Access Meets Identity

Just a few short years ago, physical access control was mainly about who could go through what doors, while logical access control focused on who got on the corporate network and into data.

Then, as more Internet protocol-based physical security devices, such as card readers and video cameras, became available, the convergence of physical and logical access control became possible. The classic example is of an employee unable to access the corporate network unless he swipes his ID card at the entrance.

Now access control, converged or not, is poised to become a key cog in a broader corporate strategy known as identity and access management. IAM, which is a largely software-oriented domain, encompasses identity lifecycle management.

That means enrolling employees, provisioning their rights to the enterprise network, applications, data and, potentially, facilities, then managing those rights as they change and terminating them when employment ends.

It’s in this IAM space that even more opportunity for convergence is possible: that of physical and logical access control along with identity. It’s a discussion occurring in companies of all sizes and across industries, though medium and larger enterprises are more likely to put money behind the concept, vendors say.

“More companies want to integrate at the identity level with building and remote access,” said Geoff Hogan, senior vice president, business development and product management/marketing, at Imprivata in Lexington, Mass.

“Companies are looking to link all the component parts and identify a person in a secure, convenient manner,” said Anthony Ball, global vice president of sales and marketing for IAM at HID Global in Irvine, Calif.

Compliance is a strong force behind IAM, as is a growing understanding that insider malfeasance can be more costly than external attacks. To pass audits and protect themselves, enterprises now must monitor their employees’ physical and logical movements.“Companies want more security inside their firewalls,” Hogan said.

Yet enterprises want IAM to be relatively transparent to their users and ensure IAM tools and strategies don’t create obstacles to efficiency. “In the modern arena, you’ve got to make that easier for people to navigate,” Ball said.

Controlled Convenience

Converged physical and logical access control can offer that convenience, enabling employees to use one device to enter a facility as well as the network and applications.

Such systems can be flexible, with access rules based on context. Low-risk areas or less sensitive data files might require one authentication factor, while two or more factors could be required to enter data centers or certain financial files.

Yet granting access based on a person’s physical presence, denoted by a card swipe or fingerprint read, and a second factor, such as a password, is all for naught if the system doesn’t know the person should no longer have access to certain facilities or files.

That’s where forward-thinking companies want IAM and traditional access control to meet, vendors say. Managing physical and logical access rights throughout the identity lifecycle is critical to security. As job titles and responsibilities change, people may need access to new applications or data, while access to other file servers, databases or facilities is restricted.

“This is an area where you see a lot of security risks if rule changes don’t happen cleanly,” said Jackson Shaw, senior director, product management, at Quest Software in Alieso Viejo, Calif.

Further, correlating access data across various software and physical domains can give a complete view of individual actions as well as patterns of behavior to help companies identify potential problems, says Joe Anthony, the Austin, Texas-based program director of security and compliance management for IBM Tivoli Software, Armonk, N.Y.

That correlation is nearly impossible to achieve if logical and physical systems are not integrated with each other or to IAM. “If you can’t take the data back to the individual user, you lose a lot of context,” Anthony said.

Silos Of Identity

However, identifying an individual user in an enterprise is not as easy as it sounds. Users almost always are known to various systems, applications and even doors by different IDs and passwords, all stored in separate databases ranging from the payroll system to physical security system to the company cafeteria’s stored value payment system.

When Pelco, a video management firm based in Clovis, Calif., was implementing its internal access control solution, the company realized it had key identifying data about employees in eight different databases. “It definitely would have easier to have one source,” said Dan O’Malley, senior product manager at the firm.

That single source idea will probably remain as elusive as the Holy Grail, however.

“We haven’t run into a single company with one authoritative source of identity data,” IBM’s Anthony said.

Map Making

Yet correlating all the important permutations, or metadata, related to a single person’s identity is critical to effective IAM. Instead of trying to create a single, centralized database of all relevant ID and access information, vendors and clients turn to data mapping.

Mapping correlates scattered ID and access metadata about an individual without requiring changes in underlying databases.

“You need to link the databases to create one view of the person,” Ball said. Security solutions then must then be able to recognize and authenticate that view.

Ensuring that access right changes made to one or more authoritative data sources propagate to other key access control points, logical or physical, also is critical.

“A lot of data resides in the physical access system,” said Tom Hartman, global partner executive at Novell in Waltham, Mass. This includes information about vendors, auditors, contractors and visitors that might not be found in any other enterprise system. “Data needs to flow in both directions.”

“You can start to link all those disparate silos of identity for security, audits and convenience,” Hogan said. “We can then put a converged access policy around that to bring in the value of physical access and network access control systems.”

Slow Progress

Despite its apparent benefits, integration of physical and logical control has been slower than expected, let alone that with IAM, say some vendors.

Integration costs and complexity are two key reasons why, says Sean Kline, director of the identity and access assurance group for RSA, the security division of EMC.

He cites putting digital certificates onto smart cards and then verifying them as one integration task that’s turned out to be more complicated and expensive than generally anticipated.

He and other sources also say physical and logical access security often are still handled by different internal organizations, making it hard to achieve an overarching integration strategy.

IBM has been able to integrate provisioning at application, network and card management levels for about four years but has seen very few deployments, Anthony said.

Lack of convergent thinking outside of the CIO’s office is the obstacle he’s identified. “

There needs to be a lot more pushing from the top down,” he said, noting that departments below the CIO level are not sharing technology, infrastructure or ideas.

For example, physical and logical access control systems that should draw data from human resources systems often don’t, Shaw of Quest said. “That’s partly because physical security teams haven’t thought of interoperability on the data level as important,” he said.

Physical security teams aren’t always comfortable sharing the information within their access databases with other departments and databases, said Steve Van Till, president and CEO of Brivo Systems, Bethesda, Md. Yet IT departments increasingly see security databases as just one more source of ID information to be managed by the standards the IT shop adopts.

“It needs its set of identities managed just like any other database,” Van Till said.

IT also needs to be comfortable sharing network resources with security applications.

“For our product to perform well, the IT director has to buy in,” said Mohsen Hekmatyar for Digital Horizon Solutions in Frisco, Texas, which offers .NET-based access control solutions built on converged logical and physical security capabilities.

Some vendors say the bigger obstacle to converged IAM and access control is less about IT and physical security domains and more about the need to break down traditional walls among departments and business units to create comprehensive IAM solutions. Compliance requirements are accelerating these efforts, vendors say.

“Companies can be aggressive in their thinking” about how convergence can improve compliance while driving down administration and operations costs, Anthony said. “They will be pioneers in deployment, but the technology is not that hard to link.”

About the Author

Sharon J. Watson is a freelance journalist based in Sugar Land, Texas.

Featured

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3