Industry Insight: Developing a United Front

Physical and IT security strategies have functioned independently of each other for a long time, but pressure to unify them is mounting. While both security strategies are critical to the overall safety of a business, the gap generated between the two security disciplines makes enterprises vulnerable to attack. Anxious to fill the breach, managers and organizational leaders are working to correct this problem and they are looking to the security industry for a remedy that makes sense.

The importance of bridging the physical and IT security chasm presents the security industry with an opportunity to learn and adopt integrated practices that will grow business and add value to their customer base. Manufacturers, consultants and integrators must address today's need for convergence if they expect to compete in tomorrow's broader security industry.

How Does Access Control Fit In?

The convergence initiative to date has focused on using a single credential for authentication to the physical and network security systems. A token issued with the security credentials for the access control system to validate building entry can double as the IT credential. A token certificate supplies the authentication data that the IT security systems use for the network.

The best vendors and integrators will enable organizations to adopt this dual approach to authentication technology while building on the investments already made in the physical security infrastructure. As a result, organizations can:

  • Adopt convenient and secure dual-purpose credentials to access facilities and IT systems.
  • Maximize security by ending casual access to sensitive locations and resources.
  • Enable legacy IT applications to accept a new authentication method.
  • Reduce help desk costs and work hours lost resulting from missing or forgotten passwords.

The single-credential approach can be time- and cost-effective within the IT area of an organization. It can eliminate the need for employees with redundant jobs, such as maintaining the same data for different applications. Moreover, it can physically authenticate access to network applications and increase an organization's ability to monitor employee activity. Businesses will have the ability to tie operational processes to security by using the same credential for application and network authentication.

Another advantage of the single credentialing system is the physical validation of the end user for IT security purposes. In the physical security world, there is a security staff member on hand to issue that first credential and validate that the employee is real and present. With IT credentials, often created by other programs, users may not always be "real." The obvious problem is that there is no one to validate whether the issued credential is being given to an authorized user. Requiring credentials to be issued physically rather than virtually strengthens network security and provides the IT community with a simple solution to one of its chief security issues.

Provisioning: Who's in Charge?

Provisioning is the practice of automatically issuing a user all the credentials, rights and roles on all or many of the company's servers and systems. Managing this process is one of the biggest challenges organizations face. Product vendors and dealers familiar with this architecture can add a great deal of value to a business when helping validate these credentials.

Typically, provisioning begins with the HR server or employee database. An effective process enables bi-directional communications between the HR system and the security system. When a new employee is created in the system, the credential information passes from one system to the other. The privileges and roles of these credentials can have a significant impact on a business' security. Having a security staff member at the end of the process to validate the cardholder as a real and authorized person is much more powerful than any electronic process with no human intervention. Yet this kind of collaboration between IT, physical security and HR can cause conflict within the organization.

Physical security personnel have a duty as a part of the overall security force to know the IT technologies that extend beyond their standard systems. Expanding their understanding steps up the level of security throughout the enterprise and is one of the strongest reasons for integrating physical and IT security.

Enterprise Security Management

Security event management platforms pose another issue that concerns many enterprise customers. Many access control systems offer the ability to construct events from multiple vantage points in the security infrastructure. Monitoring intrusion and fire events, video, asset activity, and paging and phone systems is part and parcel of a state-of-the-art security system. Simply having such a platform at this time is an achievement. And still, the market often wants more.

A similar paradigm exists in the IT world. A security management system for IT gathers information from firewalls, anti-virus and intrusion detection applications, and a variety of non-security-related hardware and software on the network. This infrastructure is fast-moving and has many data points, as does the physical security infrastructure. However, the volume of event data that needs to be managed on the IT side is exponentially larger. Thousands of invalid access attempts for a single program can occur in nanoseconds.

Because of this volume, the IT industry has created tools such as IBM's Tivoli, Hewlett-Packard's OpenView and Computer Associates' eTrust Security Command Center. These tools serve both management and security purposes and, as such, are key to integrating physical and IT security. Integration tends to hit a snag, however, when event data is transferred from physical security into the IT security management system. The answer is to normalize this event data and create a common protocol for sharing it among all security systems.
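To make the normalization idea concrete, the sketch below is an added example and not code from the article or from any vendor named in it. It maps a constructed badge-reader log and a constructed IT login log onto one event schema, then relates the two to flag network logins by users who are not badged in. Both log formats, the card-to-account table and all function names are assumptions, and every login is assumed to come from an on-site workstation.

```python
from datetime import datetime

# Constructed sample data: neither format comes from a real product.
BADGE_LOG = """\
2005-01-10 08:02:11|DOOR-LOBBY|card=10442|GRANTED|IN
2005-01-10 12:15:40|DOOR-LOBBY|card=10442|GRANTED|OUT
2005-01-10 08:30:05|DOOR-LOBBY|card=10977|DENIED|IN
"""
AUTH_LOG = """\
2005-01-10T09:14:03 host=ws-114 user=jdoe result=success
2005-01-10T13:05:27 host=ws-114 user=jdoe result=success
2005-01-10T09:40:00 host=ws-201 user=asmith result=success
"""
# Assumed identity link from provisioning: card number -> network account.
CARD_TO_USER = {"10442": "jdoe", "10977": "asmith"}

def normalize_badge(line):
    ts, door, card, outcome, direction = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "domain": "physical", "user": CARD_TO_USER.get(card.split("=")[1]),
            "asset": door, "action": "entry" if direction == "IN" else "exit",
            "success": outcome == "GRANTED"}

def normalize_auth(line):
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "domain": "it", "user": kv["user"], "asset": kv["host"],
            "action": "login", "success": kv["result"] == "success"}

def merged_timeline(badge_text, auth_text):
    events = [normalize_badge(l) for l in badge_text.splitlines() if l]
    events += [normalize_auth(l) for l in auth_text.splitlines() if l]
    return sorted(events, key=lambda e: e["ts"])

def logins_without_presence(events):
    """Flag successful on-site logins by users not currently badged in."""
    inside, findings = set(), []
    for e in events:
        if not e["success"]:
            continue  # denied badge reads and failed logins change nothing
        if e["domain"] == "physical":
            (inside.add if e["action"] == "entry" else inside.discard)(e["user"])
        elif e["user"] not in inside:
            findings.append((e["ts"].isoformat(), e["user"], e["asset"]))
    return findings

if __name__ == "__main__":
    print(logins_without_presence(merged_timeline(BADGE_LOG, AUTH_LOG)))
```

On the sample data, the two flagged logins are one by an account whose card was denied at the door and one made after the cardholder had badged out.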

Wanted: Commitment to Interoperability

Sooner, rather than later, decision-making executives will adopt a policy of convergence as they continue to face the following trials and pain points:

  • Inability to centrally manage physical access control systems from different vendors
  • Incompatibilities between building access hardware tokens and IT access tokens
  • Inability during forensic investigation to relate building access logs to IT logs
  • Limited situational awareness because no monitoring system can provide a coordinated view of physical and IT attacks
  • Inability to apply business logic to security event data when it comes from multiple sources (physical and IT)
  • Inability to fully coordinate cardholder lifecycle management for cardholders across multiple credentialing systems

As enterprise security executives continue to see these problems, they will seek solutions and services provided by integrators and technology providers who are committed to interoperability. There will quickly be a dramatic shift to the vendors and integrators whose solutions promote organizational and technical integration between the physical and IT worlds in order to maximize security while cutting operating costs. Solutions that meet these needs will not only improve security for businesses but also enhance the security of our nation and our world.

Customers will seek systems integrators offering technologies that convey an integrated security approach. The established manufacturers, consultants and integrators who have demonstrated proven product reliability and first-class customer service over the years will be the first choice. The security industry at all levels must develop products and adopt practices that promote an integrated approach to security in order to fill immediate customer needs.

Looking Forward

We've witnessed the inauguration of several groups dedicated to standardizing processes and applications and thereby ensuring the products, policies and procedures needed for complete and successful security are available to any company, vendor or customer who requires them. One such group, the Open Security Exchange, has formed a consortium of companies and is developing a generic set of standards to alleviate the burdens of the two security disciplines.

In the next few months, the OSE will publish documents to raise awareness about the needs of the physical and IT security industries. While not the final answer to those needs, these documents will help create better security offerings and fill the gaps left by current practice. New members have joined the OSE over the past few months, and many more are expected, establishing an organization governed by the needs of those who use and rely on security technology, as well as those who provide it.

Originally Published:
January 2005, Security Products