Crowell notes that Sarbanes-Oxley has created a thirst for bullet-proof audit capabilities and the capability to answer such questions as: “How could John Q. have accessed those financial records if he never entered the building that day?”

Click for larger view.

Government organizations face other, more stringent mandates. The recent implementation of Homeland Security Presidential Directive 12 (HSPD-12) has primed the pump for security convergence. The directive, which took effect in October, requires government agencies to begin issuing standard PIV (personal identity verification)-2 cards to employees. In time, HSPD-12 smart cards will be used to tie logical and physical access together at government agencies as well as at their private sector contractors.

“HSPD-12 is an attempt to say ‘These worlds should converge. They should be managed together,’” says Brian Contos, CSO of security information management firm ArcSight.

Beyond government, critical infrastructure owners such as health care, telecommunications, and transportation are also standardizing on cards that meet the FIPS (Federal Information Processing Standard) 201, a set of specifications for personal ID cards issued by the National Institute of Standards and Technology (NIST) in response to HSPD-12, notes Peter Boriskin, director of product management for Tyco Fire & Security’s Access Control and Video Systems.

If nothing else, the money and regulatory weight behind HSPD-12 promises to reduce the cost of smart card deployments and focus the physical and IT security industries on a key point of intersection: the security credential.

“HSPD-12 created a nexus around the token,” Boriskin says, noting that previous attempts at physical and IT security integration were focused on integrating security applications. “Rather than try to integrate all these complex, fragile systems, now we all just know the token.”

While smart-card readers may take years to reach the bulk of enterprises, in the interim, Fehl of Honeywell sees companies picking and choosing from FIPS 201, grabbing onto the smartcard technology and adopting government standards for card enrollment, verification, and background checks.

Emerging technologies
Perhaps the biggest boost to converged security originates with the security industry itself, where a generation of proprietary physical access systems is giving way to newer, network- and Web-based products, built using open architectures and with third-party integration in mind.

At Tyco, long a leading player in physical security, a next-generation access control system, the C-CURE 9000, marks a radical departure. The 9000 series was built with convergence in mind, using Microsoft’s .Net framework and Web services to connect physical security systems’ fire and door access with HR and IT systems network single sign-on and user provisioning/deprovisioning systems.

Rather than being a “security management” system, Tyco thinks of C-CURE 9000 as an events-management system that can link physical security with IT-centric tools such as ERP software, Boriskin said. Previous generations of the C-CURE platform could only have accomplished that through brittle and expensive integration projects.

“XML and Web services have been the biggest enabler of convergence,” Boriskin says. “It’s a layer of abstraction that provides a common language for all these different products to talk to each other.”

Experts agree that the lack of an open, services-based approach hobbled early efforts at convergence, such as the Open Security Exchange (OSE), a joint physical-IT consortium that launched in 2003 with the backing of companies such as Computer Associates, HID, Tyco, and Wells Fargo.

“The big problem back then was that when you started to connect systems like that, you needed direct access to the database, and that can break things,” Fehl says. “Today, XML creates an intermediate layer where you can filter the data and apply rules that process the data before it hits your database.”