printer friendly version

Bridging the Great Divide

What do a padlock key and an application password have in common? In one sense, almost nothing. After all, one is a 4000-year-old hardware device and the other is a modern-day software-based technology tool. But they serve an identical purpose: they both allow only authorised access – one to physical assets and one to logical assets.

Despite their common purpose, physical access and logical access technologies exist in parallel worlds. Physical access technologies, such as building security systems and employee access cards, are controlled by the corporate security department. Application passwords and firewalls are the domain of the IT department. Each group's respective networks, technology paths and user interfaces are completely separate.

That situation is beginning to change. Physical and logical security technologies are beginning to converge, creating new opportunities for organisations to:

* Strengthen and gain greater control over total security.

* Add a practical and affordable second authentication factor.

* Better enforce both physical and logical security policies.

* Better coordinate security resources in critical and emergency situations.

* Achieve compliance with regulations, such as the US Homeland Security Presidential Directive -12 (HSPD-12).

This article addresses how converged physical and logical security works, the benefits it provides, and what it will mean for organisations of all kinds.

Why convergence?

All organisations need to protect their corporate assets - whether it is preventing the theft of office equipment, providing a safe environment for employees and their belongings, or keeping hackers and industrial saboteurs from wreaking havoc with networks, applications, and databases. Yet, because physical and logical security have traditionally been handled by separate organisations and technologies, few companies could envision the benefits from their convergence.

As a practical definition here, 'converged security' refers to the integration of physical access systems and related technologies (such as proximity cards and readers) with identity management and user authentication technologies (such as enterprise single sign-on, tokens, and proximity cards). This integration enables an organisation to establish and manage a single, consolidated repository for all authentication credentials, and to have a centralised means of setting access privileges for both physical and logical resources.

This identity-based convergence makes it possible for organisations to have:

* One identity-based system for managing all physical and logical access.

* A unified network policy for both network and remote access that leverages card status and user location information from physical access systems.

* Exchange of events and alarms from the physical access system to the logical access system.

* An identity-based reporting system for use in forensic investigations.

* A streamlined workflow for creating, deleting and modifying user identities from both systems simultaneously.

The benefits of these capabilities include:

Stronger more integrated security

When physical and logical access security components work together, organisations can use them to complement and reinforce one another. For example, a policy could be established that would allow a user logical access to applications only if that user had first presented his or her employee badge that day when entering a facility or restricted area.

Greater control over all security

Convergence allows organisations to manage all forms of security under a single umbrella for maximum control.

Affordable two factor authentication

Having more than one means of authenticating users is an excellent way to strengthen IT security. Experts recommend multifactor authentication (eg, complex passwords and a second form of identification) as the best protection against unauthorised application access. Convergence would enable the proximity badge to be used as the second authentication factor, sparing organisations the cost of additional smartcards, tokens, or biometric scanning systems.

Coordinated responses to problem or emergency situations

Physical and logical security should work in concert with each other. For example, when employees resign or are terminated, there is often a lag time of days or even weeks between when their physical access rights and logical access rights are terminated. This situation creates security gaps in which disgruntled former employees may continue logging onto the network remotely to steal or destroy confidential data. Convergence prevents this problem by allowing organisations to instantly lock-out logical access privileges the moment a user is terminated from the physical access system.

Regulatory compliance

In 2004, the US Executive Office of the White House issued HSPD-12, which mandates a common identification standard for US federal employees and contractors. Other governments and industry regulatory organisations are requiring similar standards. Converged physical and logical access technologies provide the two-factor authentication that ensures compliance with these regulations.

A solution to 'tailgating'

Tailgating is a common security problem in which a person without an ID badge gains access to a facility by following closely behind another person who has just presented his or her badge. With convergence, logical access security can be set up to alert corporate security whenever employees who have not presented their badges attempt to log onto PCs, thereby providing a means to better enforce badge-presentation compliance.

All of these benefits - plus the better protection, cost savings, risk reduction, and increased compliance associated with them - make converged physical and logical security a worthwhile goal for any security-minded organisation.

Industry analysts agree. As Eric Maiwald, senior analyst at The Burton Group, stated in his January 2005 report titled Physical and Logical Security, "The integration of physical and logical access control systems may provide significant benefits to the organisation in terms of reduced costs, improved user provisioning and improved security."

A sceptic might well ask, "If there are so many benefits to convergence, why has it not already happened?" To answer that question, one must understand how physical and logical security technologies evolved.

The world of physical access security technologies

Since the need for physical access security predates the corporate use of information technology, corporate security departments developed as organisations focused exclusively on protecting physical assets through locks, surveillance, and alarm systems. Most corporate security departments are staffed by people with backgrounds in crime prevention and law enforcement, not information technology. As new physical access security technologies have come to market - from electronic building security systems to closed-circuit television (CCTV) to access cards and readers - corporate security officials have largely implemented them on their own, without requiring much involvement of their IT organisations. For many of them, the integration of physical and logical security technologies was neither an option nor a priority.

The world of logical access security technologies

Logical access security has been part of information technology almost since its inception - and has always remained under the aegis of the IT organisation. In the early days of corporate computing - when multiple users shared access to a single main computer via directly-connected terminals - passwords provided a simple, yet relatively effective form of protection, especially when the terminals could only be used from inside a secured building.

As computing power has become more distributed and computer networks evolved from smaller, private entities to vast, shared resources on the public Internet, the need for logical access security has grown. Today, users can connect to corporate IT resources far away from corporate facilities via the Web and virtual private networks (VPN). At the same time, IT departments have had to contend with the constantly-escalating risks posed by hackers, industrial spies, cyber-thieves, and saboteurs, and disgruntled employees. With all of these concerns to deal with, most IT executives were likely happy to leave the responsibility for physical access security systems to their corporate security department peers.

This situation is changing, however, as physical and logical security concerns mount and persistent issues such as inadequate security policy and enforcement continue. Today, more and more organisations are asking: "Why can our physical and logical security systems not work together to share data and strengthen each other?"

Now is the time for convergence

For years, physical access security systems acted as the first line of defence against unauthorised logical access. After all, if a person could not gain entry to a corporate building, that person could not gain unauthorised access to corporate applications and data.

That changed with the advent of remote access. Remote access via VPNs, the Web, and wireless networking has opened up IT resources that can no longer be protected by physical access systems alone.

Various vendors have tried to solve the problem using conventional approaches. These include:

Multifunction cards for both physical and logical access

These cards use a magnetic stripe, barcode or radio frequency identification (RFID) to identify users as they enter corporate facilities and when they use a computer. These approaches provide a cost-effective solution, but the level of physical/logical integration is very low. For example, they offer no event reporting and no ability to control or streamline user privileges. Moreover, multifunction cards do not prevent the use of a card by an unauthorised person should that card be lost or stolen.

Identity management solutions

These solutions offer full provisioning for new users, streamlining the creation of Active Directory or directory accounts and required user applications, as well as physical access privileges. However, user provisioning systems are extremely costly, difficult, and time-consuming to implement, often taking several years. They require the wholesale rebuilding of an organisation's physical and logical security systems, including designing the requisite workflow and the consolidation of identities across all physical and logical systems. In addition, an identity management solution only becomes operational once all these tasks have been completed successfully; there is no way to implement one or benefit from it in an incremental fashion. As a result, identity management solutions are largely applicable for only the Fortune 1000 corporations that have the required budget and staffing resources to undertake multiyear projects.

Consolidating reporting systems

In lieu of tight integration between physical and logical access systems, this approach gathers logs from application, network, and physical access systems and generates consolidated reports by users. Implementing a consolidated reporting system can be time-consuming and difficult, because it requires the creation of an adapter for virtually every component of logical access security: every application, every directory, and every network access system, and in many cases, resolving ambiguities in user identities. A consolidated reporting system also needs to be able to understand all the different data formats for these technologies. However, the biggest drawback to consolidated reporting systems is that they do not offer a comprehensive converged solution. They only support forensic reporting, which - while certainly a key capability - can only provide a timeline of what has already happened. They do not allow policy control nor do they streamline provisioning, and they do nothing to prevent security violations from happening in the first place.

Requirements of a converged solution

While all of these approaches can provide some degree of additional protection, they do not satisfy all the requirements of a truly converged solution. To fulfil the growing demand among companies of all sizes for a fully-integrated answer, a converged solution must:

* Approach security from an holistic view.

* Offer fine-grained, zone-based logical access coupled to a user's badge status and location.

* Leverage existing security investments.

* Enforce both physical and logical security policies.

* Have monitoring and reporting capabilities in order to demonstrate compliance with acts such as Health Insurance Portability and Accountability (HIPAA), Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), and HSPD-12.

* Be cost-effective for companies of all types and sizes.

* Be easy to deploy.

* Deliver a measurable return on investment.

The notion of converging physical and logical access security is not a new one. It has actually been around for some time, but historically, implementation has been a problem. Because physical and logical security systems have had little in common technologically, integrating them was a costly and complex proposition. The lack of interaction between the physical security experts and information technology providers has also hindered convergence.

However, an opportunity now exists for the worlds of physical and logical access security to come together at last. Here is why:

The widespread adoption of IP

Over the past decade, Internet Protocol (IP) has become the de facto standard for corporate IT networking. Having a common protocol reduces wiring requirements, deployment time, cost, and enables convenient management and administration via Web browsers. These advantages have led more physical security device providers to make their products IP-compatible. Today, many physical access devices are IP-capable, including cameras, card readers, and access controllers.

An increased effort by physical access security vendors to create convergence-friendly solutions

More vendors are responding to customer demand and seeing the value in supporting convergence. Many of them are now promoting standardised APIs for integration or exposing interfaces that can be accessed by IT-based solutions.

Greater awareness of what identity management can do for security

As shown above, converged solutions that are built around identity offer more comprehensive security protection and related benefits.

The recognition by auditors that corporate resources cannot be secured by door locks and firewalls alone

As auditing for regulatory compliance becomes more widespread, more auditors are seeing the gaps in corporate security and alerting their clients to take action.

Emerging standards

Standards such as Open Security Exchange and PhysBits are being defined to enable easier physical/logical access security integration.

More cost-effective card token solutions

Recently, vendors have introduced a new generation of more affordable smartcards, such as Mifare DESFire and HID's iClass. Based on a contactless smartcard chip, these widely-adopted cards offer a far more secure token than the traditional 125 KHz Prox technology used with most access control systems, making them suitable for use in IT security.

The impact of enterprise single sign-on (ESSO)

As more organisations deploy ESSO, which allows users to login from anywhere, to all applications, via a single, complex password, it is driving demand for strong user authentication and more comprehensive security policies for network and remote access.

New gateway technologies

A new generation of gateway technologies is targeting - and fixing - common convergence problems. These gateway products bridge the gap between the physical and logical systems to provide a secure means of exchanging identity information and realtime events.

As a result of all of these factors, converged physical/logical access security systems will no longer be too costly or complex to deploy.

How a converged security solution might work

The illustration shows one way of implementing a converged physical/logical access security solution that can consolidate identities, set policies, monitor and track events, manage access rights to software applications and generate consolidated reports.

The convergence gateway (centre) consolidates identities from the physical access system (lower right) and ties them into the true user identities obtained from directories and authentication servers used for network and remote access (upper right). The gateway maintains the relationship between the user's true network identity and the aliases by which the user may be known by other systems. The convergence gateway is also able to set access policies to control both the VPN (near left) and network authentication through each of the authentication modes available to end-users (far left). With the physical and logical access security mechanisms linked, identity management centralised, and policies in place, the converged solution is then able to monitor and track events generated by the physical access security system and the directories and provisioning systems.

In this example, software applications have been ESSO-enabled (middle box at right), allowing the converged solution to manage access rights to those applications, as well. Finally, because the converged solution is able to read and translate all relevant file formats from both physical and logical access systems, it is capable of creating consolidated reports.

Convergence scenarios

Once an organisation has implemented a converged physical/logical access security solution, it can be used in a variety of ways to support a range of policies. The following are some typical scenarios:

Network access policy

With a converged solution, organisations will be able to set policies with a variety of conditions, such as:

* A user is granted both network and remote access - only - with a valid ID badge.

* A user is granted network access - only - if he or she has logged in within a specified time after entering the facility.

A user is granted network access - only – upon entry through a specific door or zone.

Event management

A converged solution will be able to assist an organisation in responding promptly to a variety of security events by alerting the proper people. For example:

* It will be able to notify a facility administrator if a network account is being accessed when the user is not present in the facility.

* It will be able to notify an IT administrator if a remote account is being accessed while the user in question is in the building.

* It will be able notify an IT administrator when a terminated user attempts to gain network or remote access.

Access reports

Organisations will be able to track each user's network and remote access history and compare them against facility entry records. This would be useful for providing a complete timeline that establishes a history of how and when a user entered a building, logged onto a network, and if ESSO is enabled, what applications were accessed. This comprehensive audit trail is extremely useful for investigating breaches or leakages.

This is also a key compliance tool for auditors. It is extremely difficult to recreate such a timeline today because access logs are locked within the different physical and logical access security applications: the log that tracks people who enter a facility is locked within the physical access system; the network access log is kept in the network directory; and each software application keeps its own record of each time a user accesses it.

However, a converged solution enables forensic timelines by supporting integrated event and report generation. The convergence gateway collects such information from all components, enabling it to recreate the entire sequence of events: how the user got into the building; how the user got onto the network; what authentication mode was used; what the network logon name was; how long the user stayed on the network. If ESSO-enabled, the converged solution can also track which applications the user accessed, either via the network or remote access.

Beyond the gap

What will it mean to corporate security when the worlds of padlocks and passwords finally converge?

A number of converged physical/logical access security systems are expected to come to market within the next year. As they do, those organisations that deploy them will be among the first to benefit from the enhanced capabilities they offer. These benefits include:

Improved user management

* Streamlined procedures for adding/removing users from physical and logical security systems.

* Improved consistency of user demographics across all systems.

Greater ROI from existing infrastructure

* More value extracted from badges and proximity cards that organisations have already deployed.

* Full leverage of the existing infrastructure of readers and doors controlled by physical access control systems.

Enhanced perimeter security

* Incorporation of user location, time of badge-in, and badge status within network/remote access policy.

* Verification of badge status prior to granting network/remote access.

* Better enforcement of physical access. policies against tailgating.

Regulatory compliance

* Support for HIPAA, GLBA, SOX, HSPD-12, and more.

Improved risk management

Incorporation of user location, time of badge-in, and badge status within network/remote access policy.

* Consolidated logging of entry and access records by true user identity.

* Realtime response to network alarms.

* More accurate emergency roster lists.

A bridge to a more secure future

With the momentum building behind the development of converged physical/logical access security systems, it is not too soon for companies to begin thinking about how their organisations could benefit from the enhanced security and compliance these solutions will deliver.

In particular, companies may want to begin formulating their convergence solution plans in order to ensure a sensible, affordable, smooth, and incremental implementation.

One way to begin is by asking some basic questions such as:

* How should existing security policies be revised to take advantage of the capabilities of converged solutions?

* Should the planned converged solution take a comprehensive approach that includes ESSO-enabling applications for stronger application security and easier password management?

* Should all facilities deploy converged security, or only those buildings - or areas within buildings - that present the highest security risks?

* Should the solution encompass all employees, or only those at certain levels, within certain departments, and/or within certain facilities?

* What components of the converged solution should be implemented first, and which can wait until a later date?

By discussing these and other questions with representatives from both the corporate security and IT departments and achieving consensus, organisations of all sizes and types can take the first, positive steps toward cost-effective physical/logical access security convergence and a more secure future.

Share this article:

Further reading: