
By David Ting, Financial Services Today
Does the name Société Générale ring any bells? For those in the financial services or security sectors, chances are it does. At the recent Kuppinger and Cole’s 2nd European Identity Conference, Société Générale was a big topic of discussion. Based on the conversations I had at the event, it’s safe to say the incident has done its part to collectively raise industry sensitivities around security – specifically the dire consequences a company may incur if it does not have a holistic security solution in place capable of giving it 360-degree protection.
One could argue that financial services companies are a bigger target for security attacks than many other businesses. After all, everybody knows these businesses have money – a lot of money. This large target explains why financial services companies are some of the earliest adopters of any new security technology – from firewalls and intrusion detection through to one-time password tokens for customers to prevent phishing attacks. The problem is that despite the potential for breaches and the recent wave of awareness, many still don’t realize that the threat, which was once considered exclusively an “outsider” issue, has entered the building and is becoming widely known as the insider threat. In the case of financial institutions, it’s not hard to imagine a disgruntled employee who feels entitled to a little bit of that money. What security breaches in the financial market are showing us is that if a company does not have in place a solution capable of securing the entire operation – from front door to back door and everything in between – someone can do just that. This wrinkle has created an entirely new wave of security challenges that have many businesses searching for answers.
And, what have they found in the way of answers?
So what can financial services businesses do to protect their entire operation, both from outsider and insider attacks? The answer is a solution that marries physical security with IT security to redefine how they manage identities and control access. Consolidating user credentials from these two separate systems – converging physical and logical security – means that a better picture of access control can be created, leading to tighter overall security.
Bringing these two sides together sounds completely logical, and the concept has been around for quite some time. The issue is that in the past this move presented a set of challenges that prevented many from taking their first step. The first hurdle was the fact that access control systems in the IT and physical worlds had little in common technologically. As a result, the integration of the two sides was a costly and complex proposition that many were not willing or able to take on.
A second challenge was the lack of interaction between the physical security experts and information technology providers. Under the old model the facilities management department would cover the physical side of things, and IT would be handled by the IT manager with help from their team. This “tunnel vision” approach was primarily the result of their historical separation and the delineation of responsibilities of those in charge (i.e. each division had separate budgets and unique targets to meet), which in the end gave the two parties very little cause to co-operate on a project.
Physical/Logical: Why Now?
Despite past hurdles, the cry for 360-degree security solutions remains on the hot seat. The catalyst behind IT and physical security working together comes from several sources. First, it’s a shared sense of urgency. IT security is driven by both regulations (e.g. the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard) and fear of costly data loss, along with the negative publicity that accompanies it. Translation: nobody wants to make the next day’s newspaper for a security breach. Just ask Société Générale, whose $7 billion loss made the front page of papers all over the world and has a never-ending shelf life on sites such as Google.
Add to these fears the evolving business models, which have placed increasing pressure on companies to make digital assets available to third parties outside of the physical office and the company network, including partners, customers and contractors, all of whom are in remote locations. This change has effectively enlarged the boundaries of the company and placed further strain on the IT department, whose goal of ensuring the right information gets to the right user at the right location grows considerably more difficult.
What security professionals need is a more logical basis for their decisions, one that gives them greater confidence in establishing which individuals are authorized to do what and when (i.e. enter the building, access files, etc…). What is also required is a flow of information where knowledge can be pulled from one side to the other to help the overall organization develop a greater confidence in the identity of the allowed users.
This is precisely where the third catalyst comes into play, and it’s the piece of good news that you have been waiting to hear. Over the past decade, Internet Protocol (IP) has become the de facto standard for physical access system devices. What this means is that the two sides have begun to speak the same language. Having both sides use the same protocol has helped to bring them together by reducing wiring requirements, deployment time and expenses, and ultimately has given each greater confidence in identifying who is allowed access into the building and onto the network. It has also sparked an ongoing day-to-day conversation between IT and those in charge of physical security. The regular two-way dialog between the two sides has led more physical security device providers to make their products IP-compatible. In fact, today the list of IP-capable access devices has expanded considerably, including cameras, card readers and access controllers.
What’s Next?
As echoed throughout this article, companies have traditionally viewed the process of converging IT and physical access systems as a daunting task. It is also one that has been regarded as a long-term process that could take years to complete. This is no longer the case. Companies today can begin to take advantage of convergence more quickly and easily than they might think. This can be achieved by using existing assets to drive new policies for improving confidence, auditing, compliance, privacy and security while lowering overall risk. Strong authentication and strong passwords are measures that have been adopted to improve security on the IT side. Physical/logical convergence is essentially just one more dimension: an enforcement mechanism for IT security that is easy to develop and overlay onto existing access policies.
Integrated security information is the key to building greater confidence around users and is especially important as both sides strive for greater security and audit tracking. The fact is that the best untapped information at the disposal of both IT and physical security leaders is the real-time access data held by the other side. By integrating their information systems, the two sides can share this data and construct new policies that replace guesswork and assumptions with decisions based on hard data about users.
Almost every company has cards or some form of physical access system. When a person badges into the office, that action is loaded with information that enables staff to make solid decisions about the rights granted to that person. Now, when that user enters the building and tries to log on to the network, a check against the physical security system lets the IT system know whether that person is allowed in from that particular location. On top of that, specific rules can govern network access within certain controlled areas of the building. For example, a policy can state that only IT administrators within certain areas can access a server to make changes.
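The badge-then-logon check described above, as an added illustration that is not code from the article or from any vendor product: a logon decision is cross-checked against a constructed badge log, denying users with no badge-in record for the zone their workstation sits in, and restricting server changes to IT administrators logging on from the server room. The badge log format, zone names, host-to-zone inventory and 12-hour window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample badge log: (user, zone entered, ISO timestamp). In a real
# deployment this would be exported by the IP-connected physical access system.
BADGE_LOG = [
    ("alice", "lobby", "2008-05-12T08:02:00"),
    ("alice", "server-room", "2008-05-12T08:10:00"),
    ("bob", "lobby", "2008-05-12T08:15:00"),
]
# Assumed inventory: the badge zone each workstation physically sits in.
HOST_ZONE = {"ws-101": "open-floor", "con-01": "server-room"}
# Zones a person must have badged through to be physically present in a zone.
ZONE_PATH = {"open-floor": ("lobby",), "server-room": ("lobby", "server-room")}
IT_ADMINS = {"alice"}          # assumed directory group
BADGE_WINDOW = timedelta(hours=12)  # how recent a badge-in must be


def zones_badged(user, at, log=BADGE_LOG):
    """Zones the user badged into within BADGE_WINDOW before `at` (a datetime)."""
    return {zone for who, zone, ts in log
            if who == user and at - BADGE_WINDOW <= datetime.fromisoformat(ts) <= at}


def authorize_logon(user, host, at_iso, change_servers=False, log=BADGE_LOG):
    """Decide a network logon by cross-checking the physical badge log.

    Returns ("allow" | "deny", reason)."""
    zone = HOST_ZONE.get(host)
    if zone is None:
        return "deny", f"unknown workstation {host}"
    seen = zones_badged(user, datetime.fromisoformat(at_iso), log)
    for required in ZONE_PATH[zone]:
        if required not in seen:
            # No badge record: the person either tailgated in or is not on site.
            return "deny", f"no badge-in for zone '{required}'"
    if change_servers:
        # Policy from the article: only IT admins in the server room may change servers.
        if zone != "server-room":
            return "deny", "server changes only from a server-room console"
        if user not in IT_ADMINS:
            return "deny", f"{user} is not an IT administrator"
    return "allow", f"{user} badged through {ZONE_PATH[zone]}"


if __name__ == "__main__":
    now = "2008-05-12T09:00:00"
    print(authorize_logon("alice", "con-01", now, change_servers=True))
    print(authorize_logon("bob", "con-01", now))    # bob never badged into the server room
    print(authorize_logon("carol", "ws-101", now))  # no badge record at all
```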
What’s important to remember is that cards and systems do not have to change to make an environment more secure. What we are talking about is a better way to enforce established policy. Why is this the case? The design premise of the physical/logical converged system is to take advantage of the systems you already have, without requiring users to learn anything new, and instead simply to enforce the required rules – eliminating tailgating or a “wave and smile” check-in at the lobby desk.
Enforcing those policies across systems can make all systems more effective. Connecting security information can make both systems stronger.
The keys to the entire model are information sharing, policy enforcement and the ability to track and trace. By sharing information on how security is designed at a fundamental level, the physical and IT folks come to understand that what they once looked at as being very different are in fact very similar. Hallways in the physical world are like networks in the IT world. Rooms are like servers, and the front gate is like a firewall. Once you get past the security (authentication) check at the gate (firewall), the user is free to walk the hallways (network), with some limitations, per their policy. Some rooms within the office (servers) are secured (password protected) while others are open to anyone who was able to clear security at the front door (network log on) or presented the appropriate badge (password) at a side door (VPN gateway). The basic structure is very analogous, and for very good reason: physical security is a model that works. From there, policies are easy to understand. IT is now just another layer in the physical security system, and physical security is another layer of authentication.
The financial services industry is under an unprecedented amount of pressure. One small mishap or oversight, whether letting an unauthorized person enter the building or a disgruntled employee accessing confidential company documents, can quickly take on a life of its own. The results can be anything from lost revenue to a tarnished corporate reputation. As a result, financial services companies have taken the lead in looking long and hard at their current security solutions and policies with the goal of creating one complete and unified model. What these organizations are finding is that the hurdles that inhibited this merger in the past have been eliminated, and now more than ever they have the opportunity to implement the 360-degree protection they have been looking for.
Named one of Infoworld's Top 25 CTOs of 2006, David has more than 20 years of experience in developing advanced imaging software and systems for high security, high-availability systems. Prior to founding Imprivata he developed biometric applications for government programs and web-based applications for secure document exchange. David was formerly the technical manager of Kodak's Boston Technology Center, a systems development group for Eastman Kodak. He managed an engineering group that developed the software platform used in most of Kodak's digital photography products including Photo CD print applications.
Prior to that position, he managed Atex System's Imaging Department, where he was responsible for the first full color output system used in the newspaper industry. David worked for a number of start-ups including Lexidata, Inc., and Delphax Systems, now a division of Xerox. Most recently, he was chief architect for eCopyIt, an Internet infrastructure start-up offering distributed document capture and direct delivery of documents. He was a member of the scientific staff at the BNR/INRS Labs in Montreal, a collaborative research institution jointly operated by Bell-Northern Research and University of Quebec. He holds eight patents and has several pending.