corporate security and alerting clients to take action.

Emerging standards. Standards are being defined to enable easier physical/logical access security integration. One is the Physical Security Bridge to IT Security, a vendor-neutral approach for enabling collaboration between physical and IT security to support overall enterprise risk management needs. It was developed by the Open Security Exchange, a cross-industry forum created to address the lack of integration between various components of the security infrastructure.

More cost-effective card token solutions. Recently, vendors have introduced a new generation of more affordable smart cards. Based on a contactless smart card chip, the widely adopted cards offer a more secure token than the traditional 125 kHz Prox technology used with most access control systems, making the cards suitable for use in IT security.

The impact of single sign-on. As more organizations deploy SSO, which allows users to log in from anywhere to all applications using a single, complex password, demand is growing for strong user authentication and more comprehensive security policies for network and remote access. For instance, an employee cannot access the VPN if they have already badged into the office building.

New gateway technologies. A new generation of gateway technologies is targeting -- and fixing -- common convergence problems. These gateway products bridge the gap between the physical and logical systems to provide bi-directional exchange of identity information and real-time events.

As a result of these factors, converged physical/logical access security systems will no longer be too costly or complex to deploy.

Benefits of a Physical/Logical Solution
When logical and physical access security components work together, organizations can use the systems to complement and reinforce each other. A policy can be established that allows a user logical access to applications only if that user has first swiped their employee badge that day when entering a facility or restricted area. The synchronization leads not only to stronger, more integrated security, but also to stronger overall security, as convergence allows organizations to manage all forms of security under a single umbrella for maximum control.

Convergence also provides companies with affordable, two-factor authentication, which is recommended by experts as the best protection against unauthorized application access. Convergence enables magnetic employee badges to be used as the second factor, sparing organizations the cost of additional smart cards, tokens or biometric scanning systems while at the same time strengthening IT security.

Converging physical and logical security offers organizations the ability to coordinate responses to problems and/or emergency situations. For example, when employees resign or are terminated, there is often a lag time of days or weeks between when their physical access rights and logical access rights are terminated. This situation often results in disgruntled former employees logging in remotely and stealing confidential data. Convergence prevents this problem by allowing organizations to terminate physical and logical access privileges simultaneously.

Another security concern that is solved with convergence is tailgating, a common problem in which a person without an ID badge gains access to a facility by following closely behind another person who has just swiped their badge. With convergence, logical access security can be set up to alert corporate security when employees who have not swiped their badges attempt to log on to PCs, or to prevent users from accessing their PCs until they swipe in, providing a means to better enforce badge-swiping compliance.
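
The badge-aware logon policies described above (no VPN while badged into the building, no local logon without a swipe that day, and logical access ending when the badge is deactivated) can be sketched as one decision function. This is an added example, not code from the article or from any vendor; the event fields, user names and reason strings are assumptions, and the badge events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: badge events as a physical access control system
# might export them (field names are assumptions, not a vendor schema).
@dataclass
class BadgeEvent:
    user: str
    when: datetime
    direction: str      # "in" or "out"

def inside_building(user, events, now):
    """True if the user's most recent swipe today was a badge-in."""
    todays = [e for e in events
              if e.user == user and e.when.date() == now.date() and e.when <= now]
    if not todays:
        return False
    return max(todays, key=lambda e: e.when).direction == "in"

def decide(user, channel, now, events, active_badges):
    """Return (allow, reason) for a logon attempt on 'local' or 'vpn'."""
    if user not in active_badges:
        # A terminated or suspended badge ends logical access at the same time.
        return False, "badge-inactive"
    inside = inside_building(user, events, now)
    if channel == "local" and not inside:
        # Console logon without a swipe today: possible tailgating.
        return False, "no-badge-in:alert-physical-security"
    if channel == "vpn" and inside:
        # Remote session while the badge shows the user on site.
        return False, "vpn-while-on-site:alert-it-security"
    return True, "ok"

EVENTS = [
    BadgeEvent("alice", datetime(2006, 11, 6, 8, 55), "in"),
    BadgeEvent("bob", datetime(2006, 11, 6, 9, 0), "in"),
    BadgeEvent("bob", datetime(2006, 11, 6, 12, 30), "out"),
]
ACTIVE = {"alice", "bob", "carol"}   # "dave" is absent: badge deactivated
NOW = datetime(2006, 11, 6, 14, 0)

if __name__ == "__main__":
    for user, channel in [("alice", "local"), ("alice", "vpn"), ("bob", "vpn"),
                          ("carol", "local"), ("dave", "vpn")]:
        print(user, channel, decide(user, channel, NOW, EVENTS, ACTIVE))
```

The denial reasons double as alert routing hints, matching the article's point that each system can notify the other when the two records disagree.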

Convergence allows organizations to be compliant with emerging legislation and regulations. In 2004, the White House issued HSPD-12, which mandates a common identification standard for federal employees and contractors. Other governments and industry regulatory organizations are requiring similar standards. Converged logical/physical access technologies provide two-factor authentication that ensures compliance with the regulations.

All of these benefits -- plus the better protection, cost savings, risk reduction and increased compliance associated with them -- make converged logical/physical security a worthwhile goal for any security-minded organization.

Implications of a Converged Solution
What will it mean to corporate security when the worlds of padlocks and passwords finally converge? A number of converged physical/logical access security systems are expected to come to market within the next year. The organizations that deploy the solutions will be among the first to benefit from the enhanced capabilities offered.

For starters, organizations will gain a greater ROI from their existing infrastructure. By linking the two access security systems, companies can extract more value from the badges and proximity cards already deployed and fully leverage the existing infrastructure of readers and doors controlled by physical access control systems. Additionally, by incorporating data available on user location, time of badge in and badge status within the organization's network/remote access policy, companies are able to enhance perimeter security. Since the verification of badge status is necessary prior to granting access to the network, whether locally or remotely, the occurrence of security concerns, such as tailgating, is reduced.

Another benefit is improved user management, which enables the procedures for adding and removing users from physical and logical security systems to be streamlined and provides improved consistency of user demographics across all systems.

Also, with the physical and logical systems fully integrated, real-time response to network alarms is now possible, and companies have a more accurate emergency roster list. This, combined with the consolidated logging of entry and access records by true user identity, allows companies to experience overall improved risk management. A converged solution enables organizations to comply with various regulations, including HIPAA, the Gramm-Leach-Bliley Act, Sarbanes-Oxley, HSPD-12 and FIPS 201.

Bridge to a More Secure Future
With the momentum building behind the development of converged physical/logical access security systems, it is not too soon for companies to begin thinking about how the organization can benefit from the enhanced security and compliance the solutions will deliver. In fact, the best approach is for companies to begin formulating convergence solution plans now in order to ensure a sensible, affordable, smooth and incremental implementation.

This article originally appeared in the November 2006 issue of Security Products, pgs. 92-94.
