The pressure to unify physical and IT security strategies is mounting as the current gap between the two security disciplines renders enterprises vulnerable to attack. Anxious to fill the breach, IT managers and organisational leaders are working hard to correct this problem, and in doing so are looking to the security industry for a remedy that makes practical sense.
The importance of bridging the physical and IT security chasm that has existed for so long presents the security industry’s end user base with an opportunity to learn and adopt truly integrated working practices that help to grow their businesses by adding value to them. For their part, manufacturers, consultants and integrators must address today’s need for convergence if they are expecting to compete in tomorrow’s broader security industry.
To date, the convergence initiative has focused on using a single credential for authentication (ie access) to both physical and networked security systems. A token issued with the necessary security credentials for the access control system to validate entry to a building can also double as the IT credential. In essence, a token certificate supplies the authentication data that the IT security system uses for the network.
The very best vendors and integrators will enable organisations to adopt this dual approach to authentication technology while building on the investments already made in the physical security infrastructure. As a direct result, client organisations can:
- adopt convenient and secure dual-purpose credentials in order to access both facilities and IT systems;
- maximise security by ending casual access to sensitive locations and resources;
- enable legacy IT applications to accept a new authentication method;
- reduce Help Desk costs and work hours lost due to missing and/or forgotten passwords.
The single credential approach may be extremely time and cost-effective within the IT area of an organisation. It can eliminate the need for employees with redundant jobs, such as maintaining the same data for different applications. Moreover, it can physically authenticate access to network applications and increase an organisation’s ability to monitor employee activity. Businesses will have the ability to tie operational processes to security by using the same credential for application and network authentication.
Another advantage of the single credential system is the physical checking of the end user for IT security purposes. In the physical security world, there is inevitably a member of the security staff on hand to issue that first credential, and check that the employee in question is real and present. With IT credentials often being created by other programs, users may not always be ‘real’. The obvious problem is that there is no-one to validate whether the issued credential is being given to an authorised user. Requiring credentials to be issued physically rather than virtually strengthens network security and provides the IT community with a simple solution to one of its chief security issues.
Provisioning: who is in charge?
Provisioning is the practice of automatically issuing a user all the credentials, rights and roles on all or many of the company’s servers and systems. Managing this process is one of the biggest challenges organisations face. It has to be said that product vendors and dealers familiar with this architecture can add a great deal of value to a business when helping to check these credentials.
Typically, provisioning begins with the Human Resources (HR) server or database. An effective process enables bi-directional communications between the HR system and the security system. When a new employee is ‘created’ on the system, the credential information then passes from one system to the other. The privileges and roles of these credentials can have a significant impact on business security.
Having a member of the security staff at the end of the process to validate the cardholder as a real and authorised person is much more powerful than any electronic process with no human intervention. Yet this kind of collaboration between IT, physical security and HR can cause conflict within the organisation.
As part of the overall security ‘force’, physical security personnel have a duty to know the IT technologies that extend beyond their standard systems. Expanding their understanding steps up the level of security throughout the enterprise, and is in truth one of the strongest reasons for integrating physical and IT security.
Security event management platforms are a further area of concern and debate for many enterprise customers. A host of today’s access control systems offer the end user the opportunity to construct events from multiple vantage points in the security infrastructure. The monitoring of intrusion and fire events, video, asset activity, paging and telephone systems is all part-and-parcel of a state-of-the-art security system. At this time, simply having such a platform in place is an achievement in itself! Still, the market invariably clamours for more and more...
A similar paradigm exists in the IT world. A security management system for IT gathers information from firewalls, anti-virus and intrusion detection applications (as well as a variety of non-security related hardware and software on the network). This infrastructure is fast moving and has many data points, as does the physical security infrastructure. However, the sheer volume of event data that needs to be managed on the IT side is significantly larger. Thousands of invalid access attempts for a single program can occur in nanoseconds.
Commitment to interoperability
Due to the volume of data on the IT side of the equation, the industry has created new tools – among them IBM’s Tivoli, Hewlett Packard’s OpenView and Computer Associates’ e-Trust Security Command Centre. These tools serve both management and security functions and, as such, are key to integrating physical and IT security. However, that integration process tends to hit a snag when event data is transferred from physical security regimes to the IT security management system. The solution to this ‘hitch’ is to create a common protocol for the event data such that it may be shared among all security systems.
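As an added example (not part of the original article, and not any vendor's protocol): once physical and IT events are mapped to one shared record layout, a single rule can run across both sources. The two log formats, field names, site code and user names below are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records; both formats are hypothetical, not any vendor's.
BADGE_LOG = """\
2024-03-04T08:01:12,HQ-LOBBY,IN,jsmith
2024-03-04T08:15:40,HQ-LOBBY,IN,mlee
2024-03-04T12:02:05,HQ-LOBBY,OUT,mlee
"""
IT_LOG = """\
2024-03-04T08:05:30 host=hq-ws-014 site=HQ event=console_logon user=jsmith
2024-03-04T12:30:00 host=hq-ws-022 site=HQ event=console_logon user=mlee
2024-03-04T09:10:00 host=hq-ws-031 site=HQ event=console_logon user=akhan
"""

def parse_badge(line):
    # Door IDs are assumed to start with the site code, e.g. HQ-LOBBY -> HQ.
    ts, door, direction, user = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "source": "physical",
            "site": door.split("-")[0], "action": "badge_" + direction.lower(),
            "user": user}

def parse_it(line):
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": "it",
            "site": kv["site"], "action": kv["event"], "user": kv["user"]}

def normalise(badge_text, it_text):
    """Map both feeds to one event layout and order them by time."""
    events = [parse_badge(l) for l in badge_text.splitlines() if l.strip()]
    events += [parse_it(l) for l in it_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])

def logons_without_presence(events, max_age=timedelta(hours=12)):
    """Flag console logons by users not currently badged into that site."""
    inside = {}   # (user, site) -> time of the badge-in still in effect
    alerts = []
    for e in events:
        key = (e["user"], e["site"])
        if e["action"] == "badge_in":
            inside[key] = e["ts"]
        elif e["action"] == "badge_out":
            inside.pop(key, None)
        elif e["action"] == "console_logon":
            seen = inside.get(key)
            if seen is None or e["ts"] - seen > max_age:
                alerts.append((e["ts"].isoformat(), e["user"], e["site"]))
    return alerts

if __name__ == "__main__":
    for alert in logons_without_presence(normalise(BADGE_LOG, IT_LOG)):
        print("console logon without badge-in:", alert)
```

A rule like this depends on every entry being badged: a user who follows a colleague through an open door will appear as a logon without presence, so alerts need review before any action is taken.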
Sooner rather than later, decision-making executives will adopt a policy of convergence as they continue to face the following trials and ‘pain points’:
- an inability to centrally manage physical access control systems manufactured by different companies;
- incompatibilities between building access hardware tokens and IT access tokens;
- an inability, during forensic investigations, to relate building access logs to IT logs;
- limited situational awareness because no single monitoring system can provide a co-ordinated view of physical and IT attacks;
- an inability to apply business logic to security event data when it has arisen from multiple sources (ie both physical and IT);
- an inability to fully co-ordinate cardholder lifecycle management for cardholders across multiple credentialing systems.
As enterprise security executives continue to see these problems, they will seek solutions and services offered by integrators and technology providers committed to interoperability. In a short space of time, there will be a dramatic shift towards the vendors and integrators whose end user solutions promote organisational and technical integration between the physical and IT worlds in order to maximise security while at the same time cutting operational costs.
Meeting customer requirements
Customers will seek systems integrators who can offer technologies that convey an integrated security approach. The established manufacturers, consultants and integrators who have demonstrated proven product reliability and first class customer service down the years will be the first choice. At all levels, the security industry must develop products and adopt practices that promote an integrated approach to security to meet client demand.
Of late, we have witnessed the inauguration of several groups dedicated to standardising processes and applications, thereby ensuring that products, policies and procedures needed for complete and successful security are available to any company, vendor or client requiring them. Indeed, one such group in the US – the Open Security Exchange (OSE) – has formed a consortium of companies to develop a generic set of standards that will alleviate the burdens placed on the two security disciplines.
During the next few months, the OSE will publish documents aimed at raising awareness concerning the needs of the physical and IT security industries. While not the final answer in terms of meeting those needs, these guidelines will help in creating better security offerings for end users and in filling the gaps left by current practice.
Over the past few months, new members have joined the OSE and many more are expected to do so, establishing an organisation that is governed by the needs of those who use and rely on security technology as well as those who provide it.
Source
SMT
Postscript
Paul Piccolomini is vice-president of research and development for Tyco Fire & Security’s Access Control and Video Systems Business Unit. Peter Boriskin is the Unit’s director of technology.