The road to convergence

February 2013 Integrated Solutions

We have had no shortage of people talking about convergence in one form or another in Hi-Tech Security Solutions over the years. To start this year off, we have decided to give it another try and ask a few people where we are in the convergence cycle. Is this the year IT comes to the party, or perhaps the year security joins their party?

It is not a matter of technology; there is more than enough equipment out there to make the convergence between physical and logical security a reality. So what is it? Is it a matter of cost? How about people not being willing to expand their skills and risk their little empires? We asked the experts where we are.

Hi-Tech Security Solutions: Where are we on the road to physical and logical convergence?

Marius Coetzee, Ideco Biometric Security Solutions: We are pretty much at the start of the journey and uncertain about the right road to take. Perhaps the reason why there is no clear direction is that many organisations do not have a single point of authority that takes responsibility for overall security. For example, physical security within the workplace is regarded as a completely different function to security within the organisation’s IT systems and is handled by different people.

Although the two functions require different skills and knowledge, they both clearly share a common operational goal: controlling and monitoring who can do what, when and where within the organisation. It is also clear that the shared goal is fundamentally concerned with identity and the measures that are taken to authenticate people’s identities and authorise their activities. This underlying commonality – which we refer to as identity control – should perhaps be the starting point for how we approach the concept of converged security.

South Africa is well advanced on the road of identity control within the physical environment. Particularly within the workplace, the accuracy, convenience and speed of fingerprint-based identification is widely recognised as providing the most effective means of managing who can do what, when and where. Evidence of this ability is based on the fact that over 75 000 fingerprint scanners supplied by Ideco now authenticate the identities of more than 2,5 million local people within the access control and attendance management systems at thousands of SA organisations.

Hendrik Combrinck, ZKTeco: The market for these applications is still immature and needs a lot of development because each client’s infrastructure is different and needs customisation for these systems to work.

Walter Rautenbach, Suprema SA (distributed by neaMetrics): In my opinion we still have a very long way to go. At least we are talking about it. The debate at this stage, at least for me, assists with understanding the related needs and challenges. However, the debate is still far from over and in my mind raises more questions than answers.

Now that access control systems are IP based, we are seeing some overlapping, raising questions around the benefits created by joining systems, functions and departments with the motivation of protecting all types of company assets. It is extremely idealistic but definitely a great objective to work towards. This convergence however starts with a coordinated effort to work together and not with joining departments as the main objective.

Some list the convergence of information security with logical and physical, while others categorise it as only part of logical. The convergence of physical and logical security allows for the merger of the control over who enters through a door, aiding the protection of physical assets, and then, over and above that, accessing information systems. Joint systems, or even just data in this regard, is extremely useful for merging multiple identities, securing access to tangible and intangible assets as well as forensic investigations to show who had access and who accessed company assets. A question that arises once a person has access to information is what prevents it from leaving through the door on a flash stick or even as a mental image. Although this is a separate debate on its own, it should be considered when clarifying the objectives of physical and logical security convergence.

Various hardware manufacturers have been producing both physical and logical security peripherals for a while. In many cases these are still managed by different business units, although some manufacturers are now releasing software that offers this convergence through software provided.

Steve Lewis, Software House (part of Tyco Security Products): We already have integrations today to bring physical and logical access control together from a basic standpoint, such as not having to enter data multiple times into multiple systems. For example, when adding a new employee or disabling an employee’s active status in a company, data typically is entered in at least three separate databases, such as HR, IT and security. With integration, this data is pulled together in one place. Integration simplifies the addition and removal of employees and can be done quickly and consistently.

One area of major development is in additional security measures on the actual credential, such as biometrics for additional levels of authentication. PINs and cards can be stolen, but adding the step of reading a finger can ensure access is given to the person intended. Other new technologies here include the use of NFC (near field communication), included for example in a new smart phone from Sony that allows retailers to authenticate the user when the phone is used as a credit card.

HSS: Why do so many businesses take a chance on passwords and PINs instead of opting for integrating physical and logical authentication and authorisations?

Coetzee: The widespread use of fingerprint technology within physical security is based on the fact that cards, PINs and passwords (CPPs) are a completely ineffective barrier to unauthorised access. By replacing these outmoded credentials with fingerprint-based authentication, organisations across SA have cut the repetitive losses caused by the simple exploitation of CPPs. For example, sharing access cards and buddy-clocking for other people has been eliminated within those organisations that have replaced CPPs with fingerprint technology.

In these organisations, one half of the identity control challenge has been resolved. Their security has been substantially reinforced by integrating fingerprint technology within the systems that control access and attendance. And a lot can be learnt from these applications in order to increase security within IT systems.

However, the operational separation of physical and IT security does need to be acknowledged and addressed. At the moment, this separation is often a barrier to extending the security benefits of fingerprint based authentication into a broader spectrum of IT systems. We see technical co-operation as being the key to overcoming this hurdle. We need to encourage IT departments to work with us to fully benefit from the heightened security provided by fingerprint biometrics.

At the same time, there certainly needs to be increased awareness at the most senior levels of the damage caused by the criminal abuse of an organisation’s IT systems. Although identity-based abuses such as buddy-clocking can carry a hefty price tag, such losses are relatively minor compared to those that are increasingly caused by the exploitation of identity within IT systems. Equally, there are many organisations that do not have problems with buddy-clocking or unauthorised access but are shockingly vulnerable to criminality within their IT systems.

Combrinck: The end user does not know about these systems because the normal installers of access control do not want to get involved with their clients’ IT infrastructure.

Rautenbach: End users are very aware of the technologies available. However, understanding the integration into current solutions and platforms is a completely different story. We encountered an end user that purchased several PC biometric readers and after a week returned complaining that they had plugged them in but their accounting system still only asked for passwords. Managing end-user expectations through education is extremely important and tech-savvy IT managers might have to accept the fact that their new tablet might still require the old infamous PIN or password, leaving the system exposed. This should however not lead to abandonment as gradual convergence does add value and should be built up as technology and concepts develop.

Lewis: Convenience is one factor as authentication can easily slow the process down. For example, the individual waits longer trying to gain access to a portal where additional levels of authentication are required.

The second deterrent may be cost and maintenance. The cost to install and maintain the necessary equipment may not be clear to companies. The lack of discussion about cost and advantages of integrations may result in confusion and perceived complexity. Companies that are purchasing these systems may not know what is available or which questions to ask.

HSS: Which areas of business, or which markets would benefit from implementing integrated/converged solutions? What benefits would be quickly and easily measurable?

Combrinck: Any company can benefit from these systems because it protects the core information and intellectual property from physical intruders.

Rautenbach: I believe the benefits in convergence lie mainly in the integration of the logical security side and add more value to protecting business information than it does to controlling physical access. For this reason we see the main target areas as corporate divisions of business, responsible for managing information. With this said we should, however, remember that it serves no purpose for such systems to be implemented on a corporate level and then allow remote operations free access to logical systems.

To obtain the full benefit, all logical/information users of an organisation should utilise converged systems when implemented. For this reason it might be easier to implement in companies with minimally decentralised infrastructures. Corporates already utilising formal Identity Management (IdM) solutions – Microsoft (Active Directory), Novell, Oracle etc – on the logical security side should be looking for converged solutions integrating their IdM as this would add more value sooner and success will be easier to measure.

One of the challenges when implementing in corporate environments is that most corporate office space comes with physical security measures already in place and the fact that most corporations leasing office space will look to building management agencies for physical security measures. In these cases shareholders might frown upon the expenditure related to replacing current non-compliant physical security measures with new converged compliant hardware.

Lewis: All businesses can benefit from a more convenient, secure method of data and physical access management, which keeps data consistent throughout the enterprise. This converged approach also eliminates the costs of entering the same information multiple times into multiple systems, and ensures that only authorised users of the system can quickly and easily access and manage the location and information.

The challenge may be getting HR, IT and security departments to agree how the integration will work. Sometimes this process is more complex than the actual technology that enables the integration. Working through issues such as who touches what, who shares what, who has access where and when, and what information is confidential should be decided before a converged solution is implemented. This takes time and a sound understanding of the needs of each department.

HSS: Can you provide examples of where converged solutions would improve security and/or reduce the potential for crime?

Coetzee: Organisations themselves are best placed to assess the nature of their exposure to the risks of identity-based crime. The first question in this assessment relates to their level of reliance on identity authentication across their full range of business processes. The second question concerns the consequences of identity abuse within these processes.

And the consequences can vary widely. Unauthorised access to a hazardous location may have dire consequences in terms of personal injuries and the associated liabilities. Equally, what would happen if someone gained unauthorised access to a payments system and executed a series of fraudulent EFT payments?

By developing a rational understanding of such risks, organisations can identify the type of activities that are not sufficiently protected by something as insecure as an access card or a PIN and a password. They should also be encouraged to look beyond the false sense of security that CPPs have created over many decades. We have become so accustomed to using them as credentials that we tend to overlook their inadequacies and are consequently somewhat blinded to the risks they create.

Combrinck: Any company that needs to protect the information on its IT infrastructure will be able to benefit from these systems. The physical access control is the first line of defence to keep unwanted persons from entering the premises. The logical access is the second line of defence if the physical access has failed. Combining the authentication database for these two systems enables a company to put more stringent measures in place to protect their information and intellectual property.

Rautenbach: Non-repudiation and single identities across physical and logical security; and consolidated identity activity and movement tracking within physical areas and logical systems.

Lewis: In seaports and airports, additional credential authentications such as biometrics and image verification with online database updates (beyond background checks or badges) provide a more secure credential validation. Checking authentication regularly helps prevent theft in manufacturing, for example, by enabling security personnel to simultaneously disable an ex-employee’s access to a building and to the IT network, helping to prevent the theft of physical products as well as personal data.

HSS: What products/technologies are in the market at the moment that define/support/drive physical and logical convergence?

Coetzee: All the components already exist. There is certainly no technological barrier to implementing overall, converged security solutions that can manage the common goal of governing who can do what when and where. From controlling access at the main gates and individual offices right through to authorising access and activity within IT systems, the technology all exists. All the parts of the puzzle are in the box. What is perhaps still missing is the right level of motivation to put each piece in place. What is needed is collaboration, not isolation.

We need to encourage more collaboration in order to move physical and IT security out of their separate silos. Senior executives have a vital role to play here by promoting a shared approach to protecting the overall security of their organisation.

Combrinck: Each day more and more companies are releasing products like biometric mice and USB card readers that can be used to connect to authentication servers. Integrators and software houses have just been waiting for the correct tools to use to combine the physical and logical access control systems.

Rautenbach: None that stand out and which deliver functionality that I would opt for as a business owner at this stage.

Lewis: Access control, CCTV, video, intrusion and IT management software all can be part of a converged solution. For example, Tyco Security Products technology supports physical and logical convergence, employing such products as the C·CURE 9000 security management platform, the victor video management system from American Dynamics and intrusion products from DSC.







© Technews Publishing (Pty) Ltd. | All Rights Reserved.