IT security gets physical

The good news: The physical and IT security systems your company uses will merge. The bad news: It'll probably take a while.

The spitzer factor
But the reasons to fill those cracks are mounting. The parade of new regulations, led by Sarbanes-Oxley, provides even greater motivation for organizations to consider converging their IT and physical security operations.

Crowell notes that Sarbanes-Oxley has created a thirst for bullet-proof audit capabilities and the capability to answer such questions as: “How could John Q. have accessed those financial records if he never entered the building that day?”

Click for larger view.

Government organizations face other, more stringent mandates. The recent implementation of Homeland Security Presidential Directive 12 (HSPD-12) has primed the pump for security convergence. The directive, which took effect in October, requires government agencies to begin issuing standard PIV (personal identity verification)-2 cards to employees. In time, HSPD-12 smart cards will be used to tie logical and physical access together at government agencies as well as at their private sector contractors.

“HSPD-12 is an attempt to say ‘These worlds should converge. They should be managed together,’” says Brian Contos, CSO of security information management firm ArcSight.

Beyond government, critical infrastructure owners such as health care, telecommunications, and transportation are also standardizing on cards that meet the FIPS (Federal Information Processing Standard) 201, a set of specifications for personal ID cards issued by the National Institute of Standards and Technology (NIST) in response to HSPD-12, notes Peter Boriskin, director of product management for Tyco Fire & Security’s Access Control and Video Systems.

If nothing else, the money and regulatory weight behind HSPD-12 promises to reduce the cost of smart card deployments and focus the physical and IT security industries on a key point of intersection: the security credential.

“HSPD-12 created a nexus around the token,” Boriskin says, noting that previous attempts at physical and IT security integration were focused on integrating security applications. “Rather than try to integrate all these complex, fragile systems, now we all just know the token.”

While smart-card readers may take years to reach the bulk of enterprises, in the interim, Fehl of Honeywell sees companies picking and choosing from FIPS 201, grabbing onto the smartcard technology and adopting government standards for card enrollment, verification, and background checks.

Emerging technologies
Perhaps the biggest boost to converged security originates with the security industry itself, where a generation of proprietary physical access systems is giving way to newer, network- and Web-based products, built using open architectures and with third-party integration in mind.