Extending Trust And Security

Today, most organization officials understand they can use their IP network to connect physical security devices together. In some cases, the capital and operational cost savings from using a single communications infrastructure is enough to motivate them. But for others, further justification and additional benefits may be needed to drive convergence between the physical and the cyber worlds. And, most security and IT groups will also want to ensure the integrity of their respective systems and all data that may be shared between them.

The good news is there is a set of existing standards, created by the Trusted Computing Group (TCG), which has more than 100 members, which will secure both data and networked devices, as well as provide value by solving two common problems that virtually all organizations have:

  • Do you know who followed your employees through the door today?
  • Are your employees at their computers or have they left them unattended, exposing your network and other assets to a potential security breach?

A True Convergence
Most groups will acknowledge that these two common problems can lead to big headaches, such as theft of physical and logical (intellectual property, financial and customer data) assets, as well as corporate and/or regulatory compliance lapses. Unfortunately, most organizations have disparate policies and approaches to physical and cyber security, and with no employee incentive, organizations are simply hoping employees will police themselves and others.

Using TCG’s open Trusted Network Connect architecture and standards-based IF-MAP (which refers to Interface Metadata Access Protocol) suite can help solve these very real problems. Hirsch Electronics, Juniper Networks and Infoblox have teamed up to show how to close this gap in organizational security and to incentivize employees to follow applicable policies.

The result is a true convergence of physical access control security and network access control security where physical presence in a given location becomes a policy for granting or denying network access.

Here is how this works: an employee must “badge-in” at the door in order to get network access. Otherwise, the employee will be denied network access and will be required to make a trip back to a physical security credential reader before they will be granted network access. The same goes for exiting a building, if the employee requires network access via a Virtual Private Network connection, they must “badge out”.

In more technical terms, Hirsch’s Velocity PAC system uses IF-MAP to encrypt and transmit relevant access control event information (such as an authenticated user admitted to, or exited from, a building or particular zone) to a network-based clearinghouse for “metadata”. In turn, this clearinghouse uses IF-MAP to provide other trusted network devices, on a subscription-basis, with requested data about network events or, now, physical security events. These trusted devices then use this event data to make policy-based decisions as to what network resources a user can access based upon their physical location.

The whole concept is similar to social networking (like Twitter) for networked devices. Some devices “tweet” and other devices are listening for those “tweets.”

Figure 1: The Metadata Clearinghouse and Policy Decision-making Functions Can be Either Collapsed as Above or Discretely Implemented as Two Scalable Network Devices.

Trust-Based Architecture
By deploying this capability in their own physical and network security systems, organizations can safely share information between these two worlds and take comfort in knowing that these network devices are part of a trust-based architecture supported by leading IT and physical security companies. Furthermore, a wide range of additional policy-based network actions could be implemented in response to a physical or building system event.

For instance, since other building systems are interconnected to the access control system, such as the Hirsch Velocity server, those events can also be passed along to the network metadata clearinghouse supported by both Juniper and Infoblox. Such events can alert the network to a fire in the datacenter. In turn, the network, using the Juniper policy server, could respond by re-routing network traffic to a back-up datacenter.

The benefits for this type of convergence are multi-fold. At a minimum, by requiring employees to badge-in prior to gaining network access, organizations should see a significant reduction in “tailgating.” As a result, organizations will have more confidence in exactly who is inside their buildings at any given time; this is particularly important in the event of an emergency.

From a network security perspective, this solution adds yet another layer of protection to the network and its resources. Data theft and leakage from unattended PCs can be reduced. Fraudulent toll or fee-based charges from unauthorized IP phone usage can be decreased. And the illegitimate use of an employee’s username and password can be more easily detected and mitigated. For example, if the employee is in the building, but someone attempts to use his log-on information from somewhere else, the network will immediately recognize and respond to the policy violation with a network access denial, email notification, and even require a new password to be created.

And finally, organizations will not only have plugged a gap that has existed in their security policies, they will have the tool to better correlate physical and logical actions and flag possible “out of policy” events that can be an indicator of a compliance lapse. Thus, they will be able to demonstrate better control and policy enforcement during compliance audits including those for financial, corporate governance or healthcare/identity protection.

The Trusted Computing Group’s IF-MAP delivers on the real promise of network convergence. Not by simply sharing a network infrastructure, but by sharing information in new ways to enhance both physical and cyber security.

This open, standards-based protocol enables all adopting vendors to enable secure, trust-based communications among any sort of devices on the network. As a result, administrators can implement new policies which enhance both physical and network security and compliance, as well as track activity and set policies to monitor and quarantine such devices -- or take other action. Additionally, this capability helps to maximize every organization’s physical security and network infrastructure return on investment, which is particularly important in these challenging times.

About the Author

Bob Beliles is the senior manager for physical security market management at Cisco.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3