Bridging two worlds
Previously, the physical and virtual worlds couldn’t be further apart when it came to security. You entered a building using a physical token like a key or access card, and logged into your computer with a user name and password – with no overlap between the two. Yet that has all begun to change.
Desktop card readers are highly affordable and a growing number of PCs have begun to integrate smart card readers. Accordingly, today’s workers can now gain access to their office buildings and log onto their PC desktops with a single smart card, while one back-end database verifies their identities and access privileges.
Although adoption of security convergence is just beginning, the trend could transform how organizations manage security – and enable greater levels of protection and efficiency as well as exciting new applications. As observed by Derek Brink, Research Director for IT Security at the Aberdeen Group, “Convergence can help companies have a more comprehensive view of risk – it shouldn’t be about logical risk or physical risk in independent silos, but about risk management for the organization. To me that’s the real payoff.”
Different disciplines meet
Unifying two traditionally separate arenas has not been an easy task, and it certainly hasn’t happened overnight. Physical and information security were usually implemented by different types of vendors and different disciplines within customer organizations. Physical security products were also often based on proprietary technologies that made upgrades difficult. According to Brink, in Aberdeen’s company research “we saw a strong bias against ‘rip and replace’ projects,” which older infrastructures may require to achieve convergence.
However, as key physical security components have gone digital – including everything from cameras to readers to controllers to access cards – embracing IP standards was a natural next step. “The starting point of this convergence was really when the access control segment of the physical security industry moved up to contactless smart cards,” states Holly Sacks, Senior Vice-President for Marketing and Global Strategy at secure identity solutions company HID Global. Since the data stored on these cards can also be easily used by computer systems for a variety of applications, they enabled compelling single-token access and digital transaction scenarios for customers.
The US government has also played an important role in encouraging the growth of security convergence. In 2004, President George Bush issued Homeland Security Presidential Directive 12 (HSPD-12), mandating a single unified security system for federal facilities and systems. In the first step last fall, government employees and contractors began receiving ID smartcards that are compatible with both physical and virtual security systems. Although the IDs are not yet widely used, “HSPD-12 was fantastic because it provided a framework,” notes Sacks, giving vendors an easy model to follow for creating new products.
As confidence grows, more cost-effective and easy-to-implement solutions are emerging, giving organizations more incentives to make the move. “Choices have become wider,” states Sacks. For example, HID has partnered with Dell Computer to build readers compatible with HID iCLASS smartcards into select Dell Latitude notebooks. Users can thus carry a single card for facility and network access – and organizations can quickly implement a near off-the-shelf solution. As Sacks notes, “It’s affordable, accessible and easy to use.”
These new solutions provide obvious convenience for users, and that’s just the beginning. Other potential applications seen by Sacks include systems that can track whether an employee has entered the office, and deny remote VPN access if the employee is onsite. Security access can also be tailored by role, so an employee can only access specific parts of a building – and specific applications on the company network – based on one centralized database profile. Or, “green” systems can activate lights and air conditioning only on the floors that workers currently in the building need to access.
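The onsite/VPN check and the single role profile described above, sketched as an added example; it is not code from the article or from any vendor product. The profile layout, badge event format, user names and the 12-hour staleness window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: one central profile drives both doors and network apps.
PROFILES = {
    "alice": {"zones": {"lobby", "floor3"}, "apps": {"vpn", "crm"}},
    "bob":   {"zones": {"lobby"},           "apps": {"vpn"}},
    "dave":  {"zones": {"lobby"},           "apps": {"vpn"}},
}

# Constructed badge log: (timestamp, user, direction).
BADGE_LOG = [
    (datetime(2024, 5, 3, 9, 0),   "dave",  "in"),   # never badged out
    (datetime(2024, 5, 6, 8, 55),  "alice", "in"),
    (datetime(2024, 5, 6, 9, 10),  "bob",   "in"),
    (datetime(2024, 5, 6, 12, 30), "bob",   "out"),
]

# Assumption: exits are not always recorded, so an "in" older than this
# is treated as stale instead of locking the user out of VPN indefinitely.
MAX_PRESENCE = timedelta(hours=12)

def is_onsite(user, now, log=BADGE_LOG):
    """True if the user's latest badge event up to `now` is a recent 'in'."""
    last = None
    for ts, who, direction in log:
        if who == user and ts <= now and (last is None or ts >= last[0]):
            last = (ts, direction)
    return last is not None and last[1] == "in" and now - last[0] <= MAX_PRESENCE

def vpn_decision(user, now, log=BADGE_LOG):
    """Logical access: needs the VPN entitlement and no current onsite presence."""
    profile = PROFILES.get(user)
    if profile is None or "vpn" not in profile["apps"]:
        return "deny: no vpn entitlement"
    if is_onsite(user, now, log):
        return "deny: badge shows user onsite"
    return "allow"

def door_decision(user, zone):
    """Physical access: answered from the same profile as the VPN check."""
    profile = PROFILES.get(user)
    return profile is not None and zone in profile["zones"]

if __name__ == "__main__":
    now = datetime(2024, 5, 6, 14, 0)
    for u in ("alice", "bob", "dave", "mallory"):
        print(u, "->", vpn_decision(u, now))
```

The staleness window is the design decision to review: a shorter window reduces false denials after an unrecorded exit, while a longer one keeps the onsite rule in force for longer.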
Indeed, companies are already realizing incredible gains through convergence. According to a recent Aberdeen Group report, best-in-class companies adopting this model are experiencing improvements in both security and efficiency. Of those surveyed, 83% stated they had reduced the number of physical security incidents, while 48% had reduced virtual security incidents. Meanwhile, more than 20% of best-in-class companies stated they were able to reduce both the time and cost needed to address these incidents. All of these results significantly outperformed industry averages. “Initiatives in integrating logical security and physical security are already helping best-in-class organizations to achieve superior performance,” concludes Brink.
Convergence solutions aren’t flawless. For one thing, IP-based, networked systems can be vulnerable to hacking. “In cases where the physical infrastructure is controlling critical systems, this is a very real concern,” states Aberdeen’s Brink. However, these issues can be addressed with multiple layers of protection – a standard best practice for computer networks. And given the strong potential advantages companies can achieve, it seems likely that nothing will hold convergence back.