If installers and integrators want to compete in the broader markets of the future they must support the merging of traditional 'physical' security with IT security, say Paul Piccolomini and Peter Boriskin of Tyco Fire and Security ...

Physical and IT security have functioned independently of each other for a long time, but pressure to unify them is mounting. While both security strategies are critical to the overall safety of a business, the gap generated between the two security disciplines makes businesses vulnerable to attack.

Anxious to fill the breach, managers and leaders of organisations are working to correct this problem and they are looking to the security industry for a remedy that makes practical sense.

The importance of bridging the physical and IT security chasm presents the security industry with an opportunity to learn and adopt integrated practices that will not only grow business but add value to their customer base.

Manufacturers, consultants and integrators must address today's need for convergence if they expect to compete in tomorrow's broader security industry.

Single credential approach

Convergence to date has focused on using one single authentication credential for both the physical and the network security systems.

A token issued with the security credentials for the access control system can double as the IT credential. A token certificate supplies the authentication data that the IT security system uses for the network.

The best vendors and integrators will enable organisations to adopt this dual approach as well as building on investments already made in physical security.

As a result, organisations can:

  • Adopt convenient and secure dual-purpose credentials to access both the facilities and the IT systems
  • End casual access to sensitive locations and resources
  • Enable legacy IT applications to accept a new authentication method
  • Reduce help desk costs and work hours lost due to missing or forgotten passwords

The single credential approach can be extremely time- and cost-effective within IT. It can eliminate the need to maintain the same data for different applications and the employment of people doing 'redundant' jobs. Moreover, it can physically authenticate access to network applications and make it easier to monitor employee activity. Businesses will be able to tie operational processes to security by using the same credential for application and network authentication.

Another advantage of single credentials is the physical checking of the end-user for IT security purposes. In the physical security world, there is a security staff member on hand to issue that first credential and check that the employee is real and present.

With IT credentials, often created by other programmes, users may not always be "real". The obvious problem is that there is no one to validate whether the issued credential is being given to an authorised user. Requiring credentials to be issued physically rather than virtually strengthens network security and provides the IT community with a simple solution to one of its chief security issues.

So who's in charge?

Provisioning is the practice of automatically issuing a user all the credentials, rights and roles on all or many of the company's servers and systems. Managing this process is one of the biggest challenges organisations face. Product vendors and dealers familiar with this architecture can add a great deal of value to a business when helping to check these credentials.

Typically, provisioning begins with the human resources server or employee database. An effective process gives bi-directional communications between the HR system and the security system. When a new employee is created in the system, the credential information passes from one system to the other. The privileges and roles of these credentials can have a significant impact on a business' security.

Having a security staff member at the end of the process to validate the cardholder as a real and authorised person is much more powerful than any electronic process with no human intervention. Yet this kind of collaboration between IT, physical security and HR can cause conflict within the organisation.

Physical security personnel have a duty as a part of the overall security force to know the IT technologies that extend beyond their standard systems. Expanding their understanding steps up the level of security throughout the enterprise and is one of the strongest reasons for integrating physical and IT security.

Multiple vantage points

Security event management platforms pose another issue that concerns many customers.

Many access control systems today offer the ability to construct events from multiple vantage points in the security infrastructure.

Monitoring intrusion and fire events, video, asset activity, paging, and phone systems are all part and parcel of a "state of the art" security system today. Simply having such a platform at this time is an achievement.

And still, the market often wants more.

A similarity exists in the IT world … A security management system for IT gathers information from firewalls, anti-virus and intrusion detection applications, and a variety of non-security related hardware and software on the network. This infrastructure is fast moving and has many data points, as does the physical security infrastructure. However, the volume of event data that needs to be managed on the IT side is very much larger. Thousands of invalid access attempts for a single programme can occur in nanoseconds.

Because of this volume, the IT industry has created tools such as IBM's Tivoli, Hewlett Packard's OpenView, and Computer Associates' eTrust Security Command Center. These tools serve both management and security purposes and, as such, are key to integrating physical and IT security. Integration tends to hit a snag, however, when event data is transferred from physical security into the IT security management system. The answer is to create a common protocol for this event data to be shared among all security systems.

Executive 'pain points'

Sooner rather than later, decision-making executives will adopt a policy of convergence as they continue to face the following trials and 'pain points':

  • An inability to centrally manage physical access control systems from different vendors
  • Incompatibilities between building access hardware tokens and IT access tokens
  • An inability during 'forensic' investigations to relate building access logs to IT logs
  • Limited situational awareness because no monitoring system can provide a coordinated view of physical and IT attacks
  • An inability to apply business logic to security event data when it comes from multiple sources (physical and IT)
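To make the log-correlation and common-event-format points concrete, here is an added example (not from the article or any vendor product) that normalises badge records and logon records into one event type and flags console logons by users the access control system does not place inside the building. Both log formats, the field names and all sample lines are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data; both formats are hypothetical, not from any product.
BADGE_LOG = """\
2024-03-04T08:01:12,alice,HQ-LOBBY,IN
2024-03-04T08:15:40,bob,HQ-LOBBY,IN
2024-03-04T12:02:03,bob,HQ-LOBBY,OUT
"""
LOGON_LOG = """\
2024-03-04T08:05:00 user=alice host=HQ-WS-014 type=console
2024-03-04T12:30:00 user=bob host=HQ-WS-022 type=console
2024-03-04T09:00:00 user=carol host=HQ-WS-031 type=console
2024-03-04T13:00:00 user=bob host=vpn-gw type=remote
"""

@dataclass(frozen=True)
class Event:
    """Common record shared by the physical and IT sources."""
    when: datetime
    user: str
    source: str   # "physical" or "it"
    action: str   # IN / OUT for doors, console / remote for logons
    where: str    # door or host name

def parse_badge(text):
    for line in text.splitlines():
        ts, user, door, direction = line.split(",")
        yield Event(datetime.fromisoformat(ts), user, "physical", direction, door)

def parse_logon(text):
    for line in text.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        yield Event(datetime.fromisoformat(ts), f["user"], "it", f["type"], f["host"])

def console_logons_without_presence(badge_text, logon_text):
    """Return console logons by users the badge system does not place inside."""
    events = sorted([*parse_badge(badge_text), *parse_logon(logon_text)],
                    key=lambda e: e.when)
    inside, findings = set(), []
    for e in events:
        if e.source == "physical":
            inside.add(e.user) if e.action == "IN" else inside.discard(e.user)
        elif e.action == "console" and e.user not in inside:
            findings.append((e.when.isoformat(), e.user, e.where))
    return findings
```

On the sample data the function reports the logon by a user who never badged in and the one by a user who had already badged out, while the remote logon is ignored because it does not imply physical presence.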

As executives continue to experience these problems, they will seek solutions and services provided by integrators and technology providers who are committed to interoperability.

There will quickly be a dramatic shift to those whose solutions promote integration between the physical and IT worlds to maximise security while cutting operating costs. Solutions that meet these needs will improve security for businesses, but will also enhance the security of our own environment on a global scale.

Customers will seek systems integrators offering technologies that convey an integrated security approach. The established manufacturers, consultants and integrators who have demonstrated proven product reliability and first-class customer service over the years will be the first choice.

The security industry at all levels must develop products and adopt practices that promote an integrated approach to security in order to fill immediate customer needs.

Looking ahead

We've witnessed the inauguration of several groups dedicated to standardising these processes and applications and thereby ensuring the products, policies and procedures needed for successful security are available to anyone who requires them.

In the USA one such group, the Open Security Exchange (OSE), has formed a consortium of companies and is developing a generic set of standards to alleviate the burdens of two security disciplines.

In the next few months, the OSE will publish documents to raise awareness about the needs of the physical and IT security industries. These documents will help create better security offerings.

New members have joined the OSE over the past few months and many more are expected, establishing an organisation governed by the needs of those who use and rely on security technology as well as those who provide it.