Access Meets Identity

Just a few short years ago, physical access control was mainly about who could go through what doors, while logical access control focused on who got on the corporate network and into data.

Then, as more Internet protocol-based physical security devices, such as card readers and video cameras, became available, the convergence of physical and logical access control became possible. The classic example is of an employee unable to access the corporate network unless he swipes his ID card at the entrance.

Now access control, converged or not, is poised to become a key cog in a broader corporate strategy known as identity and access management. IAM, which is a largely software-oriented domain, encompasses identity lifecycle management.

That means enrolling employees, provisioning their rights to the enterprise network, applications, data and, potentially, facilities, then managing those rights as they change and terminating them when employment ends.

It’s in this IAM space that even more opportunity for convergence is possible: that of physical and logical access control along with identity. It’s a discussion occurring in companies of all sizes and across industries, though medium and larger enterprises are more likely to put money behind the concept, vendors say.

“More companies want to integrate at the identity level with building and remote access,” said Geoff Hogan, senior vice president, business development and product management/marketing, at Imprivata in Lexington, Mass.

“Companies are looking to link all the component parts and identify a person in a secure, convenient manner,” said Anthony Ball, global vice president of sales and marketing for IAM at HID Global in Irvine, Calif.

Compliance is a strong force behind IAM, as is a growing understanding that insider malfeasance can be more costly than external attacks. To pass audits and protect themselves, enterprises now must monitor their employees’ physical and logical movements. “Companies want more security inside their firewalls,” Hogan said.

Yet enterprises want IAM to be relatively transparent to their users and ensure IAM tools and strategies don’t create obstacles to efficiency. “In the modern arena, you’ve got to make that easier for people to navigate,” Ball said.

Controlled Convenience

Converged physical and logical access control can offer that convenience, enabling employees to use one device to enter a facility as well as the network and applications.

Such systems can be flexible, with access rules based on context. Low-risk areas or less sensitive data files might require one authentication factor, while two or more factors could be required to enter data centers or certain financial files.

Yet granting access based on a person’s physical presence, denoted by a card swipe or fingerprint read, and a second factor, such as a password, is all for naught if the system doesn’t know the person should no longer have access to certain facilities or files.

That’s where forward-thinking companies want IAM and traditional access control to meet, vendors say. Managing physical and logical access rights throughout the identity lifecycle is critical to security. As job titles and responsibilities change, people may need access to new applications or data, while access to other file servers, databases or facilities is restricted.

“This is an area where you see a lot of security risks if rule changes don’t happen cleanly,” said Jackson Shaw, senior director, product management, at Quest Software in Aliso Viejo, Calif.

Further, correlating access data across various software and physical domains can give a complete view of individual actions as well as patterns of behavior to help companies identify potential problems, says Joe Anthony, the Austin, Texas-based program director of security and compliance management for IBM Tivoli Software, Armonk, N.Y.

That correlation is nearly impossible to achieve if logical and physical systems are not integrated with each other or to IAM. “If you can’t take the data back to the individual user, you lose a lot of context,” Anthony said.
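The cross-domain correlation Anthony describes, and the classic convergence example from the start of the article (a network logon that should be preceded by a badge swipe), can be shown with a few lines of log data. The following is an added example, not code from the article or from any vendor quoted in it. The badge-reader lines, logon lines, identity mapping and the assumption that 10.x.x.x addresses are the on-site LAN are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed identity mapping (not from the article): the IAM layer's link
# between a person, their badge ID and their network account. Without it,
# the two logs below cannot be joined back to an individual.
IDENTITY_MAP = {
    "P1001": {"badge": "B-4471", "account": "jdoe"},
    "P1002": {"badge": "B-2210", "account": "asmith"},
    "P1003": {"badge": "B-9932", "account": "rlee"},
}

# Constructed badge-reader log lines (physical access domain).
BADGE_LOG = """\
2024-03-04T07:58:12 reader=MAIN-LOBBY badge=B-4471 result=GRANTED
2024-03-04T08:03:40 reader=MAIN-LOBBY badge=B-2210 result=GRANTED
2024-03-04T08:10:05 reader=DATACENTER badge=B-9932 result=DENIED
"""

# Constructed workstation/VPN logon log lines (logical access domain).
LOGON_LOG = """\
2024-03-04T08:05:01 host=WS-117 user=jdoe src=10.20.5.17 result=SUCCESS
2024-03-04T08:12:44 host=WS-203 user=rlee src=10.20.5.88 result=SUCCESS
2024-03-04T08:20:00 host=WS-300 user=svc_backup src=10.20.5.5 result=SUCCESS
2024-03-04T09:30:19 host=VPN-GW user=asmith src=198.51.100.23 result=SUCCESS
"""

BADGE_RE = re.compile(
    r"^(?P<ts>\S+) reader=(?P<reader>\S+) badge=(?P<badge>\S+) result=(?P<result>\S+)$")
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

INTERNAL_PREFIX = "10."  # assumption: 10.x.x.x is the on-site LAN; remote logons are not checked


def parse(log, pattern):
    """Parse one log into a list of dicts, skipping malformed lines instead of crashing."""
    events = []
    for line in log.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def build_index():
    """Reverse the mapping so each silo's key resolves to a person."""
    badge_to_person = {v["badge"]: k for k, v in IDENTITY_MAP.items()}
    account_to_person = {v["account"]: k for k, v in IDENTITY_MAP.items()}
    return badge_to_person, account_to_person


def correlate(badge_log=BADGE_LOG, logon_log=LOGON_LOG):
    """Flag on-site network logons that were not preceded by a granted badge-in that day,
    and on-site logons by accounts the identity mapping cannot tie to a person."""
    badge_to_person, account_to_person = build_index()

    # Earliest granted badge entry per (person, day).
    first_entry = {}
    for e in parse(badge_log, BADGE_RE):
        if e["result"] != "GRANTED":
            continue
        person = badge_to_person.get(e["badge"])
        if person is None:
            continue
        key = (person, e["ts"].date())
        if key not in first_entry or e["ts"] < first_entry[key]:
            first_entry[key] = e["ts"]

    findings = []
    for e in parse(logon_log, LOGON_RE):
        if e["result"] != "SUCCESS" or not e["src"].startswith(INTERNAL_PREFIX):
            continue  # only successful on-site logons are compared against badge data
        person = account_to_person.get(e["user"])
        if person is None:
            # Exactly the "lost context" case: no way to take this event back to a person.
            findings.append(("UNMAPPED_ACCOUNT", e["user"], e["ts"].isoformat()))
            continue
        entry = first_entry.get((person, e["ts"].date()))
        if entry is None or entry > e["ts"]:
            findings.append(("LOGON_WITHOUT_BADGE_IN", person, e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for f in correlate():
        print(f)
```

In the sample data, rlee logs on from the LAN after a denied badge read and jdoe logs on after a granted one, so only rlee's logon is flagged; the service account is reported separately because the mapping layer has no person for it, which is the gap the quote above describes.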

Silos Of Identity

However, identifying an individual user in an enterprise is not as easy as it sounds. Users almost always are known to various systems, applications and even doors by different IDs and passwords, all stored in separate databases ranging from the payroll system to physical security system to the company cafeteria’s stored value payment system.

When Pelco, a video management firm based in Clovis, Calif., was implementing its internal access control solution, the company realized it had key identifying data about employees in eight different databases. “It definitely would have been easier to have one source,” said Dan O’Malley, senior product manager at the firm.

That single source idea will probably remain as elusive as the Holy Grail, however.

“We haven’t run into a single company with one authoritative source of identity data,” IBM’s Anthony said.

Map Making

Yet correlating all the important permutations, or metadata, related to a single person’s identity is critical to effective IAM. Instead of trying to create a single, centralized database of all relevant ID and access information, vendors and clients turn to data mapping.

Mapping correlates scattered ID and access metadata about an individual without requiring changes in underlying databases.

“You need to link the databases to create one view of the person,” Ball said. Security solutions must then be able to recognize and authenticate that view.

Ensuring that access right changes made to one or more authoritative data sources propagate to other key access control points, logical or physical, also is critical.
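The mapping approach in this section, and the propagation requirement just stated, can be made concrete with a small model: several silo databases that each know a person by a different key, a link table maintained by IAM, a function that assembles one view of the person without touching the silos, and a function that turns a change in the authoritative HR record into the actions each connected system must take. This is an added example, not code from the article or from any vendor in it; every database, key, department entitlement and the contractor-only badge record is constructed for illustration.

```python
# Constructed silo data (not from the article). Each system knows the same
# person by its own key; the mapping layer never modifies these records.
HR_DB = {          # authoritative source for employment status and department
    "E-1001": {"name": "Jane Doe", "dept": "Finance", "status": "active"},
    "E-1002": {"name": "Alan Smith", "dept": "Engineering", "status": "active"},
}
DIRECTORY_DB = {   # network accounts and group memberships
    "jdoe": {"groups": ["staff", "finance-share"]},
    "asmith": {"groups": ["staff", "eng-share"]},
}
BADGE_DB = {       # physical access control system
    "B-4471": {"holder": "Doe, Jane", "areas": ["lobby", "finance-floor"], "active": True},
    "B-2210": {"holder": "Smith, Alan", "areas": ["lobby", "lab"], "active": True},
    "B-7700": {"holder": "Vendor Tech", "areas": ["lobby", "datacenter"], "active": True},
}
CAFETERIA_DB = {   # stored-value payment system
    "C-88": {"balance": 12.50},
    "C-91": {"balance": 3.00},
}

# The mapping layer: one row per person linking the silo keys. This table is the
# only thing IAM maintains. P3 is a contractor known only to the badge system,
# the case where identity data lives in the physical access system alone.
LINKS = [
    {"person": "P1", "hr": "E-1001", "account": "jdoe", "badge": "B-4471", "cafeteria": "C-88"},
    {"person": "P2", "hr": "E-1002", "account": "asmith", "badge": "B-2210", "cafeteria": "C-91"},
    {"person": "P3", "hr": None, "account": None, "badge": "B-7700", "cafeteria": None},
]

# Constructed entitlements: network groups and physical areas per department.
ENTITLEMENTS = {
    "Finance": {"groups": {"staff", "finance-share"}, "areas": {"lobby", "finance-floor"}},
    "Engineering": {"groups": {"staff", "eng-share"}, "areas": {"lobby", "lab"}},
}


def _link(person):
    return next(l for l in LINKS if l["person"] == person)


def unified_view(person):
    """Assemble one view of a person by reading every silo through its link row."""
    link = _link(person)
    return {
        "person": person,
        "hr": HR_DB.get(link["hr"]),
        "groups": DIRECTORY_DB.get(link["account"], {}).get("groups", []) if link["account"] else [],
        "badge": BADGE_DB.get(link["badge"]),
        "cafeteria_balance": CAFETERIA_DB.get(link["cafeteria"], {}).get("balance") if link["cafeteria"] else None,
    }


def propagate(person, hr_change):
    """Translate a change in the authoritative HR record into per-system actions.

    A termination revokes everything the person is linked to; a department change
    reconciles groups and areas against the new department's entitlements."""
    link = _link(person)
    actions = []
    if hr_change.get("status") == "terminated":
        if link["account"]:
            actions.append(("directory", "disable_account", link["account"]))
        if link["badge"]:
            actions.append(("badge", "deactivate", link["badge"]))
        if link["cafeteria"]:
            actions.append(("cafeteria", "close_account", link["cafeteria"]))
        return actions
    if "dept" in hr_change:
        wanted = ENTITLEMENTS[hr_change["dept"]]
        current = unified_view(person)
        have_groups = set(current["groups"])
        have_areas = set(current["badge"]["areas"]) if current["badge"] else set()
        for g in sorted(wanted["groups"] - have_groups):
            actions.append(("directory", "add_group", g))
        for g in sorted(have_groups - wanted["groups"]):
            actions.append(("directory", "remove_group", g))
        for a in sorted(wanted["areas"] - have_areas):
            actions.append(("badge", "grant_area", a))
        for a in sorted(have_areas - wanted["areas"]):
            actions.append(("badge", "revoke_area", a))
    return actions


if __name__ == "__main__":
    print(unified_view("P3"))
    print(propagate("P1", {"status": "terminated"}))
    print(propagate("P1", {"dept": "Engineering"}))
```

The department-change branch removes the old entitlements as well as adding the new ones, which is the "rule changes don't happen cleanly" risk from the previous section; the termination branch is the lifecycle end-point where a stale physical or logical right is most costly.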

“A lot of data resides in the physical access system,” said Tom Hartman, global partner executive at Novell in Waltham, Mass. This includes information about vendors, auditors, contractors and visitors that might not be found in any other enterprise system. “Data needs to flow in both directions.”

“You can start to link all those disparate silos of identity for security, audits and convenience,” Hogan said. “We can then put a converged access policy around that to bring in the value of physical access and network access control systems.”

Slow Progress

Despite its apparent benefits, integration of physical and logical access control has been slower than expected, and integration of both with IAM slower still, some vendors say.

Integration costs and complexity are two key reasons why, says Sean Kline, director of the identity and access assurance group for RSA, the security division of EMC.

He cites putting digital certificates onto smart cards and then verifying them as one integration task that’s turned out to be more complicated and expensive than generally anticipated.

He and other sources also say physical and logical access security often are still handled by different internal organizations, making it hard to achieve an overarching integration strategy.

IBM has been able to integrate provisioning at application, network and card management levels for about four years but has seen very few deployments, Anthony said.

Lack of convergent thinking outside of the CIO’s office is the obstacle he’s identified. “There needs to be a lot more pushing from the top down,” he said, noting that departments below the CIO level are not sharing technology, infrastructure or ideas.

For example, physical and logical access control systems that should draw data from human resources systems often don’t, Shaw of Quest said. “That’s partly because physical security teams haven’t thought of interoperability on the data level as important,” he said.

Physical security teams aren’t always comfortable sharing the information within their access databases with other departments and databases, said Steve Van Till, president and CEO of Brivo Systems, Bethesda, Md. Yet IT departments increasingly see security databases as just one more source of ID information to be managed by the standards the IT shop adopts.

“It needs its set of identities managed just like any other database,” Van Till said.

IT also needs to be comfortable sharing network resources with security applications.

“For our product to perform well, the IT director has to buy in,” said Mohsen Hekmatyar of Digital Horizon Solutions in Frisco, Texas, which offers .NET-based access control solutions built on converged logical and physical security capabilities.

Some vendors say the bigger obstacle to converged IAM and access control is less about IT and physical security domains and more about the need to break down traditional walls among departments and business units to create comprehensive IAM solutions. Compliance requirements are accelerating these efforts, vendors say.

“Companies can be aggressive in their thinking” about how convergence can improve compliance while driving down administration and operations costs, Anthony said. “They will be pioneers in deployment, but the technology is not that hard to link.”

About the Author

Sharon J. Watson is a freelance journalist based in Sugar Land, Texas.
