Bridging Physical Access Systems and IT Networks
Nov 10, 2006 4:00 AM PT
In today's world, the role of security is changing dramatically. As technological capabilities have finally caught up with security theory, many organizations are now looking to bridge building and network access systems for unified enterprise security management.
Despite their common purpose, physical access and logical access technologies exist in parallel worlds. Physical access technologies, such as building security systems and employee access cards, are controlled by the corporate security department. Application passwords and firewalls are the domain of the IT department. Each group's respective networks, technology paths, and user interfaces are completely separate.
That situation is changing, however, as physical and logical security concerns mount and persistent issues such as inadequate security policy and enforcement continue. Organizations are now asking why physical and logical security systems cannot work together to share data and strengthen each other. Additionally, it is now possible for companies to successfully merge the two culturally and technologically disparate worlds of building access and network access without new investments.
For years, physical access security systems acted as the first line of defense against unauthorized logical access. After all, if a person could not gain entry to a corporate building, that person could not gain unauthorized access to corporate applications and data.
That changed with the advent of remote access. Remote access via VPNs, the Web, and wireless networking has opened up IT resources that can no longer be protected by physical access systems alone. Companies are gaining a firmer security posture by tightly associating building, LAN and VPN access.
With the convergence of physical and logical security technologies, organizations now have new opportunities to:
- Strengthen and gain greater control over total security;
- Add a practical and affordable second authentication factor;
- Better enforce both physical and logical security policies;
- Enable the enforcement of company anti-passback/tailgating building access policies;
- Better coordinate security resources in critical and emergency situations; and
- Achieve compliance with regulations, such as the U.S. Homeland Security Presidential Directive-12 (HSPD-12), Federal Information Processing Standard-201 (FIPS-201), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Sarbanes-Oxley (SOX).
Various vendors have tried to solve the problem using conventional approaches. These include multifunction cards, identity management solutions and consolidating reporting systems. However, these methods have been unsuccessful for a couple of reasons.
They proved to be very costly and extremely time-consuming to implement -- often taking several years. In addition, they failed to offer a comprehensive, converged solution capable of preventing future security violations or the use of a card by an unauthorized person.
Physical and logical convergence enables organizations to create a single, converged security policy for use across systems and across the company. Taking converged security a step further than simply leveraging the building access keycard for network access, organizations are gaining the ability to grant or refuse network access based on a user's physical location, user role and/or employee status.
This means that users must physically sign in to use the organization's facilities and network -- and cannot access their company's VPN while already logged into the building. This prevents redundant user log-ins, further raising the protection of each user's identity and the organization as a whole.
Location-based authentication ensures that IT resources are being accessed and utilized by authorized users as determined by where they should be, and eliminates the potential for redundant, questionable user log-ins from different locations.
Tying together physical and IT security effectively not only consolidates user credentials from disparate network, remote access, application and physical access accounts, but also provides a single point for administrators to instantly lock out user access across both physical and logical assets. With this approach, events and alarms from physical security access systems are incorporated into network access decisions, providing a finer layer of authentication for closing security holes and providing organizations with broader monitoring and reporting capabilities in order to better demonstrate regulatory compliance.
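The location-based rules described above (LAN access only after a badge-in at that site, no VPN session while badged into a building, one lock-out point for doors and network), sketched as an added Python example. It is not from the article or any vendor's product; the class, method and channel names and the sample users and sites are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ConvergedPolicy:
    """Hypothetical decision point fed by door-controller events."""
    active: set = field(default_factory=set)    # users whose employee status is active
    inside: dict = field(default_factory=dict)  # user -> site they are badged into

    def badge(self, user, site, direction):
        """Apply a badge event; False means rejected (lock-out or anti-passback)."""
        if user not in self.active:
            return False
        if direction == "in":
            if user in self.inside:  # entry with no recorded exit
                return False
            self.inside[user] = site
            return True
        # An exit with no recorded entry suggests the user tailgated in.
        return self.inside.pop(user, None) is not None

    def lock_out(self, user):
        """Single point of revocation for both door and network access."""
        self.active.discard(user)
        self.inside.pop(user, None)

    def authorize(self, user, channel, site=None):
        """Decide a network login from employee status and physical location."""
        if user not in self.active:
            return False, "inactive or unknown user"
        where = self.inside.get(user)
        if channel == "lan":
            if where is None:
                return False, "no badge-in on record"
            if where != site:
                return False, "badged into another site"
            return True, "on site"
        if channel == "vpn":
            if where is not None:
                return False, "already badged into " + where
            return True, "off site"
        return False, "unknown channel"

def demo():
    """Replay a constructed event sequence and return each decision."""
    p = ConvergedPolicy(active={"alice", "bob"})
    out = [p.authorize("alice", "lan", "hq")]      # not badged in yet
    p.badge("alice", "hq", "in")
    out.append(p.authorize("alice", "lan", "hq"))  # on site
    out.append(p.authorize("alice", "vpn"))        # VPN while in the building
    out.append(p.authorize("bob", "vpn"))          # remote user, not badged in
    p.lock_out("alice")
    out.append(p.authorize("alice", "lan", "hq"))  # locked out everywhere
    return out
```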
When physical and logical access security components work together, companies use them to complement and reinforce one another. Convergence allows organizations to manage all forms of security under a single umbrella for maximum control.
Security, along with the management of all types of risk, both operational and corporate, is now being done better and ultimately more cost-effectively. Organizations of all sizes and types are taking the first, positive steps toward physical/logical access security convergence and a more secure future.
David Ting is the founder and CTO of Imprivata, a provider of enterprise authentication and access management solutions.