Identity Convergence

Jun 1, 2007 12:00 PM, By Sandra Kay Miller



Organizations are bringing together logical and physical identity management under a unified system for better control and management of their locations and networks. They are also reaping the benefits of better efficiency, not just within security, but in other departments as well.

For many years, IT departments and physical security departments existed in their own worlds, independent of each other. However, over the last 10 years, there has been a technological creep into the physical world, such as the use of electronic security badges and digital surveillance. Still, for the most part the two remained largely separate.

Thanks to rocketing malware, electronic intrusions, online theft and regulatory compliance, logical security shot past its physical brethren to hog not just the spotlight, but also the budget. IT departments struggling under the weight of mounting threats and regulations began separating security from the network and application infrastructure. Dedicated IT security teams and their accompanying executives (CIO, CSO, CISO) took on the responsibilities of ensuring the safety of digital assets, information and the network.

Then, Sept. 11 occurred, and the world went into security overdrive. In government entities, enterprises and educational institutions, anyone remotely associated with security, whether configuring firewalls or sitting in a guard booth at the front gate, began talking to one another and realizing that many of their seemingly disparate systems were, in fact, similar if not outright redundant.

Peter Boriskin, vice president of Access Control and Video Systems for Tyco Fire & Security, Boca Raton, Fla., recalls the initial push for the integration of physical and logical security departments in 2001. Unfortunately, in many organizations the concept of convergence quickly regressed into pre-2001 silos due to the lack of viable technology and organizational challenges.

“There are really two types of convergence — technological and organizational. What we're seeing right now is the technological, which is getting multiple systems to work together in an interoperable fashion, so that what you have at the end of the day is higher situational awareness and fewer gaps between systems,” Boriskin says.

“If you think about it, managing identities as a function of physical access procedurally is no different than managing identities for logical access,” explains Brian Nugent, president and CEO of Applied Identity, a San Francisco-based company specializing in identity-driven access control and policy management solutions. The first step is to create a common identity for both physical and logical access. Next, the identity needs to be tied to a username and password, token, card or badge. The third key is a common repository. Nugent points out that in organizations using a system to physically manage identities for logical access, authentication and automatic provisioning (like Active Directory or LDAP) the common repository already exists. “What I have seen is organizations using these systems as the basis for integrating their physical access, be it a card system or whatever,” he says.

Organizational convergence of security and identity management has presented more of a challenge largely due to the human factor of territorialism. “It is not just that the systems work together. That is sort of a bottom-up approach. To have the physical security, the logical security, the facilities management and human resources working together, that's very much a top-down initiative,” Boriskin explains. Once everyone is onboard for unified identity management, regardless of their department, incredibly tight integrated security is possible. “People will understand what they are looking at and why they are looking at it, thus providing much better situational awareness.”

“This is a very hot topic for the industry right now,” Nugent says. He has witnessed strides toward physical and logical identity management convergence taking hold in the federal realm, thanks to the Homeland Security Presidential Directive (HSPD-12), which requires a common identification standard for all federal employees and contractors. “These universal IDs will be the same ones used to access a building as well as provide logical access to the network. It is beginning to happen, and I think the federal segment is leading the charge,” Nugent says.

Given regulatory compliance edicts, such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB), government oversight has become a driving force for instituting auditable security measures in both the physical and logical realms. “Our early adopters are the ones for whom not meeting the burden of requirements means a very negative impact financially or on their brand,” Boriskin says.

As identity management begins to cover both physical and logical aspects, a number of trends are emerging. Surprisingly, Boriskin finds that organizations want more flexibility with their policies.

“We didn't really expect the pushback where people wanted to go around the rules on a pretty routine basis,” he says. To meet its customers' demands, Tyco had to design a more tailored rule set for both physical and logical security. Boriskin explains, “Maybe it's all right for a group of people to come into the building holding the door open for one another and not make everyone badge in. But when you sit down at your desk after violating that one rule, then instead of just locking the person out of their desktop, you can say if you break one rule, we're going to enforce others.” Instead of using only a smart card or password for access, a user might be faced with two or more tokens of authentication. “That hits the sweet spot because people want the ability to go around the rules as necessary, but still enforce higher security,” Boriskin says.
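The rule described above can be sketched as a logon policy that consults the door system's badge log. This is an added example, not code from Tyco or from the article; the event fields, the 12-hour window, the factor names and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BadgeEvent:
    user: str
    direction: str      # "in" or "out", as reported by the door controller
    at: datetime

# Assumed policy values (hypothetical, not from the article).
BADGE_WINDOW = timedelta(hours=12)        # how far back an entry still counts
BASE_FACTORS = ("smart_card",)
STEP_UP_FACTORS = ("smart_card", "password")

def is_inside(user, events, now):
    """True if the user's most recent badge event in the window is an entry."""
    recent = [e for e in events
              if e.user == user and now - BADGE_WINDOW <= e.at <= now]
    if not recent:
        return False                      # never badged: tailgated or not on site
    return max(recent, key=lambda e: e.at).direction == "in"

def logon_decision(user, events, now):
    """Decide which factors an on-site workstation logon must present.

    A missing badge-in does not lock the user out; it raises the bar,
    and the reason is returned so the decision can be audited.
    """
    if is_inside(user, events, now):
        return {"factors": BASE_FACTORS, "reason": "badge-in on record"}
    return {"factors": STEP_UP_FACTORS,
            "reason": "no current badge-in; physical rule bypassed"}

# Constructed sample data: alice badged in, bob followed her through the
# door without badging, carol badged in and later badged out.
NOW = datetime(2007, 6, 1, 13, 0)
SAMPLE_EVENTS = [
    BadgeEvent("alice", "in", datetime(2007, 6, 1, 8, 55)),
    BadgeEvent("carol", "in", datetime(2007, 6, 1, 8, 30)),
    BadgeEvent("carol", "out", datetime(2007, 6, 1, 12, 0)),
]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, logon_decision(name, SAMPLE_EVENTS, NOW))
```

The same lookup only works once both systems key their records to one identity, which is the common repository Nugent describes earlier.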

With two previously disparate departments working together and becoming a single entity, other business units are getting involved. “I think people are wrapping their minds around solving other business challenges using the security infrastructure they already have. It is costing them less to work together. By leveraging each other's technologies, everyone can come out looking like heroes.” Boriskin illustrates his statement with an example of how organizations are using their security video infrastructure to help marketing with data, such as customer counting and line queuing. Customer service is also getting a boost by allowing store management to keep tabs on cash register lines and customers at the counter who need help.

Unified identity management and the convergence of physical and logical security are continuing to evolve. Boriskin already sees new companies emerging around incident management and situational awareness. Right now, though, some of the near-term requirements emerging in the space are for data mining and analytics. “I think we've got a good handle on how our systems validate credentials, but the real driver is what to do with all that data. A lot more will be done in data mining, incident and situational awareness and all of that ties into multiple systems. It will take convergence to the next step,” Boriskin says. “Now companies are asking, how do we distill down the ocean of information that we have so that it's really actionable intelligence?”

© 2008 Penton Media Inc.
