By David Ting, Founder and CTO, Imprivata
The role of security is changing dramatically. As technological capabilities have finally caught up with security theory, many organizations are now looking to bridge physical and logical access systems for unified enterprise security management, and as these companies are realizing the benefits of a converged solution, the industry is beginning to redefine the role of security.
Despite their common purpose, physical access and logical access technologies exist in parallel worlds. Physical access technologies, such as building security systems and employee access cards, are controlled by the corporate security department. Application passwords and firewalls are the domain of the IT department. Each group’s respective networks, technology paths, and user interfaces are completely separate.
That situation is changing, however, as physical and logical security concerns mount and persistent issues such as inadequate security policy and enforcement continue. Organizations are now asking why physical and logical security systems cannot work together to share data, strengthen each other and ultimately allow a more cost effective overall security solution. Additionally, it is now possible for companies to successfully merge the two culturally and technologically disparate worlds of building access and network access with minimal disruption to current security investments.
The concept of converging physical and logical access security is not new. It has been around for some time, but historically, implementation has been a problem. Because physical and logical security systems traditionally operated in totally independent worlds with no reason to interconnect, convergence has been thought of as costly and complex. Various vendors have tried to solve this problem using approaches such as multifunction cards, pure identity management solutions and the consolidation of reporting systems. For a variety of reasons, these efforts have proved costly, extremely time-consuming to implement and dependent on major up-front investment – all ingredients for failure. However, an opportunity now exists for the worlds of physical and logical access security to come together at last.
Although they come from separate disciplines, what these two areas have in common is that they both deal with identities and they both need to enforce policy. The term “security policy” used to mean different things to different people. For the facilities management department, it covers physical access points and training staff to lock all doors and windows before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. This situation is changing now that IT and physical security are being managed together.
The biggest area of interest on both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by staff. Making security policies stick can be tough, especially if they change the ways that people are used to working. The convergence of these two distinct security disciplines makes policy enforcement possible across both of them at once.
From a physical perspective, policies can take many forms: for organizations with door access security, “badging” into the building is a mandatory requirement for all staff. However, proving that everyone who is within the building has badged in can be problematic, as an employee could walk in at the same time as another person who has badged in. This process is called “tailgating,” and results in no record of an individual coming into the building. This not only breaks the organization’s security policy over physical access, but also means that it is more difficult to build up a complete list of who is in the building in the event of a fire or other security threats.
By linking the physical access system to the IT infrastructure, behaviour can be enforced more strictly. In the tailgating example, someone who does not badge into the building can be denied access to their IT assets. When the user logs in, the network can automatically query the building access system to check that the person has signed themselves into the premises. If not, access is denied until they have swiped their card. This approach does not affect users who behave correctly and reinforces adherence to the company’s policy.
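The login-time check described above, written out as an added example (it is not code from the article, and it is not Imprivata's or OneSign's implementation). It assumes a badge-event feed in which each door swipe carries the user, the site the door belongs to and a direction of "in" or "out", and a login attempt tagged with the site the workstation is located at; all of those names and the sample events are constructed for illustration. It goes slightly beyond the text by also handling two edge cases a practitioner would want: a user whose last swipe was an exit, and a badge-in that is too old to be trusted.

```python
"""Location-based login check: deny a network login unless the building
access system shows the user badged into the site the login comes from.
Constructed example; the badge feed, site mapping and time window are
assumptions, not any vendor's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY_NO_BADGE = "deny: no badge-in record at this site (possible tailgating)"
    DENY_BADGED_OUT = "deny: last badge event at this site was an exit"
    DENY_STALE = "deny: badge-in is older than the allowed window"


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    site: str        # site the door belongs to (assumed mapping door -> site)
    direction: str   # "in" or "out"
    at: datetime


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    site: str        # site derived from the workstation's location
    at: datetime


def last_badge_event(events: Iterable[BadgeEvent], user: str, site: str,
                     before: datetime) -> Optional[BadgeEvent]:
    """Most recent badge event for `user` at `site` at or before `before`."""
    candidates = [e for e in events
                  if e.user == user and e.site == site and e.at <= before]
    return max(candidates, key=lambda e: e.at) if candidates else None


def decide(events: Iterable[BadgeEvent], attempt: LoginAttempt,
           max_age: timedelta = timedelta(hours=16)) -> Decision:
    """Apply the policy: badged in at this site, not since badged out,
    and not so long ago that the presence record is no longer credible."""
    ev = last_badge_event(events, attempt.user, attempt.site, attempt.at)
    if ev is None:
        return Decision.DENY_NO_BADGE
    if ev.direction == "out":
        return Decision.DENY_BADGED_OUT
    if attempt.at - ev.at > max_age:
        return Decision.DENY_STALE
    return Decision.ALLOW


def audit_record(events: Iterable[BadgeEvent], attempt: LoginAttempt) -> dict:
    """One converged audit line correlating the login with the badge event
    it was judged against, so a single report covers both systems."""
    ev = last_badge_event(events, attempt.user, attempt.site, attempt.at)
    return {
        "user": attempt.user,
        "site": attempt.site,
        "login_at": attempt.at.isoformat(),
        "badge_at": ev.at.isoformat() if ev else None,
        "badge_direction": ev.direction if ev else None,
        "decision": decide(events, attempt).name,
    }


# Constructed sample data: one morning at a two-site organization.
T = datetime(2024, 3, 4, 9, 0)
BADGE_LOG = [
    BadgeEvent("alice", "hq", "in", T - timedelta(minutes=5)),
    BadgeEvent("carol", "hq", "in", T - timedelta(hours=1)),
    BadgeEvent("carol", "hq", "out", T - timedelta(minutes=10)),
    BadgeEvent("dave", "hq", "in", T - timedelta(hours=20)),   # yesterday
    BadgeEvent("erin", "lab", "in", T - timedelta(minutes=2)),  # other site
    # bob never badged in: walked in behind alice (tailgating)
]
LOGINS = [
    LoginAttempt("alice", "hq", T),
    LoginAttempt("bob", "hq", T),
    LoginAttempt("carol", "hq", T),
    LoginAttempt("dave", "hq", T),
    LoginAttempt("erin", "hq", T),
]


def run_sample() -> dict:
    """Decision for each sample login, keyed by user."""
    return {a.user: decide(BADGE_LOG, a) for a in LOGINS}


if __name__ == "__main__":
    for attempt in LOGINS:
        print(audit_record(BADGE_LOG, attempt))
```

The "stale" rule is the one judgement call: a badge-in with no matching badge-out from the previous day usually means the exit was not recorded (the same tailgating problem in reverse), so the window should be tuned to the site's longest plausible shift rather than disabled.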
A building access card can be used as a factor for gaining access to the IT system as well. By linking a user’s password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers. As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely. Having an additional factor replace the standard password for access means that security is tighter overall and unauthorized access is more difficult.
Using a building smart card as an authentication method to gain access is also not new, but merely reusing the card without integrating the systems is not enough. Without linking the two systems together and allowing the IT access system to query the building access server, a user signs into two completely separate, “siloed” systems that happen to use one smart card. The combined approach, on the other hand, integrates building and IT security at a system level and allows security policies to be managed and enforced across both the physical and network layers, instead of leaving two systems that don’t talk to each other.
Traditionally, separate areas of the organization have been responsible for each side: the facilities management department would cover the physical side of things, while IT would be handled by the IT manager and his or her team. As these two divisions would normally have completely separate budgets and targets to meet, there would be no reason for them to cooperate on projects. However, these circumstances are also changing: as more physical security systems rely on services provided by the network, IT will ultimately be called on to participate in the design and support of physical security systems, and vice versa. A converged approach lets both departments get the information they require, at a lower cost than would be possible through separate systems.
Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions. When physical and logical access security components work together, companies use them to complement and reinforce one another, improving security for all. Convergence allows organizations to manage all forms of security under a single umbrella for maximum control. Auditing and reporting within this converged security environment is simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy. A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts.
About the Author
Named as one of InfoWorld's Top 25 CTOs of 2006, David Ting, Imprivata’s co-founder and CTO, has more than 20 years of experience in developing advanced imaging software and systems for high security, high-availability systems. Prior to founding Imprivata, he developed biometric applications for government programs and web-based applications for secure document exchange. Ting was formerly the technical manager of Kodak's Boston Technology Center, a systems development group for Eastman Kodak. He managed an engineering group that developed the software platform used in most of Kodak's digital photography products including Photo CD print applications. Prior to that position, he managed Atex System's Imaging Department, where he was responsible for the first full color output system used in the newspaper industry. David worked for a number of start-ups including Lexidata, Inc., and Delphax Systems, now a division of Xerox. Most recently, he was chief architect for eCopyIt, an internet infrastructure start-up offering distributed document capture and direct delivery of documents. He was a member of the scientific staff at the BNR/INRS Labs in Montreal, a collaborative research institution jointly operated by Bell-Northern Research and University of Quebec. He holds six patents and has several patents pending.
Imprivata is the enterprise authentication and access management appliance company delivering OneSign—an easy, smart and affordable appliance for securing networks, applications and building/IT access. Its products include OneSign Authentication Management, which increases network security by replacing Windows passwords with strong authentication options; OneSign Single Sign-On, which quickly and effectively solves password management, security and user access issues; and OneSign Physical/Logical, which integrates building and network access systems to enable location-based authentication. For more information, please visit www.imprivata.com.