Information and Physical Security: Can They Live Together?

Gregg LaRoche

The future of enterprise security has long been summed up in one word: convergence. For years, pundits, analysts and others have predicted that at some point in the future, companies will begin to take a holistic view of their security operations. The building security you encounter at the front desk when you swipe your card in each morning will no longer be a separate system from the security you encounter when you sit down at your desk and log-on to your computer. When converged, these typically disparate systems will be connected and will communicate as a way to validate your identity when you access your office or your companys network.

However, combining these parallel but different universes requires both cultural and technological changes to your organization. A companys physical and logical information networks and user interfaces have been completely separate for years. Building access, or physical security, systems are typically put in place by either the owner of the building or, in the case of larger businesses, by the corporations security department. Network and data security, or logical security, systems are the domain of the IT department. Each developed separately within the organizationcorporate security departments developed to protect physical assets through locks, surveillance and alarm systemsand are typically staffed by people with backgrounds in law enforcement, not technology; in contrast, protecting a companys information and knowledge assets has been one of the main tasks of IT since day one. This role has evolved into protecting both company and employee data since the dawn of the Internet age.

At this point, many companies are hesitant to embrace convergence, asking questions such as, Why should I consider a converged solution? What is the benefit? Doesnt this seem like more trouble than its worth? Wont this be costly from both an implementation and a human capital perspective? And, do the benefits outweigh the costs?

Merging the cultures of these two areas is not an overnight processand ever since the buzz started about convergence, companies felt that merging physical and logical access systems could take even longer. But this is starting to change with new, more intelligent solutions that help companies add these capabilities while maintaining the operation of their existing security systems.

Reasons for Convergence
Lets take a look at the first couple of questions: Why integrate these seemingly disparate systems and what are the benefits in doing so?

All corporate assets need to be protectedfrom office equipment to employee belongingsand hackers, industrial saboteurs and terrorists must be prevented from wreaking havoc with networks, applications and databases. However, because physical and logical security systems have traditionally been handled separately with little or no cross over, few companies realize how much a converged system could help.

In many ways, building access security systems have always acted as the first line of defense against unauthorized access to any company assetsphysical or logical. If an intruder could not gain entry to a companys offices, that person could therefore not gain access to corporate applications and sensitive data. However, with the advances in technology, this is no longer the case as telecommuting and remote access become more prevalent every day. A companys IT assets and critical data can no longer be protected by physical security systems alone.

There have been other, more conventional, attempts made at solving the issue of unauthorized access to company informationbut they all stop short of true integration. Some of these have included:

• Multifunction cards using either proximity capabilities or a traditional magnetic strip combined with a digital certificate or other credentials to identify users when they enter buildings or access their computer. However, there is no way to correlate access policy across systems or revoke all the various credentials contained on the card simultaneously.
• Identity management solutions can enable provisioning for new users, streamlining the creation of directory accounts and required user applications, as well as physical access privileges and web-application access control. However, they are costly and time-consuming to implement and are not a realistic solution for small to mid-size businesses.
• Consolidation is closest to an integrated physical and logical approach, as it gathers logs from application, network and physical access systems and generates consolidated reports by user. The problem with this approach is that it is time-consuming to set up and still only lets administrators see what has already happenednot control access or prevent a transgression from happening in real time.

Physical and logical security concerns continue to mount, bringing the problems with the above solutions and issues such as inadequate security policy and lax enforcement to the forefront. Today, more and more organizations are realizing that a combination of their physical and logical security systems will help strengthen their security and better protect their company, employee and customer data.

Benefits of Convergence
First, well take a look at the top-line benefits that convergence brings to an organization; and following that, well go into some more detail about each:

• The creation of one system for managing all physical and logical security, including a streamlined workflow for creating, deleting and modifying user identities;
• A unified network policy for both local network and remote access that leverages location and status information from physical access systems;
• Improves user access and helps solve privacy concerns;
• A practical and affordable second authentication factor;
• Greater ROI from existing infrastructure;
• Better coordination of security resources in critical and emergency situations;
• An identity-based reporting system for use in forensic investigations; and
• Assists with company-wide compliance efforts.

The integration of physical access technologies, such as magnetic or proximity cards and readers, with identity management and user authentication technologies, such as tokens and biometrics, enables an organization to establish and manage a single, consolidated repository for all authentication credentials and to have a centralized means of setting access privileges for both physical and logical resources.

By linking the two access security systems, companies can extract more value from the badges and proximity cards that theyve already deployed and fully leverage their existing infrastructure of readers and doors controlled by physical access control systems. Additionally, by incorporating data now available on user location, time of badge-in and badge status within the organizations network/remote access policy, companies are able to enhance their overall security posture.

The integration of building access with network security lets the two types of security solutions compliment and reinforce each other. The synchronization of these two systems leads to stronger, more integrated security, as convergence allows organizations to manage network security under a single umbrella. For example, one of the most common applications of security convergence is for companies to allow employees access to their network applications only after using his/her employee badge that day when entering the building. This prevents someone from trying to log into the network remotelyas the system will read that the employee in question is in the office and should not be trying to log in from elsewhere.

In addition, an integrated security policy of this sort also helps to prevent tailgating, which is when one employee closely follows another employee into the building without swiping his/her badge; or when a guest or unauthorized person closely follows an employee in, without signing in as a visitor or gaining lawful entry. By tying network and application access to physical entry, employees are encouraged to swipe in each morningor be unable to access IT resources. In addition, a policy can be set up to alert corporate security representatives whenever someone (either employee or outside person) who have not swiped their badges attempts to log onto PCs or access certain data.

Another benefit of security convergence is that it enables companies to take advantage of two-factor authentication, meaning a security system that combines complex passwords with a second form of ID. By integrating physical and logical security, existing tools such as employee badges with a magnetic strip can be used instead of forcing companies to spend extra money replacing employee badges or deploying biometric scanners.

Converging building and IT access measures also improves how organizations can remove an employees access rightssomething that needs to be done quickly when an employee resigns or is fired. For example, after a termination or resignation, there is often a lag time of days or even weeks between the last day and when the ability to access the building and/or the network is eliminated. In the lag time, security is compromised as disgruntled former employees could log in remotely, or in some cases, enter the building and steal confidential or sensitive data. Convergence prevents this problem by allowing organizations to terminate all building and network access privileges simultaneously.

Also, with physical and logical systems fully integrated, real-time response to network alarms is now possible and in the case of an emergency, because convergence enables consolidated logging of entry and access records by true user identity, companies can easily create a more accurate occupancy roster listknowing exactly where employees are in the event of emergency.

The Benefits of Convergence Outpace the Costs
But why havent companies been able to do this before? The idea of convergence has been a long-running theme the past few yearsbut the problem has been the actual implementation of a converged security solution. Because physical and logical security systems have had little in common on any level, integrating them was seen as a costly and complex proposition. In the last few years, however, there have been some changes that have made the prediction of convergence become closer to reality.

Some of these reasons are:

• Recognition of Security Limitations: As auditing for regulatory compliance becomes more widespread, more auditors are seeing the gaps in corporate security and alerting their clients to take action.
• Convergence-Friendly Solutions: Converged solutions that are built around identity offer more comprehensive security protection, regulatory compliance and improved coordination when responding to emergencies or security threats. More physical access security vendors are responding to customer demand and seeing the value in supporting convergence. Many of them are now promoting interfaces for integration with IT-based solutions.
• Widespread Adoption of IP: Internet Protocol (IP) has become the de facto standard for corporate IT networking. Having a common protocol reduces wiring requirements, deployment time and cost and enables management and administration via Web browsers. Many physical access devices are IP-capable, including cameras, card readers and access controllers.
• Emerging Standards: Standards such as Physical Security Bridge to IT Security (PHYSBITS), a vendor-neutral approach developed by the Open Security Exchange for enabling collaboration between physical and IT security, are being defined to enable easier physical/logical access security integration.
• More Cost-Effective Card Token Solutions: Vendors have introduced a new generation of more affordable smart cards. Based on a contactless smart card chip, these widely-adopted cards offer a far more secure token than the traditional 125KHz Prox technology used with most access control systems, making them suitable for use in IT security.
• Single Sign-On (SSO): As more organizations deploy SSO, which allows users to login from anywhere to all applications via a single authentication, it is driving demand for strong user authentication and more comprehensive security policies for network and remote access.
• Gateway Technologies: A new generation of gateway technologies is targeting and fixing common convergence problems. These gateway products bridge the gap between the physical and logical systems to provide bi-directional exchange of identity information and real-time events.

Taking the integration beyond reuse of building access cards, a truly converged physical/logical access security solution should consolidate identities, set policies, monitor and track events, manage access rights to software applications and generate consolidated reports.

Privacy and Reporting Regulations Drive Adoption
In this day and age of strong government regulations and restrictions being placed on companies in regard to reporting performance, releasing financial data and protecting customer/employee data, it is no surprise that companies have turned toward their security solutions to assist in compliance efforts.

Converged security solutions enable organizations to comply with data collection and data protection regulations like the Heath Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley, Homeland Security Presidential Directive (HSPD-12) and others. Converged security can help prevent unallowed access to databe it patient data or company databy allowing access only to those authorized to view the data, such as a doctor and his or her patient. Companies can also use the systems to collect data and to record any times that someone tried to access areas of the companys network that they shouldnt have.

Converged security solutions can also be key tools for auditors. It is extremely difficult to recreate a timeline of access to the building and network today because the log that tracks people who enter a facility is locked within the physical access system; the network access log is kept in the network directory; and each software application keeps its own record of each time a user accesses it.

However, a converged solution enables forensic timelines by supporting integrated event and report generation. The convergence gateway collects such information from all components, enabling it to recreate the entire sequence of eventshow the user got into the building, how the user got onto the network, what authentication mode was used, what the network logon name was and how long the user stayed on the network. If single sign-on is being used, then the system can also track which applications the user accessed, either via the network or through remote access.

Taking Advantage of Convergence
Once an organization has implemented a converged security solution, there are several different ways it can be usedeach with its own benefits. Some ways that converged solutions have been used in the past include:

• Network Access: organizations can set network access policies for the organization, with conditions where a user is granted both network and remote access  only - with a valid ID badge; a user is granted network access  only - if he or she has logged in within a specified time after entering the facility; or a user is granted network access  only - upon entry through a specific door or zone.
• Event Management: With converged security solutions where companies can see where an employee is or isnt, administrators can respond more promptly to security events such as when a network account is being accessed when the employee is not present in the facility; or alternatively, when a remote account is being accessed while the user in question is in the building; and in the case that a terminated employee attempts to gain network or remote access.
• Access Reports: Organizations will be able to track each employees network and remote access history and compare them against facility entry records. This has proven useful for providing a complete timeline, establishing a history of how and when a user entered a building, logged onto a network and what applications were accessed. This comprehensive audit trail is extremely useful for investigating breaches or leaks.

Building for the Future
It is not too soon for companies to begin thinking about how their organizations could benefit from the enhanced security and compliance these solutions deliver. With several converged physical/logical access security systems being released to the market this year, companies need to review what their current security needs are and how converged solutions could help.

When evaluating solutions, it will be important for companies to recognize whether technology can be added to enhance what they already haveor force them to replace existing gearsomething that could be costly and cause disruptions among employees work, effecting productivity. But its not just technology or equipment interoperability that companies need to think aboutcompanies must also recognize that the physical building access side and the logical IT security side represent different views and ideas. For convergence to work, solutions need to integrate with what youve already invested in on both the physical and logical sideand when implemented, operate in such a way that employees practices (other than tailgating) are not affected. Solutions need to recognize both sides of security convergence and ensure that they both can use the resulting converged solutionand naturally, the easiest way to do this is to add-on to what you already have without replacing your equipment and re-writing employee roles and responsibilities. Solutions that do not require changes to incumbent IT and building access technology investments will see the most success.

With all of the benefits that converged security solutions can bring a companybetter protection for sensitive corporate information, employee and customer data; improved cost savings; enhanced risk reduction and compliance assistancecompanies of all sizes, from all industries, should make this one of their priorities for the next year.

---

About the Author
Gregg LaRoche is the director of product management for Imprivata, Inc., an enterprise authentication and access management appliance company that helps companies secure their networks and applications and integrate building and IT access. He has more than twenty years of experience working with high technology hardware and software products and services in enterprise markets. Prior to joining Imprivata, Gregg was product marketing director at Ubizen, NV. (now part of Cybertrust), a European leader in IT security solutions, served as marketing programs manager at RSA Security Inc. and built successful marketing, product, and channel organizations at building automation and security management innovator Andover Controls Corporation (now TAC Andover Controls). Gregg holds a BS in Management from the University of Massachusetts and an MBA from Bentley College.

 

© Copyright 2006 Imprivata, Inc.