Shift toward unified security emerges

Centralized control becomes key as physical access systems merge with IT infrastructure

When Delaware State University took a hard look at its campuswide security systems in the late 1990s, it didn’t like what it saw. The school’s 1,800 students used multiple passwords for various campus IT systems. They carried a mish-mash of identity and access cards for the library, residence halls, bookstore, and cafeteria. According to CIO and Assistant Provost Dr. Charles D. Fletcher Jr., “We were experiencing difficulty with keys and significant theft.”

School officials set out to unite the university’s multiple physical and IT security systems with a single, campuswide access card, which could be centrally administered and monitored. So in 2002, working with Siemens, Delaware State launched the DSU Smart Card, incorporating a picture ID, bar code, magnetic stripe, RF (radio frequency) antenna, and microprocessor to manage student access to the campus’s diverse physical and IT infrastructure.

Fletcher claims theft is down almost 20 percent and says the unified system makes it easy to trip alarms and immediately cut off access to buildings or networks.

Welcome to the world of converged enterprise security. By linking physical access systems to IT security systems, organizations are laying the groundwork to ensure that the two systems work in concert, controlling access and fending off attacks, while providing greater efficiency in user provisioning and authentication. Vendors such as Siemens and Computer Associates already offer systems that monitor and correlate data from both physical and IT security sources. Although adoption in the enterprise is still in the early stages, it’s growing steadily behind the scenes, particularly at large financial services companies and in government, health care, communications, and intellectual-property-intensive industries.

Not only will the resulting converged systems make legitimate access easier, they will also dramatically raise the level of security intelligence by correlating physical and virtual data in real time to detect threats. These systems may sound an alarm when your machine is in use but you’re not physically in the building. They may lock you out if you try to enter two buildings 100 miles apart in under an hour. They may automatically delete data on mobile devices that stray outside of a certain perimeter and are thereby deemed stolen. And they will be sure to log suspicious behavior for future analysis and potential prosecution.
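The two correlation rules just described, a workstation in use while the badge system says its owner is not in the building and an entry at a second site that could not have been reached in the elapsed time, as a small added example that is not part of the original article; the badge and login feeds, the site grid and the 60 mph threshold are all constructed placeholders.

```python
from datetime import datetime

# Constructed sample: site coordinates in miles on a flat grid (placeholders, not real sites).
SITES = {"HQ": (0.0, 0.0), "LAB": (100.0, 0.0)}

# Constructed badge-reader feed: (user, site, direction, timestamp)
BADGE_EVENTS = [
    ("alice", "HQ",  "in",  datetime(2004, 3, 1, 8, 0)),
    ("alice", "HQ",  "out", datetime(2004, 3, 1, 8, 20)),
    ("alice", "LAB", "in",  datetime(2004, 3, 1, 8, 50)),  # 100 miles in 30 minutes
    ("bob",   "HQ",  "in",  datetime(2004, 3, 1, 8, 30)),
]

# Constructed workstation-login feed from the IT side: (user, site, timestamp)
LOGIN_EVENTS = [
    ("bob",   "HQ", datetime(2004, 3, 1, 8, 45)),   # badged in at HQ: normal
    ("alice", "HQ", datetime(2004, 3, 1, 8, 30)),   # badged out 10 minutes earlier
    ("carol", "HQ", datetime(2004, 3, 1, 10, 0)),   # never badged in
]

def distance_miles(a, b):
    (x1, y1), (x2, y2) = SITES[a], SITES[b]
    return ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5

def presence(badge_events, user, site, at):
    """True if the user's most recent badge event at `site` before `at` was an entry."""
    last = None
    for u, s, d, t in sorted(badge_events, key=lambda e: e[3]):
        if u == user and s == site and t <= at:
            last = d
    return last == "in"

def impossible_travel(badge_events, max_mph=60.0):
    """Flag an entry at a site unreachable from the user's previous badge event at max_mph.
    Returns (user, from_site, to_site, minutes_elapsed) tuples."""
    alerts, last_seen = [], {}
    for u, s, d, t in sorted(badge_events, key=lambda e: e[3]):
        prev = last_seen.get(u)
        if d == "in" and prev and prev[0] != s:
            hours = (t - prev[1]).total_seconds() / 3600
            if hours == 0 or distance_miles(prev[0], s) / hours > max_mph:
                alerts.append((u, prev[0], s, round(hours * 60)))
        last_seen[u] = (s, t)
    return alerts

def login_without_presence(badge_events, login_events):
    """Rule: workstation in use while the badge system says the user is not in that building."""
    return [(u, s, t) for u, s, t in login_events if not presence(badge_events, u, s, t)]
```

Both rules only raise alerts; what to do with them (alarm, lockout, video clip) is the policy decision the article discusses later.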

“Previously this was just a dream,” says Erik Layton, senior investigator at Pinkerton’s worldwide IT practice group. “If you can integrate the identification of potential anomalous behavior, you’re going to have a much more integrated approach to responding to risk, [resulting in] an exponential increase in enterprises’ ability to thwart attack,” he says.

Authentication: The enterprisewide credential

A key building block of the converged security vision — and one of its biggest benefits — is the ability to give employees a single enterprisewide credential they can use for both online and physical access. Having one credential would provide convenience to users and would make it easier to centrally provision and administer user identities and authentication.

“The No. 1 reason for interest in merging physical and IT security systems is provisioning,” says Eric Maurice, director of eTrust Security Management at CA. In most enterprises, these disparate systems don’t talk to each other, he adds.

Such an enterprisewide credential can take the form of a smart card or a combination of a smart card plus biometrics, explains Sun’s Director of Java Card Business Peter Cattaneo. “I can now write a Java smart card applet, which can talk to my door or log in over the network. When you show up at a door, it just opens and your session is ready on the computer.”

But the devil is in the details because of an immature but quickly evolving set of authentication technologies and the difficulty of getting large organizations to develop unified processes to make sure a person is who their credential says they are.

Enterprises must make trade-offs, for example, between strong multifactor authentication and usability. Biometric authentication methods such as fingerprint analysis are growing in popularity but have several issues (see “Biometrics Move Into the Mix”). Smart cards, which can combine legacy methods such as a magnetic stripe with stronger authentication on a microchip, are still costly, largely unstandardized, and can be stolen if left lying around. Other technologies such as RFID (RF identification) and GPS (Global Positioning System) are just emerging as potential players in the authentication process.

“It’s nice that people have so many different choices of so many different technologies to experiment with right now,” says Novell Security Czar Ed Reed. But he also points to inherent challenges when large enterprises deploy dual-purpose smart cards that enable both online identity authentication and physical access.

“There’s a disconnect if you have to take your smart card out and put it in a card reader, and you then have to get up and go to the bathroom,” Reed notes. “If you don’t have to have the card to go to the bathroom, you’re susceptible to leaving the card at the workstation, and now you’ve just blown the whole purpose. It’s got to be more like your keys — you don’t leave the office without your keys because you can’t drive away if you don’t. Coming up with solutions to those types of issues is where the rubber meets the road with these integration efforts.”

Organizational roles are another issue. Can enterprises make their centralized or federated credential management, role-based provisioning, and deprovisioning operable? “The technology isn’t the biggest part of the problem,” says Richard Hunter, research director at Gartner. “It’s setting up the mechanism to gather the data — and [having] the personnel to manage the systems and the databases.”

And finally, making integration investments pay off requires wholesale adoption, explains John McKeon, a business development executive at IBM Global Services. “The ROI is typically not just in physical access or network access. [It involves] incorporating biometrics as a strong authentication technology across a number of systems or smart cards — not just with security apps, but with other business apps, such as payment, loyalty, vending, cafeteria, employee benefits, and parking,” he says.

Monitoring and correlation

After an enterprisewide credential is in place, the heart of the converged security vision will be the ability to correlate and analyze physical and IT security data in real time and to take action based on that data to prevent unauthorized events and attacks.

Pinkerton’s Erik Layton, who also runs online security, tells of a recent incident at a large company where a coordinated approach could have averted millions of dollars of losses.

“We had a case where an organization was attacked by an external distributed denial of service attack,” Layton recalls. “Simultaneous with the DDoS attack, there was a physical theft of intellectual property within the organization — multiple millions of dollars worth of customer information and critical plans for future development. The net result of the investigation was that the success of the theft was in large measure because the IT security staff’s eye was taken off the ball by trying to prevent the DDoS attack.”

Layton believes that if the right rules had been in place across a converged IT and physical security system, the organization could have thwarted the property theft by shutting down physical access to certain critical systems when the external servers came under attack. “Where these types of monitoring systems will have the most impact is handling internal risk,” he asserts.

Mark Cherry, product development manager at Honeywell, agrees. “Access control will typically help a customer keep people segregated from areas, based on their work roles.”

Before an organization can implement a system to monitor and respond to the actions of its employees, it must develop an acceptable set of policies to be scripted into a rules engine governing data collection, activity-pattern analysis, anomaly detection, and archiving. As with most security systems, converged systems will do only what the corporate policy rule book tells them to do. The issue of how to respond to incidents, for example, is always tricky. A converged system might execute certain automatic responses to an apparent combined physical and cyber threat, such as recording a video clip for later review.

But Glenn McGonnigle, CEO of VistaScape, a video surveillance software company, says that most incidents still require a policy-driven escalation process involving human beings.

“Several years ago, we had systems that could respond to an attack by dropping a connection or shutting off a firewall,” McGonnigle says. “But customers weren’t ready for that. They didn’t want those systems to take that action without oversight.”

Connecting the physical systems

All the benefits of converged security — more convenient authentication, more efficient provisioning, and better threat detection — assume that an enterprise’s physical access systems are IP-enabled and can share data across a network, which is not always the case. Devices such as locks, badge readers, and surveillance cameras have traditionally run on proprietary legacy networks and protocols and are hardly ever upgraded. This has begun to change as enterprises look to economize by sharing digital infrastructures.

“The industry is going more and more to open protocols because customers want to be able to share data at enterprise levels across the organization,” Honeywell’s Cherry says. Although physical access systems increasingly use common protocols such as an LDAP or SQL database back end, their administrative software dashboards, called panels, are still largely proprietary and don’t easily interconnect with other systems.

“The biggest challenge really is the lack of standards. The panel manufacturers are not working together,” says CA’s Maurice, who is also executive director of Open Security Exchange (OSE), an industry group formed to develop common APIs for physical-systems functions, including user provisioning and privilege management. OSE is working with the Security Industry Association, which is launching a Data Modeling for Access Control workgroup to address similar issues. “I think we are a year away at least from getting such a standard,” Maurice says.

Another challenge is that when a physical access system has been IP-enabled, it becomes more vulnerable. “These systems become vulnerable to identity spoofing and session hijacking,” Maurice notes. “A bad guy can remotely monitor your location by using your own camera, and you will not know.” And in one recent case, he adds, an upgraded physical-access system running Microsoft’s SQL database on the back end became infected with SQL Slammer, partially shutting down the system and preventing administrators from adding or deprovisioning users.

Bridging the cultural divide

A final piece of the converged security puzzle involves getting IT and physical security personnel — who often have different perspectives, priorities, and reporting relationships — to work well together. “The guy tasked with catching a hacker has a different skill set than the guy tasked with catching a guy climbing a fence,” VistaScape’s McGonnigle notes.

“The primary function of IT security is to make sure the system works, keeping the system up and running,” CA’s Maurice says. “Whereas the physical security guys say we need to maintain the chain of evidence, we can’t use this computer anymore. On the one hand, you have people who deal with cheaters and thieves and physical danger, and on the other hand, you have young propeller heads.”

This power struggle has not played out yet. “Neither side wants to give up ownership and management of identity,” Novell’s Reed says. “There are politics involved, having to do with who’s authoritative and whom the various [departments] of the organization trust to feed them update information.”

But VistaScape’s McGonnigle thinks both sides are gaining the other’s respect as they increasingly share the same infrastructure and become more reliant on each other. Honeywell’s Cherry agrees, noting that IT staff must rely on security personnel to safeguard their own physical infrastructure. “Somebody going in and throwing a wireless LAN device into a wiring closet is a security manager’s worst nightmare.”

Whether and how soon the vision of converged physical and online security systems will become reality at most large enterprises remains to be seen. But today, key building blocks are falling into place, advancing the vision, from smart cards and correlation software to IP-enabled access systems and surveillance devices.

As DSU’s Fletcher notes, however, one thing is unlikely to change in a converged security world. “There’s no perfect system.” IT managers should set their expectations accordingly. He also emphasizes the importance of having trained, competent staff on both sides of the house involved in a converged security project from start to finish. “You don’t want to outsource this,” he insists. “You need people who are committed to your corporate plan. They must have some skin in the game.”