Growing numbers of organisations are recognising the natural economies of scale and operational efficiencies available when physical security teams work with similar, complementary IT security groups.
In 2005, companies in Europe and North America will increase spending nearly threefold on projects that combine traditional physical security controls with IT security. That is, locks, cameras, entry systems, and even guard desks will be upgraded to work with the same computing systems that control computer and network sign-on, identity management, and security incident management. Consequently, IT security vendors will rush to merge or find partnerships with their physical security brethren to respond to the new opportunities.
Why 'converge' security?
Historically, physical security vendors sold their products only to physical security departments, sometimes known as the corporate security, campus security, or simply facilities departments.
Meanwhile, IT security vendors targeted IT security departments, the CIO, and the occasional business unit manager. The two markets have always been almost entirely segregated. But now the lines of demarcation are blurring, and customers are inviting vendors from both sides to work together.
The convergence of physical and logical security is not a fad
Security is no longer performed quietly in the basement of the building, away from the cares of business managers. Now, security plays an instrumental role in compliance with regulations, protection of personal information, and enabling many business processes. Therefore, business managers are looking for ways to have better security while also cutting costs and finding economies of scale. One way that this can be achieved is by converging IT security with overlapping corporate or physical security functions.
* Consolidate credentials for IT and physical access onto a single card. A smartcard can serve as an ID badge for building access and can also store IT credentials like passwords and digital certificates. Standardising on a single card may save costs and improve security.
* Connect the processes for granting and revoking building and IT access. Linking the processes for managing employees' IT access rights with those for managing their building access will get people productive quicker and will improve security by ensuring that all necessary revocations take place when appropriate.
* Correlate security events across the physical and IT realms. Security event management systems, presently used to monitor and respond to IT-related events, should incorporate events from physical security systems. An alert should trigger if, for example, the VPN signals an employee logging in remotely while the badging system indicates that he is inside the corporate office.
* Unify the auditing of physical and IT rights and events. By assessing authentication and authorisation processes and controls across IT and physical facilities, organisations will find many opportunities for improved efficiencies and security. For example, Forrester recently performed an audit that showed ways in which one company could streamline processes of employee and visitor badging by integrating existing identity management systems. It also indicated that the company could save money on cameras by aligning intruder detection processes with the IT incident response procedures.
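The VPN-versus-badge alert described in the event correlation point above can be sketched as follows. This is an added example, not code from Forrester or any vendor named in this article; the event fields, user names, door name, addresses, and the 16-hour staleness window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real system); field layout is an assumption.
BADGE_EVENTS = [
    ("2005-03-01T08:02:00", "asmith", "HQ-Lobby", "in"),
    ("2005-03-01T08:15:00", "bjones", "HQ-Lobby", "in"),
    ("2005-03-01T12:30:00", "bjones", "HQ-Lobby", "out"),
    ("2005-02-27T09:00:00", "cwong", "HQ-Lobby", "in"),   # never badged out
]
VPN_LOGINS = [
    ("2005-03-01T10:45:00", "asmith", "203.0.113.7"),    # badge says on site
    ("2005-03-01T14:00:00", "bjones", "198.51.100.20"),  # badged out earlier
    ("2005-03-01T11:00:00", "cwong", "192.0.2.44"),      # badge state is stale
    ("2005-03-01T09:00:00", "dlee", "192.0.2.9"),        # no badge record
]

# Assumption: an "in" swipe older than this no longer proves presence.
MAX_PRESENCE = timedelta(hours=16)

def correlate(badge_events, vpn_logins, max_presence=MAX_PRESENCE):
    """Return alerts for remote VPN logins by users the badge system shows on site."""
    # Merge both feeds into one time-ordered stream so badge state is
    # evaluated as of the moment of each VPN login.
    stream = [(datetime.fromisoformat(ts), "badge", user, (door, direction))
              for ts, user, door, direction in badge_events]
    stream += [(datetime.fromisoformat(ts), "vpn", user, source)
               for ts, user, source in vpn_logins]
    stream.sort(key=lambda event: event[0])

    inside = {}   # user -> (entry time, door) while badged in
    alerts = []
    for ts, kind, user, detail in stream:
        if kind == "badge":
            door, direction = detail
            if direction == "in":
                inside[user] = (ts, door)
            else:
                inside.pop(user, None)
        elif user in inside:
            entered, door = inside[user]
            # Skip stale state, e.g. a missed exit swipe days earlier.
            if ts - entered <= max_presence:
                alerts.append({"user": user, "vpn_time": ts.isoformat(),
                               "vpn_source": detail, "badged_in_at": door,
                               "badged_in_time": entered.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, VPN_LOGINS):
        print(alert)
```

The staleness window matters because badge systems often record entries more reliably than exits; without it, one missed exit swipe would flag every later remote login by that user.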
Watch for sudden growth during the next 12 months
The market, currently described as the convergence of physical and logical security, is beginning to take off. Forrester expects private-sector spending to top $300 million in 2005. Europe will lead in per-capita adoption with projected spending of more than 37 million Euros. Total spending on convergence projects in the public and private sectors in North America and Europe will exceed $1,1 billion in 2005.
These numbers may be conservative
Some public sources project much higher spending by government agencies and port authorities.
Although 2005 budgets have been announced or allocated for massive government convergence projects, Forrester does not expect actual spending to exceed this forecast because of political factors and the complexity of the proposed projects.
Disaster planning is another area of natural convergence. But because disaster recovery best practices have long called for IT systems and physical system backup, Forrester did not calculate disaster-recovery-related spending in this forecast.
Furthermore, the spectre of regulations affecting IT security certainly could cross over and converge with physical security. After all, it will only take a few large audit firms to start including physical security checks in their audits to transform the nature of security management. If that happens, spending could as much as triple over these forecasted numbers.
Convergence projects improve efficiency and security
The reasons for the sudden rise over the estimated $500 million total sales of 2004 include the large European Union-funded border, law enforcement, and homeland security projects, especially in Eastern Europe, as well as the availability of US Homeland Security funding. Additionally, early adoption of multifunction smartcards as a single card for physical and logical access and the emergence of new convergence technologies from companies like CoreStreet and NetBotz have added to the sales rise. Companies like Honeywell, Siemens, and others have contributed to the increase with technologies involving large-scale system integration consisting of authentication, administration, and audit processes.
Additional factors contributing to the rise in 2004 sales include:
* Standardisation. The convergence think tank Open Security Exchange is growing in prominence as a standards discussion group.
* Entry-point technology. Fingerprint, hand geometry, and facial recognition biometric readers at large campus entry points, airports, borders, and other ports are becoming increasingly common.
* Surveillance. IP-based network cameras from Axis Communications, Panasonic, and Sony Electronics and enhanced video systems from vendors like Extreme CCTV, NICE Systems, and ObjectVideo, continue to grow.
* Integration. There are new possibilities for integration between camera and access control systems, such as consoles that display video of physical or logical access events alongside the event log details of that event. Archival searches of access events along with video images are also becoming available.
* Security event management. Vendors ArcSight, eSecurity, and others are following Computer Associates' lead in converting their event monitoring consoles, which were originally designed for IT security events, so that they can now also correlate physical access events.
Vendors and system integrators will adapt slowly at first
According to a recent ranking by Wachovia Capital Markets, large physical security system integrators like Computer Sciences Corporation (CSC), Lockheed Martin and Northrop Grumman collectively account for 39% of the market share for US federal government system integration projects. But none of these firms have turned their relationships with IT security vendors into significant convergence strategies.
Conversely, other top system integrators like Accenture, BearingPoint, SAIC, and Unisys have active relationships with IT vendors and are talking about the convergence of IT and physical security as a focus of their respective security practices. While none of these firms articulates a clear vision on their websites regarding convergence, they nonetheless are sensitive to the challenges and opportunities of merging corporate and IT security projects in the private sector, in some cases partnering with convergence experts ActivCard and Daon.
Honeywell and Siemens are the most mature large integrators in terms of convergence strategy - they have combined IP cameras, access control, security event monitoring and identity management in their comprehensive systems architectures. Tyco Fire and Security combines several product and service brands, such as ADT, American Dynamics and Software House, to pull together some basic convergence projects without any formal convergence strategy or significant IT partnerships.
Lenel Systems International is focused on products rather than integration. Forrester's conversations with Lenel reveal almost no awareness on its part of the opportunities of convergence with IT security.
Convergence projects mean money
End-user organisations can save money by streamlining historically disparate security projects, while vendors can capitalise on new spending.
* Firms with interest in improving operational efficiency may now comfortably explore convergence projects.
* Smartcards function as a platform for multiple uses: corporate ID badges, building access, computer and network access, and more.
* New technologies open up new opportunities for efficient identity and privilege management, security monitoring, and trouble detection.
* A team comprised of members from the two security groups should coordinate their efforts in complying with common standards and regulations.
* Convergence extends beyond products. Organisations can develop joint awareness and training workshops addressing common security concerns: social engineering, proper document and data disposal, workplace harassment policies (including e-mail and Web use), and more.
* The convergence market will grow rapidly during the next five years as enterprise risk management points more companies to greater security efficiencies and effectiveness.
* Vendors of physical or logical security controls ought to investigate trends and seek out convergence applications for their respective technologies.
Note: The most successful convergence projects allow the respective physical and IT security departments to retain their autonomy. In other words, convergence happens best as discrete projects, not as a converged security organisation encompassing corporate and IT departments. See the 10 December, 2003, Planning Assumption 'Trends 2004: Limited Convergence of IT Security and Corporate Security'.
Reference: Forrester Research 2005.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.