Of a single mind

Nov 1, 2000 12:00 PM, Jim Spencer

Many companies have two security directors ... one for physical security and one for information security. Does it make sense? How is it changing?

The convergence of IT security and physical security

A corporate security director (in the traditional sense) is responsible for executive protection, investigations and physical security. He or she buys and uses access control, CCTV and other security systems.

But within a corporation's IT or MIS department is another person charged with security. His or her mission is to secure data and communications.

These individuals represent two different security industries, each speaking a different language, but both serving the same customer concurrently. Until recently, these two groups barely acknowledged each other. Only lately have the advantages of their working together to view the "big picture" of a corporation's security begun to emerge.

The early years

In the not-too-distant past, physical security was content to deal with its own proprietary wiring schemes and protocols, the newest (or oldest) card technologies, smart panels, sensors and maybe to dabble in biometrics and software. It was, and still is, a primarily hardware-based industry and mindset.

Information security, on the other hand, has always been primarily software-driven. Originally these professionals were concerned with the security of data and focused on using passwords to restrict or grant full or partial access to data, as well as to establish an audit trail. With the advent of telecommunications, and now the Web, much of the attention has shifted to network security. The vocabulary has expanded to include terms such as firewalls, viruses and secure log-ons. The federal government is even "helping" with rules on encryption and secure transactions.

For the most part the terminology of one discipline is foreign to the other. Also, the trade press and associations remain separate. There is little or no serious attempt to understand mutual needs or to work together to produce converged value.

Change started in the 1990s

In the beginning, the physical security industry used proprietary systems, such as those from Rusco and Cardkey. The systems primarily opened and closed doors or sounded alarms. There was little reporting capability. Then in the late 1980s DOS-based systems came on the market, and customers began to use data to do their jobs better.

Physical security directors were discovering that the value of data is even greater than the value of opening doors. Suppliers learned that software was the way to sell more hardware, which was their real business. To this day, they refer to themselves as manufacturers.

A big change came when Software House introduced the first proprietary relational database product on a multi-processing VAX computer. For the first time, customers could really use software to manage the process and the data concurrently. It was real IT functionality. It also marked the first intrusion of IT into the private world of physical security.

Information technology had been wrestling with a technology explosion taking place within almost every company. Everybody had a different computer and none of them talked to each other or even shared data. Everybody entered their own data, even if it was the same data. Duplicate costs and database synchronization became major problems, expenses and risks. For example, human resources might terminate an individual and then inform IT and security several days or weeks later by internal mail. Even later, the termination would be keyed into their separate computers.

The days of IT being able to run everything from a mainframe were long gone and would never return. The value of departmental systems and the PC were firmly established, as was the value of application owners for their parts of the business. Order needed to be established, and IT was given that mission in most, if not all, companies.

They began by establishing corporate standards on IT technology. IT mandated that all databases be ODBC-compliant to facilitate data sharing between systems, that LANs be either Ethernet or Token Ring, and that all communications follow TCP/IP. IT mandated that desktops and servers use either Windows or one or two of the flavors of UNIX, and so on. The list was long and wide enough to give users choice, but narrow enough to be affordably supported and to achieve the cost savings of single data entry and integration.

This incursion was not universally welcomed by physical security, which was used to "doing their own thing". Often was heard the statement, "those IT guys just don't understand security". Corresponding statements were also being muttered in IT.

This resentment, for the most part, passed quickly. Physical security directors began to realize the value and opportunity that these standards afforded. They could begin to envision the value they could derive from the integration of various data-based systems, such as between access control and human resources. They also began to recognize the value of getting IT support as these systems became increasingly complex.

Casi-Rusco took a chance in the late 1980s and began developing a Unix-based system that for the first time used a commercially available ODBC-compliant database product (Informix) with a GUI and "smart" panels.

Physical security rapidly increased its use of IT technology to provide increased value to its clients. Manufacturers increasingly used software to sell more hardware, and IT terminology has been learned and disseminated by the trade press and associations. IT and physical security people were actually talking, yet they remained distinctly apart.

The second wave: Consolidation, network communications

Data, or knowledge, was becoming increasingly valuable and labor increasingly costly. Consolidation and productivity became corporate mantras and were enabled by the availability of increasingly robust technologies.

Physical security now had the product availability to consolidate remote sites on centralized systems to give them increased functionality, capabilities and productivity. However, it was clearly uneconomical and inefficient for security to continue to operate private networks and wiring schemes. The technology was there to use the corporate data networks managed by IT. For the first time, physical security would be operating inside the boundaries of information security under their rules.

Physical security computers and devices, such as panels, could now be attached directly to the corporate LAN/WAN through an IT address. IT addresses are the portals to the IT treasure chest of data and are fiercely guarded by the elite of IT technicians. The physical security community viewed these people as truly strange individuals. They seldom speak beyond the word "no", and if they do, nobody can understand them.

Many security manufacturers were shocked to discover that their devices did not meet the standards to be assigned IT address and so would not be attached to the network.

Integrators were infuriated to learn that they had to specially schedule with IT as to when they could attach a device or even service one and the work could only be performed by a technician individually certified by IT as being capable. They were seldom given the IT address, and if they were given it for a particular call, it would be changed immediately afterwards.

Many physical security directors learned too late that IT had a policy that all servers attached to the network had to reside physically in IT and behind their firewalls. Often the charges for this were not in the budget. Directors also learned that IT frequently took the network down on weekends for maintenance because "nobody was working then".

Some of the initial encounters ranged from confrontational to downright nasty. In some cases the relationship remains tenuous. However, for the most part, wiser minds have prevailed, and the two security functions have made the effort to understand what the other is trying to accomplish and to build mutual respect and accommodation. They know they are far more effective as partners than as adversaries. As George Booth, of Ebay, states, "When going forward with a program or budget request, my chances of gaining approval go up exponentially if my IT partner is happily at my side."

Unfortunately, while customers are forging partnerships with IT, most of the physical security industry lags behind. Most manufacturers still regard software and networking as a means to sell more proprietary hardware. They reject open systems, as it would destroy their proprietary advantage. They regard such "high-handed" rules on IT addresses, supportable devices, software and release levels as impediments rather than as opportunities. Wonder why Lenel is having great success? It's because Lenel is a software developer that understands and embraces the IT community and open architecture. (And by the way, they also open doors, produce badges and do alarms). They saw the opportunity while others muttered about the impediments and remain staunchly proprietary.

The next wave

Web-enabled applications are expanding rapidly, and both physical and IT security must deal with the associated security concerns. Asset management is another emerging area of common concern and opportunity. Digital video is perhaps the hottest new technology for physical security, but other members of the IT technology-using community, like retail merchandisers, are seeing the value of the technology for determining shopping patterns within a store or mall.

The common thread has been the increasing use of IT technologies and resources by physical security. An emerging thread is that IT and application owners within companies are finding uses for the data and knowledge created by physical security. The next wave could well be the exciting opportunity of using physical security technology and experience to help IT security.

Today, various application owners within the IT community authorize varying access by employees and contractors to their applications and data. Various IT security suppliers, such as Microsoft, are developing database products to coordinate these access permissions into a common repository linking to an individual. IT security people are searching for a secure credential to identify the individual to the system and network.

Sound familiar? Well there are a few new twists and turns to the story. Just presenting an access control card to a workstation probably would not be considered secure enough. A secondary identification such as a password and/or a fingerprint comparison of the person and a stored template on the card has good possibilities. Even though some coding might be needed, it is not beyond the existing capabilities of the physical security community to address. But there is more.

What about sensing when an individual, who had successfully logged on to an application, leaves the defined proximity of the workstation without logging off? The system should automatically lock the workstation until someone successfully logs on again and an incident should be created. It might also be important to know which individuals were in the proximity of the workstation at any given time for potential investigation of an incident.

What about the situation where an employee is fired by human resources? We now do a pretty good job of linking human resources systems to security so that the person is immediately prevented from having physical access to facilities. But in today's Web-enabled world, individuals do not have to be on-site to be granted access to IT-based applications, data and systems such as email.

Look at the similarity of terms: access privileges and levels, permissions, primary and secondary levels of identification, credentials, proximity, termination and denial, and individual. They're the same words with slightly different meanings and connotations. The IT and physical security industries must work together to share experiences, knowledge, technologies and infrastructures to come up with converged solutions to these real problems.

Doesn't it make sense to use a single credential? Doesn't it make sense to be able to sense the presence of that credential in a secure area and sense when it leaves the defined proximity of the area? Doesn't it make sense that when an individual's physical access permissions expire or are terminated that all his IT access and permissions also be immediately terminated? Doesn't it make sense to support open architecture to enable the convergence of the two industries?
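The three scenarios above (a single credential with a second factor for IT logon, a workstation that locks itself when the credential leaves its proximity, and an HR termination that cuts physical and IT access in the same step) can be modelled as one permission repository keyed to the badge. The following is an added example written for this page, not code from the article or from any vendor named in it; the class names, badge ids, reader ids, timestamps and event sequence are all constructed for illustration.

```python
"""Converged identity lifecycle model (added example; constructed data).

One repository holds both physical areas and IT applications per credential,
so a single termination event revokes both, a logon requires the badge plus a
second factor, and a proximity-loss event locks the workstation and records
an incident. All identifiers below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Person:
    badge_id: str
    name: str
    physical_areas: set = field(default_factory=set)  # doors this badge opens
    it_apps: set = field(default_factory=set)         # applications this badge may log on to
    active: bool = True


@dataclass
class Incident:
    kind: str
    badge_id: str
    detail: str


class ConvergedDirectory:
    """Single source of truth for access, keyed by the physical credential."""

    def __init__(self):
        self.people = {}
        self.incidents = []
        self.presence_log = []          # (time, reader_id, badge_id) for later investigation
        self.workstation_sessions = {}  # workstation -> badge_id currently logged on

    def enroll(self, person):
        self.people[person.badge_id] = person

    def terminate(self, badge_id):
        """HR termination: revoke physical and IT access in one step, and drop live sessions."""
        p = self.people[badge_id]
        p.active = False
        p.physical_areas.clear()
        p.it_apps.clear()
        for ws, b in list(self.workstation_sessions.items()):
            if b == badge_id:
                self.workstation_sessions.pop(ws)
        self.incidents.append(Incident("termination", badge_id, "all physical and IT access revoked"))

    def door_request(self, badge_id, area, time, reader_id):
        """Every badge presentation is logged, whether or not it is granted."""
        self.presence_log.append((time, reader_id, badge_id))
        p = self.people.get(badge_id)
        return p is not None and p.active and area in p.physical_areas

    def app_logon(self, badge_id, app, second_factor_ok, workstation):
        """Badge alone is not enough for IT logon: a second factor is required."""
        p = self.people.get(badge_id)
        if p is None or not p.active or app not in p.it_apps or not second_factor_ok:
            return False
        self.workstation_sessions[workstation] = badge_id
        return True

    def proximity_lost(self, workstation, badge_id, time):
        """Credential left the workstation while logged on: lock it and record an incident."""
        if self.workstation_sessions.get(workstation) != badge_id:
            return False
        self.workstation_sessions.pop(workstation)
        self.incidents.append(Incident("walk-away", badge_id, f"{workstation} locked at t={time}"))
        return True

    def who_was_near(self, reader_id, start, end):
        """Badges seen at a given reader in a time window, for incident investigation."""
        return sorted({b for t, r, b in self.presence_log if r == reader_id and start <= t <= end})


def run_scenario():
    """Walk through the article's three scenarios with constructed data."""
    d = ConvergedDirectory()
    d.enroll(Person("B-1001", "A. Example", {"lobby", "server-room"}, {"email", "erp"}))
    d.enroll(Person("B-1002", "B. Example", {"lobby"}, {"email"}))
    r = {}
    r["door_ok"] = d.door_request("B-1001", "server-room", 900, "reader-srv")
    r["badge_only_logon"] = d.app_logon("B-1001", "erp", False, "ws-07")   # badge without 2nd factor
    r["logon_ok"] = d.app_logon("B-1001", "erp", True, "ws-07")
    d.door_request("B-1002", "lobby", 905, "reader-ws07")                  # reader near ws-07 (constructed)
    r["locked"] = d.proximity_lost("ws-07", "B-1001", 910)
    r["nearby"] = d.who_was_near("reader-ws07", 900, 920)
    d.terminate("B-1001")
    r["door_after_term"] = d.door_request("B-1001", "server-room", 1000, "reader-srv")
    r["logon_after_term"] = d.app_logon("B-1001", "email", True, "ws-07")
    r["incident_kinds"] = [i.kind for i in d.incidents]
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the single `terminate` method is that physical and IT revocation cannot drift apart in time, which is the gap the article describes when HR notifies security and IT separately; the presence log answers the "who was near the workstation" question without a separate system.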

The problem in bringing these questions forward to real solutions does not lie with the customers or end-users. Both IT and physical security professionals understand both the problem and the implications. Together they are speaking a common language.

The problem, and hence the opportunity, lies in the two security industries, each with its own suppliers, VARs/integrators, consultants, publications, associations and trade shows. The problem is that they largely remain separate. Once again the customers are way ahead of their supply train and support.

What an opportunity for a new converged industry focusing on supplying and supporting all aspects of security to seek the common ground to create value!

© 2008 Penton Media Inc.