Smart First Steps in Convergence

Aug 1, 2007 12:00 PM, By David Ting



Physical and IT security might be said to have a “sibling” rivalry. IT security is very much the younger sibling, taking its fundamentals from what has worked for physical security. Despite the historical separation and delineation of responsibilities, the combined forces of physical and IT security are more than the sum of their parts. Combining them is worth the effort.

That said, the status quo already works well for most incidents and purposes. Convergence is not about fixing something that is broken; it is about improving security posture and overall efficiency. The two sets of functions are divided for good reasons, and even in a converged environment neither camp wants to be seen as controlling, or stepping onto, the other's turf. A converged system is best thought of as a collective one: both sides share data to enforce a single policy for who is granted access to which resource, physical or logical.

Why now?

A shared sense of urgency and a quest for greater confidence in identifying who is allowed access into the building and onto the network are driving the cooperation. Since the terrorist attacks in the United States, physical security has become far more rigorous. Supplementing the guard at the front desk are X-ray scans of packages, guards at multiple stations and swipe-card access control at the building, floor and even office level.

Regulations and fear of costly data loss — with its associated negative publicity — drive IT security. There is also increasing pressure to make digital assets available to partners, customers and contractors in remote locations, effectively enlarging the boundaries of the company. IT needs to provide the right information to the right user at the right location.

Both need greater confidence that the people in the facility and on the network are who they claim to be and are allowed to be there, not least so that they can respond to a crisis. In other words, security professionals on both sides need a more factual basis for their decisions.

Where to start?

One way to accomplish these goals is converging the authentication device. A combined proximity badge and smart card can serve as the swipe card for access to physical assets and can also be placed in a reader on the user's computer to access digital assets. Unfortunately, this scenario involves recalling and reissuing more expensive cards, adding a smart card reader at each IT access point, adding a new layer of IT security for certificate management and changing behaviors for both IT staff and users.

Alternatively, existing assets can be used to drive new policies that improve confidence, auditing, compliance, privacy and security while lowering overall risk. Multifactor authentication and one-time passwords are the ways this has been done on the IT side. Physical-logical convergence is another dimension: an enforcement mechanism for IT security that is comparatively easy to build and overlay onto existing access policies.

Integrated security information is the key to building greater confidence around users. This is especially important as both sides strive for greater security and audit tracking. The best untapped information at the disposal of both IT and physical security leaders is the real-time access data held by each. By sharing this data and integrating information systems together, it is possible to construct new policies that replace guesswork with hard data.

This kind of convergence makes sense because its raw material is already in place: almost every company has badges or some other form of physical access control system. When a person badges in, that event carries information the IT staff can use to make sound decisions about the rights granted to that person. When a user tries to log on to the network, a check against the physical security system tells the IT system whether that person is allowed to access it from that location. Specific rules for access to certain servers can be layered on top to make those servers more secure than before. For example, a policy could state that only an IT administrator who is on site at a location can log on to a server there to make changes or to shut it down. The check is only as good as the door data behind it, though: a system that records entries but not exits cannot tell whether this morning's badge-in still means the person is in the building, so the policy needs either exit records or an expiry on badge-ins to work against.

Cards, systems and, most importantly, behaviors do not have to change. This is a stricter application of established policy. Because the cost of changing user behavior is large, behavior is the area where preserving the status quo matters most. The design premise is that users are not required to change or learn anything about how they go about their work. They simply have to follow rules they already know; even someone who skipped them, by tailgating or by a "wave and smile" past the lobby desk, cannot claim not to know what the rule was.

Enforcing those policies across systems can make all of them more effective. Even if an administrator chooses to relax the rules to follow employee behavior more closely, sharing security information makes both systems stronger. For example, not requiring a badge-in at the front lobby one morning because the lines are suddenly too long does not have to mean security officers will not know who walked through the door. The IT system can tell the physical security system who has entered when they log on to their computers and, further, roughly where users are in the building, an important fact in the case of a fire or other building emergency. Note that a logon places a user at a workstation at one moment in time; someone who locks the screen and walks away is not tracked, so the result is a best-effort roster rather than a head count.
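The two flows described above, the logon check against badge state and the reverse feed that tells the physical side who is inside, as an added worked example. This is not code from the article or from Imprivata. It assumes a simple normalized event format for the door system and the logon system, a constructed set of sample events, a 12-hour expiry on badge-ins because many door systems never record exits, a `relaxed` mode that models the morning the lobby stopped checking badges, and an assumed table mapping server names to sites; all of these are illustrative.

```python
"""Converged access policy: correlate door-badge events with logon attempts.
Added example, not the article's or Imprivata's code.  The event formats,
the 12-hour badge expiry and the server-to-site table are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple

ALLOW, ALLOW_ALERT, DENY = "allow", "allow-with-alert", "deny"

# Many door systems record entries but not exits (no exit readers, no
# anti-passback), so a badge-in is trusted only for a bounded period.
MAX_BADGE_AGE = timedelta(hours=12)

# Which site each server physically sits in (assumed inventory).
SERVER_SITES = {"srv-hq-db1": "HQ"}

# Constructed sample data: (timestamp, user, door, building, direction)
BADGE_EVENTS = [
    ("2007-08-01T08:02:00", "alice",  "lobby-1", "HQ",        "in"),
    ("2007-08-01T08:05:00", "bob",    "lobby-1", "HQ",        "in"),
    ("2007-08-01T08:30:00", "bob",    "lobby-1", "HQ",        "out"),
    ("2007-08-01T07:55:00", "carol",  "dock-2",  "WAREHOUSE", "in"),
    ("2007-08-01T09:00:00", "admin1", "lobby-1", "HQ",        "in"),
]
# Constructed sample data: (timestamp, user, host, logon location, kind)
LOGON_ATTEMPTS = [
    ("2007-08-01T08:10:00", "alice",  "ws-hq-101",  "HQ",     "workstation"),
    ("2007-08-01T08:40:00", "bob",    "ws-hq-102",  "HQ",     "workstation"),  # badged out
    ("2007-08-01T08:15:00", "dave",   "ws-hq-103",  "HQ",     "workstation"),  # tailgated in
    ("2007-08-01T08:20:00", "carol",  "vpn-gw",     "REMOTE", "vpn"),          # remote
    ("2007-08-01T09:10:00", "admin1", "srv-hq-db1", "HQ",     "server"),       # on-site admin
    ("2007-08-01T09:15:00", "admin2", "srv-hq-db1", "REMOTE", "server"),       # admin off site
    ("2007-08-02T08:10:00", "alice",  "ws-hq-101",  "HQ",     "workstation"),  # day-old badge-in
]


@dataclass
class Presence:
    building: str
    since: datetime


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def presence_state(events) -> Dict[str, Presence]:
    """Replay badge events in time order.  A user is present in the building
    of their latest 'in' event until an 'out' event for them is seen."""
    state: Dict[str, Presence] = {}
    for ts, user, _door, building, direction in sorted(events, key=lambda e: e[0]):
        if direction == "in":
            state[user] = Presence(building, _ts(ts))
        elif direction == "out":
            state.pop(user, None)
    return state


def _live(p: Presence, at: datetime) -> bool:
    """A badge-in counts only if it is in the past and younger than MAX_BADGE_AGE."""
    return timedelta(0) <= at - p.since <= MAX_BADGE_AGE


def on_site(user: str, building: str, at: datetime, state) -> bool:
    p = state.get(user)
    return p is not None and p.building == building and _live(p, at)


def decide(logon, state, relaxed: bool = False) -> Tuple[str, str]:
    """Policy decision plus an audit reason for one logon.  With `relaxed`,
    an on-site logon without a badge-in is allowed but flagged, not denied."""
    ts, user, host, location, kind = logon
    at = _ts(ts)
    if kind == "vpn":
        p = state.get(user)
        if p is not None and _live(p, at):
            return ALLOW_ALERT, f"{user} is badged into {p.building} but logging on remotely"
        return ALLOW, "remote access: no physical check applies"
    if kind == "server":
        site = SERVER_SITES.get(host)  # unknown host gives site None: fail closed
        if site != location:
            return DENY, f"changes to {host} require an administrator on site at {site}"
    if on_site(user, location, at, state):
        return ALLOW, f"{user} badged into {location} at {state[user].since:%H:%M}"
    if relaxed:
        return ALLOW_ALERT, f"no badge-in for {user}; presence at {location} inferred from logon"
    return DENY, f"no current badge-in for {user} at {location}"


def presence_roster(state, logons, at_iso: str, relaxed: bool = False) -> Dict[str, Set[str]]:
    """Who is believed to be in each building at `at_iso`: everyone with a live
    badge-in plus everyone whose permitted on-site logon is recent.  This is
    the reverse feed, IT telling physical security who is inside."""
    at = _ts(at_iso)
    roster: Dict[str, Set[str]] = {}
    for user, p in state.items():
        if _live(p, at):
            roster.setdefault(p.building, set()).add(user)
    for logon in logons:
        ts, user, _host, location, kind = logon
        if kind == "vpn" or not timedelta(0) <= at - _ts(ts) <= MAX_BADGE_AGE:
            continue
        if decide(logon, state, relaxed)[0] != DENY:
            roster.setdefault(location, set()).add(user)
    return roster


if __name__ == "__main__":
    st = presence_state(BADGE_EVENTS)
    for lg in LOGON_ATTEMPTS:
        print(lg[0], lg[1], lg[2], *decide(lg, st))
    print(presence_roster(st, LOGON_ATTEMPTS, "2007-08-01T09:30:00", relaxed=True))
```

Two design choices matter more than the individual rules. Every decision carries a reason string, so the audit trail records why a logon was denied or flagged rather than just that it was; and the badge-in expiry makes a stale entry fail closed instead of silently authorising a workstation for a day. The roster is only as current as the last event from each user, which is why it is a starting point for the fire warden rather than a head count.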

The sharing of data between systems happens at the data level and does not require changes to the roles or staffing of either the IT or the physical security team. That said, as this information becomes more relevant to each team's daily work, there is a natural interest in understanding the terminology and technology of the other side's systems in order to write policies and solve problems together. Even physical security veterans who claim to have no understanding of IT systems find they know far more than they assume, and they often have plenty to teach their IT counterparts, especially in the area of investigations.

This is why the two camps can be referred to as "siblings." As we share how security is designed at a fundamental level, professionals on either side come to see that the basic models are the same. After all, IT security has looked to physical security as a guide from the start. Hallways can be viewed as networks, rooms as servers and gates as firewalls. Once past the security check (authentication) at the gate (firewall), the user is free to roam the hallways (network) at will. Some rooms (servers) are locked (password-protected) while others are open to anyone who cleared the front door (network logon) or presented the right badge (password) at a side door (VPN gateway). The analogy also shows where both models are weak: a single check at the perimeter leaves everything behind it depending on that one check, which is why both worlds add interior doors, in the form of segmented networks and per-room or per-server authentication. The basic structure is analogous for good reason: physical security is a model that works, and its policies are easy to understand. IT is now just another zone in the physical security system, and physical security is another layer of authentication for IT.


David Ting is founder and CTO of Imprivata, Lexington, Mass., and has more than 20 years of experience in developing advanced imaging software and systems for high security. Prior to founding Imprivata, he developed biometric applications for government programs and Web-based applications for secure document exchange. He was formerly the technical manager of Kodak's Boston Technology Center. He managed an engineering group that developed the software platform used in most of Kodak's digital photography products.

© 2008 Penton Media Inc.
