Security policy has typically meant different things to different people within an organisation.
The facilities management department covers all physical access points, teaching staff to lock all doors and windows before leaving for the night. IT managers keep up to date with the latest patches and ensure users only access the applications and data they are allowed to access.
Despite the common purpose, physical and logical access technologies have existed in separate, parallel worlds for years. Physical access technologies, such as building security systems and employee access cards, are controlled by the corporate security department. Application passwords and firewalls are the domain of the IT department. Each group’s respective networks, technology paths and user interfaces are completely separate, and there is no coordination between the two departments.
Today, however, enterprise security is changing dramatically. Technological advances have finally caught up with security theories, and now many organisations are looking to bridge network (logical) and building (physical) security operations together for unified, enterprise security management.
At the heart of this intersection is security policy.
Enterprise security management
Enterprise security is governed by established policies employees are required to follow. Both physical and logical sides of security are tasked with ensuring respective policies are being enforced and actually adhered to by staff on a consistent basis. However, making security policies stick can be tough, especially if it changes the way employees have been working.
For a facilities management department, physical security policies can take many forms. For organisations with door access security, badging into the building is a mandatory requirement for all staff. This creates a problem – the ability to prove everyone who has entered the building has actually badged in. Employees oftentimes walk in at the same time as another employee who has already used their badge. This process, known as tailgating, results in no record of an individual coming into the building. This not only breaks the organisation’s security policy regarding physical access to the enterprise, but it also means it is more difficult to build up a complete list of who is in the building in the event of a fire or other security threat. The result of the behaviour is a gaping hole in the physical security side of the enterprise.
By linking the physical access system to the IT infrastructure, employee behaviour can be enforced more strictly. For example, if an employee does not badge into the building, their access to IT assets can be denied. When logging in, the network can automatically query the building access system to check if the person has signed into the premises. If they have not, access will be denied until they present their card.
A building access card also can be used as a factor for gaining access to the IT system. By linking a user’s password to the building access card, an organisation can roll out strong authentication for staff without having to invest in additional tokens, biometric readers or another form of two-factor authentication. As most building access cards are short-range RFID devices, a USB reader connected to the PC also can act as a method for secure network access.
Using a building smartcard as an authentication method to gain access is not new. However, previous approaches to using the cards have not integrated the typically disparate systems. Instead of linking the two systems together and allowing the IT access system to query the building access server, a user within an organisation will sign into two separate, siloed systems that happen to use one smartcard. The combined approach integrates building and IT security at a system level and allows security policies to be managed and enforced across the physical and network layers.
Uniting facilities management
Convergence of physical and IT security brings with it the need for businesses to change approaches to managing these areas. Traditionally, there have been distinct areas of the organisation responsible for managing IT and physical security. The facilities management department would cover the physical side of enterprise security, while IT issues would be handled solely by the IT manager and team. As these two divisions have completely separate budgets and targets to meet, there is no reason to cooperate on projects.
This situation is changing. As more physical security systems rely on services provided by the network, IT will ultimately be called to participate in the design and support of physical security systems. A converged management approach allows both departments to get the information required at a lower cost than what would be possible through separate systems.
© Technews Publishing (Pty) Ltd | All Rights Reserved