Access Meets Identity

Just a few short years ago, physical access control was mainly about who could go through what doors, while logical access control focused on who got on the corporate network and into data.

Then, as more Internet protocol-based physical security devices, such as card readers and video cameras, became available, the convergence of physical and logical access control became possible. The classic example is of an employee unable to access the corporate network unless he swipes his ID card at the entrance.

Now access control, converged or not, is poised to become a key cog in a broader corporate strategy known as identity and access management. IAM, which is a largely software-oriented domain, encompasses identity lifecycle management.

That means enrolling employees, provisioning their rights to the enterprise network, applications, data and, potentially, facilities, then managing those rights as they change and terminating them when employment ends.

It’s in this IAM space that even more opportunity for convergence is possible: that of physical and logical access control along with identity. It’s a discussion occurring in companies of all sizes and across industries, though medium and larger enterprises are more likely to put money behind the concept, vendors say.

“More companies want to integrate at the identity level with building and remote access,” said Geoff Hogan, senior vice president, business development and product management/marketing, at Imprivata in Lexington, Mass.

“Companies are looking to link all the component parts and identify a person in a secure, convenient manner,” said Anthony Ball, global vice president of sales and marketing for IAM at HID Global in Irvine, Calif.

Compliance is a strong force behind IAM, as is a growing understanding that insider malfeasance can be more costly than external attacks. To pass audits and protect themselves, enterprises now must monitor their employees’ physical and logical movements.“Companies want more security inside their firewalls,” Hogan said.

Yet enterprises want IAM to be relatively transparent to their users and ensure IAM tools and strategies don’t create obstacles to efficiency. “In the modern arena, you’ve got to make that easier for people to navigate,” Ball said.

Controlled Convenience

Converged physical and logical access control can offer that convenience, enabling employees to use one device to enter a facility as well as the network and applications.

Such systems can be flexible, with access rules based on context. Low-risk areas or less sensitive data files might require one authentication factor, while two or more factors could be required to enter data centers or certain financial files.

Yet granting access based on a person’s physical presence, denoted by a card swipe or fingerprint read, and a second factor, such as a password, is all for naught if the system doesn’t know the person should no longer have access to certain facilities or files.

That’s where forward-thinking companies want IAM and traditional access control to meet, vendors say. Managing physical and logical access rights throughout the identity lifecycle is critical to security. As job titles and responsibilities change, people may need access to new applications or data, while access to other file servers, databases or facilities is restricted.

“This is an area where you see a lot of security risks if rule changes don’t happen cleanly,” said Jackson Shaw, senior director, product management, at Quest Software in Alieso Viejo, Calif.

Further, correlating access data across various software and physical domains can give a complete view of individual actions as well as patterns of behavior to help companies identify potential problems, says Joe Anthony, the Austin, Texas-based program director of security and compliance management for IBM Tivoli Software, Armonk, N.Y.

That correlation is nearly impossible to achieve if logical and physical systems are not integrated with each other or to IAM. “If you can’t take the data back to the individual user, you lose a lot of context,” Anthony said.

Silos Of Identity

However, identifying an individual user in an enterprise is not as easy as it sounds. Users almost always are known to various systems, applications and even doors by different IDs and passwords, all stored in separate databases ranging from the payroll system to physical security system to the company cafeteria’s stored value payment system.

When Pelco, a video management firm based in Clovis, Calif., was implementing its internal access control solution, the company realized it had key identifying data about employees in eight different databases. “It definitely would have easier to have one source,” said Dan O’Malley, senior product manager at the firm.

That single source idea will probably remain as elusive as the Holy Grail, however.

“We haven’t run into a single company with one authoritative source of identity data,” IBM’s Anthony said.

Map Making

Yet correlating all the important permutations, or metadata, related to a single person’s identity is critical to effective IAM. Instead of trying to create a single, centralized database of all relevant ID and access information, vendors and clients turn to data mapping.

Mapping correlates scattered ID and access metadata about an individual without requiring changes in underlying databases.

“You need to link the databases to create one view of the person,” Ball said. Security solutions then must then be able to recognize and authenticate that view.

Ensuring that access right changes made to one or more authoritative data sources propagate to other key access control points, logical or physical, also is critical.

“A lot of data resides in the physical access system,” said Tom Hartman, global partner executive at Novell in Waltham, Mass. This includes information about vendors, auditors, contractors and visitors that might not be found in any other enterprise system. “Data needs to flow in both directions.”

“You can start to link all those disparate silos of identity for security, audits and convenience,” Hogan said. “We can then put a converged access policy around that to bring in the value of physical access and network access control systems.”

Slow Progress

Despite its apparent benefits, integration of physical and logical control has been slower than expected, let alone that with IAM, say some vendors.

Integration costs and complexity are two key reasons why, says Sean Kline, director of the identity and access assurance group for RSA, the security division of EMC.

He cites putting digital certificates onto smart cards and then verifying them as one integration task that’s turned out to be more complicated and expensive than generally anticipated.

He and other sources also say physical and logical access security often are still handled by different internal organizations, making it hard to achieve an overarching integration strategy.

IBM has been able to integrate provisioning at application, network and card management levels for about four years but has seen very few deployments, Anthony said.

Lack of convergent thinking outside of the CIO’s office is the obstacle he’s identified. “

There needs to be a lot more pushing from the top down,” he said, noting that departments below the CIO level are not sharing technology, infrastructure or ideas.

For example, physical and logical access control systems that should draw data from human resources systems often don’t, Shaw of Quest said. “That’s partly because physical security teams haven’t thought of interoperability on the data level as important,” he said.

Physical security teams aren’t always comfortable sharing the information within their access databases with other departments and databases, said Steve Van Till, president and CEO of Brivo Systems, Bethesda, Md. Yet IT departments increasingly see security databases as just one more source of ID information to be managed by the standards the IT shop adopts.

“It needs its set of identities managed just like any other database,” Van Till said.

IT also needs to be comfortable sharing network resources with security applications.

“For our product to perform well, the IT director has to buy in,” said Mohsen Hekmatyar for Digital Horizon Solutions in Frisco, Texas, which offers .NET-based access control solutions built on converged logical and physical security capabilities.

Some vendors say the bigger obstacle to converged IAM and access control is less about IT and physical security domains and more about the need to break down traditional walls among departments and business units to create comprehensive IAM solutions. Compliance requirements are accelerating these efforts, vendors say.

“Companies can be aggressive in their thinking” about how convergence can improve compliance while driving down administration and operations costs, Anthony said. “They will be pioneers in deployment, but the technology is not that hard to link.”

About the Author

Sharon J. Watson is a freelance journalist based in Sugar Land, Texas.

Featured

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.