When Delaware State University took a hard look at its campuswide security systems in the late 1990s, it didn’t like what it saw. The school’s 1,800 students used multiple passwords for various campus IT systems. They carried a mish-mash of identity and access cards for the library, residence halls, bookstore, and cafeteria. According to CIO and Assistant Provost Dr. Charles D. Fletcher Jr., “We were experiencing difficulty with keys and significant theft.”
School officials set out to unite the university’s multiple physical and IT security systems with a single, campuswide access card, which could be centrally administered and monitored. So in 2002, working with Siemens, Delaware State launched the DSU Smart Card, incorporating a picture ID, bar code, magnetic stripe, RF (radio frequency) antenna, and microprocessor to manage student access to the campus’s diverse physical and IT infrastructure.
Fletcher claims theft is down almost 20 percent and says the unified system makes it easy to trip alarms and immediately cut off access to buildings or networks.
Welcome to the world of converged enterprise security. By linking physical access systems to IT security systems, organizations are laying the groundwork to ensure that the two systems work in concert, controlling access and fending off attacks, while providing greater efficiency in user provisioning and authentication. Vendors such as Siemens and Computer Associates already offer systems that monitor and correlate data from both physical and IT security sources. Although adoption in the enterprise is still in the early stages, it’s growing steadily behind the scenes, particularly at large financial services companies and in government, health care, communications, and intellectual-property-intensive industries.
Not only will the resulting converged systems make legitimate access easier, they will also dramatically raise the level of security intelligence by correlating physical and virtual data in real time to detect threats. These systems may sound an alarm when your machine is in use but you’re not physically in the building. They may lock you out if you try to enter two buildings 100 miles apart in under an hour. They may automatically delete data on mobile devices that stray outside of a certain perimeter and are thereby deemed stolen. And they will be sure to log suspicious behavior for future analysis and potential prosecution.
“Previously this was just a dream,” says Erik Layton, senior investigator at Pinkerton’s worldwide IT practice group. “If you can integrate the identification of potential anomalous behavior, you’re going to have a much more integrated approach to responding to risk, [resulting in] an exponential increase in enterprises’ ability to thwart attack,” he says.
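Two of the correlation rules described above, a machine in use while its owner is not in the building and badge reads at sites too far apart for the elapsed time, can be run over a merged badge and IT event stream. This Python is an added example, not code from the article or from any vendor it names; the site names, distance table, users, event fields and the 100 mph threshold (taken from the "100 miles apart in under an hour" case) are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: sites, distances, users and events are invented.
SITE_DISTANCE_MILES = {frozenset({"HQ", "Branch"}): 100.0}
MAX_MPH = 100.0  # assumption: faster travel between badge reads is implausible

EVENTS = [  # (timestamp, source, user, action, site)
    ("2005-03-01T08:00", "badge", "alice", "enter", "HQ"),
    ("2005-03-01T08:05", "it", "alice", "console_logon", "HQ"),
    ("2005-03-01T08:40", "badge", "alice", "enter", "Branch"),
    ("2005-03-01T09:00", "it", "bob", "console_logon", "HQ"),
    ("2005-03-01T09:10", "badge", "bob", "enter", "HQ"),
    ("2005-03-01T17:00", "badge", "bob", "exit", "HQ"),
    ("2005-03-01T17:30", "it", "bob", "console_logon", "HQ"),
]

def correlate(events):
    """Return (timestamp, user, rule) alerts from a merged badge + IT stream."""
    inside = {}      # user -> site the badge system believes they are in, or None
    last_entry = {}  # user -> (time, site) of the most recent badge entry
    alerts = []
    for ts, source, user, action, site in sorted(events):
        when = datetime.fromisoformat(ts)
        if source == "badge" and action == "enter":
            prev = last_entry.get(user)
            if prev and prev[1] != site:
                miles = SITE_DISTANCE_MILES.get(frozenset({prev[1], site}))
                hours = (when - prev[0]).total_seconds() / 3600
                # Unknown site pairs are skipped rather than guessed at.
                if miles is not None and (hours == 0 or miles / hours > MAX_MPH):
                    alerts.append((ts, user, "impossible_travel"))
            last_entry[user] = (when, site)
            inside[user] = site
        elif source == "badge" and action == "exit":
            inside[user] = None
        elif source == "it" and action == "console_logon":
            # Physical console use at a site the user has not badged into.
            if inside.get(user) != site:
                alerts.append((ts, user, "logon_without_presence"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The 09:00 alert fires because the user logged on ten minutes before their own badge read, which is as consistent with tailgating through a door as with account misuse, so presence rules of this kind depend on how completely the badge system records entries and exits.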
Authentication: The enterprisewide credential
A key building block of the converged security vision — and one of its biggest benefits — is the ability to give employees a single enterprisewide credential they can use for both online and physical access. Having one credential would provide convenience to users and would make it easier to centrally provision and administer user identities and authentication.
“The No. 1 reason for interest in merging physical and IT security systems is provisioning,” says Eric Maurice, director of eTrust Security Management at CA. In most enterprises, these disparate systems don’t talk to each other, he adds.