If someone can't steal information by hacking into a computer system, maybe that person can steal the computers.

Last August, two men with hand-trucks appeared at the security desk in the lobby of the data center at Sydney Airport in Australia. They signed in as representatives of the airport's outsourced computer company, rode the elevator to the third floor and entered the customs division's mainframe computer room. Over the next two hours, they disconnected two hefty computers and unbolted them from the floor. Then they dragged the computers onto the hand-trucks, wheeled them into the elevator, returned to the first floor, and rolled them out of the building.

Assuming that some kind of major repair was in progress, the airport's security officers watched a brazen daylight theft of stunning proportions. The computers contained high-security files assembled by customs investigators, the federal police and Australia's domestic spy agency.

“This was the most significant theft of crucial information that has ever taken place on the planet,” says Sal D'Agostino, vice president of CoreStreet Ltd., Cambridge, Mass. “It wasn't because the airport's logical security wasn't world class, it was because physical security wasn't on par. You cannot have a weak link or lowest common denominator in enterprise security. You have to have equilibrium.”

The incident in Sydney illustrates the critical interdependence of physical and logical security systems, systems that have evolved separately over the years, often to the frustration of end-users like the Sydney Airport.

Awakening an industry

In recent years, the security industry has begun to awaken to the problem of uncoordinated physical and IT security.

Consultants are studying the problematic connection between physical and logical security. “You have IT security people and physical security people pursuing different goals — this is not something we can continue to ignore,” says Christopher Grniet, AIA, an associate vice president with New York-based Kroll Inc.'s security services practice.

Individual companies have taken up the cause. Lenel Systems International Inc. of Rochester, N.Y., has linked physical and IT security with OnGuard OpenIT, a product that enables system administrators to develop scripts and applications that allow security events to trigger appropriate actions within the IT domain and vice versa.

“There are lots of attempts to standardize technology today,” says Robert Cizmadia, vice president of global security services with Gage-Babcock and Associates, Chantilly, Va. “The goal is to open up the architecture. This is very important to end-users, especially those with out-of-date technology. They are looking for plug-and-play solutions.”

The Open Security Exchange

In one of the most comprehensive industry initiatives, four security technology providers joined forces last year to create the Open Security Exchange (OSE), a physical and logical security management think tank. OSE develops white papers that recommend technical interoperability and other specifications to standards groups such as IEEE-ISTO. The organization also develops white papers that promote best practices for security professionals.

The four founding members of OSE are Computer Associates International Inc. of Islandia, N.Y.; Luxembourg-based Gemplus International, SA; HID Corp. of Irvine, Calif.; and Software House of Lexington, Mass.

In the year since OSE's founding, the organization has attracted seven contributing members and created an advisory board representing users of physical and logical security technology.

“We're interested in OSE because it is serious about letting end-users know that the convergence of physical and logical security is a real option today,” D'Agostino says.

Convergence: The bridge between two worlds of security

The term convergence has come to mean the physical and logical security contributions to the solution of a single security problem, says Laurie Aaron, director of strategic sales with Software House.

OSE's first white paper, issued last April, took aim at the convergence issue. Produced through collaboration among OSE's four founding members, “Physical Security Bridge to IT Security: PHYSBITS” proposes a framework for enabling physical and logical security technologies to interoperate, no matter whose logo is on the various pieces of the systems.

Conceived as the first of a series of papers on the technical details of convergence, PHYSBITS describes the broad outlines of how separate technical systems can exchange data without compromising security.

If vendors can hammer out the technical details necessary to move relevant data from, say, human resource systems to physical and logical access control systems, end-users will save both time and money, says Debra Spitler, a vice president with ASSA ABLOY's Identification Technology Group, the parent company of HID.

When a new employee is hired, for example, a human resource manager enters that person's name into an enterprise database. Next, the person must visit the physical security department, have a picture taken, get an access card and establish access privileges. Then it's off to the IT department, which sets the person up with a password and determines where on the network he or she can go. When the employee quits, the registration process repeats itself, but in reverse. In between being hired and quitting, the employee will occasionally arrive at work having forgotten his or her physical access card and password. Security has to issue a temporary pass. The help desk has to look up the person's password. And the employee has to waste time doing all of this.

Converged physical and IT security systems aim to reduce the time spent carrying out such administrative tasks. “I get hired by HR, and HR populates a database that can now automatically populate the access control and IT databases,” Spitler says. “When a person quits, HR stops paychecks and turns off access privileges to the company's doors and computer network.”

“It's easier, faster, cheaper,” Aaron of Software House adds.
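The HR-driven flow described above, as an added example that is not taken from the article or from any OSE document: the HR record is treated as the single source of truth, a reconciliation pass reports where the door and network systems disagree with it, and a second pass revokes both kinds of access together. The record layouts, identifiers and function names are assumptions made for illustration.

```python
# Constructed sample data. The record layouts are assumptions for this
# example; they are not a PHYSBITS or vendor schema.
HR = {"e100": "active", "e101": "terminated", "e102": "active"}
BADGES = {                      # physical access control: id -> door groups
    "e100": {"lobby", "floor3"},
    "e101": {"lobby", "computer-room"},   # left the company, badge still live
    "v900": {"computer-room"},            # badge with no HR record at all
}
ACCOUNTS = {"e100": True, "e101": True, "e102": False}  # id -> login enabled


def reconcile(hr, badges, accounts):
    """Return sorted (id, finding) pairs where the three systems disagree."""
    findings = []
    for emp in sorted(set(hr) | set(badges) | set(accounts)):
        active = hr.get(emp) == "active"
        has_badge = bool(badges.get(emp))
        has_login = accounts.get(emp, False)
        if not active and has_badge:
            findings.append((emp, "badge without active HR record"))
        if not active and has_login:
            findings.append((emp, "login without active HR record"))
        if active and not has_badge:
            findings.append((emp, "active employee has no badge"))
        if active and not has_login:
            findings.append((emp, "active employee has no login"))
    return findings


def apply_hr_state(hr, badges, accounts):
    """Revoke door and network access for every identity HR does not list as active."""
    revoked = []
    for emp in sorted(set(badges) | set(accounts)):
        if hr.get(emp) != "active":
            if badges.pop(emp, None):
                revoked.append((emp, "badge"))
            if accounts.get(emp):
                accounts[emp] = False
                revoked.append((emp, "login"))
    return revoked


if __name__ == "__main__":
    for finding in reconcile(HR, BADGES, ACCOUNTS):
        print(*finding, sep=": ")
    print(apply_hr_state(HR, BADGES, ACCOUNTS))
    print(reconcile(HR, BADGES, ACCOUNTS))
```

Run against the sample data, the first pass flags the terminated employee's live badge and login and the badge with no HR record; after revocation only the unprovisioned new hire remains as a finding.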

Some OSE critics have argued that converging all of these systems will compromise intellectual property — the proprietary nature of the hardware and software applications being connected. “That's not true,” says David Hawkins, a product manager with Software House, who worked on PHYSBITS. “The idea is to communicate the data that comes out of a system, making it possible to pass the relevant output of one system to another. We are not giving up proprietary business logic or practices.”

Currently, several OSE work groups are developing specifications and best practices related to pieces of the broad framework described in PHYSBITS.

One group, for example, is developing event data protocols or specific data communication standards that will allow event data to move between physical and logical systems. The ability to exchange data means that if someone gets into a computer room and fiddles with a device, data describing the event will be made to flow into an alarm system monitored by physical security. “Right now, a physical security network won't have a clue if something like that happens,” Hawkins says. “This is one of the biggest reasons for making security systems interoperable: to extend physical security's capabilities into the IT world.”

When the work groups responsible for crafting the PHYSBITS framework complete their tasks, OSE plans to combine the documents into a PHYSBITS II publication that will propose specific performance standards. “We'll submit PHYSBITS II to the Security Industry Association,” Hawkins says.

With the PHYSBITS effort under way, OSE has begun to ponder other issues. Eric Maurice, director of product management for Computer Associates' Security Solutions Unit, contends, for example, that the OSE playing field is much larger than issues raised by convergence. “OSE is really about security management in general,” he says. According to Maurice, OSE working groups might develop open specifications designed to integrate different components of physical security systems. At the same time, another working group might look into specifications related only to IT security. “Take storage management, for example,” he says. “If I want to make sure people back up data, I have to provide easy access to back-up devices. But if I make access easy, then I have created a security issue that OSE might address with a white paper.”

Moving security targets

The information age has transformed security, both physical and logical, into a moving target. For example, access cards for doors have been around for decades, evolving relatively smoothly from magnetic stripe technology to proximity technology. But when access cards for computers arrived on the scene, they created problems. Users had to carry two cards, raising security costs and creating inconveniences for employees. Single-card access to both physical and logical security barriers is resolving the problem.

Today, single cards have evolved into smart cards with chips, and created another set of security issues, large and small. Among these is smart card printing. How can a card with peaks and valleys created by microchips and antennas be printed? Conventional printing processes leave gaps in the printed information. What good is an incomplete barcode? What's the best way to print a smart card? “Today, we use a retransfer process to print on technology cards,” says Kathleen Phillips, vice president of sales and marketing at Minneapolis-based Fargo Electronics Inc., an OSE contributing member.

According to Phillips, Fargo views OSE as an opportunity to plug printing hardware into end-user security system specification processes — before printing becomes a problem. “Printers are a small part of a security system, and often last in line during design,” Phillips says. “But the printing equipment has to interlace back into the card management system. All too often a card system will be incompatible with a cost-efficient printing system. Will the card they have chosen work with the kind of printer they are looking at?”

OSE addressed this and other issues that smart cards present to end-users in a recent white paper entitled “Smart Card Enabled Access Control Used in Logical and Physical Systems.” It provides technical guidance and objective selection criteria designed to enable users to make educated choices among available standards and products from magnetic-stripe and proximity cards to biometric identity management.

Technological advances will continue to demand that physical and logical security providers adjust the way products function. For instance, the credentialing and authentication process has now gone beyond cards into a cyber-realm called federated identities. A user with a federated identity can be authenticated by one company or Web site, then be recognized and receive personalized content and services in other locations without having to re-authenticate or sign on with a separate username and password. Federated systems link identity information between accounts without centrally storing personal information.

In February, OSE announced a liaison with the Liberty Alliance, an open standards organization for federated identity and identity-based services. OSE and Liberty plan to collaborate to create standards and best practice authentication methods for wireless, subscriber identity module (SIM)-based access to Liberty-enabled Web services. “Our alliance with the OSE will help extend federated identity standards into the realm of physical security,” says Michael Barrett, president of the Liberty Alliance and vice president for privacy and security for American Express.

Human convergence

There is more to convergence than technology, however. Industry observers point out that the convergence of logical and physical security must also begin to focus on getting the security directors themselves to work more smoothly together. “IT security people and physical security people both have different goals,” says Kroll's Grniet. “Open security technology will present issues that both sides will want to tackle in different ways.”

An IT security director is responsible for preventing unauthorized network access, while the security director uses part of the network to manage access control and video data important to the work of the physical security department. How will the two sides react when the human resources department begins to credential employees for physical and logical access? The loss of control will likely make both uncomfortable.

In many companies, physical security departments are demanding additional bandwidth from IT directors to accommodate video data. At the same time, IT directors, to the chagrin of physical security directors, have gained levels of control over physical security technologies simply because access control and video systems operate on company networks.

“The turf wars will continue,” Grniet says. “There will have to be more communication to bridge the gap between physical security and IT security people. Maybe the ultimate bridge is a chief security officer responsible for both areas.”

ROLL CALL
Founding members of the Open Security Exchange
  • Computer Associates International Inc., Islandia, N.Y.
  • Gemplus International, SA, Luxembourg
  • HID Corp., Irvine, Calif.
  • Software House, Lexington, Mass.
Contributor Members
  • ActivCard Corp., Fremont, Calif.
  • CoreStreet Ltd., Cambridge, Mass.
  • Fargo Electronics Inc., Minneapolis
  • Siemens Building Technologies Inc., Buffalo Grove, Ill.
  • Siemens Building Information and Communications Network Inc., Boca Raton, Fla.
  • VistaScape Security Systems, Atlanta
Advisory Board
  • Sandy Jones, principal consultant, Sandra Jones and Co., Chardon, Ohio
  • Steve Hunt, vice president, research director, Forrester Research Inc., Cambridge, Mass.