Smaller security firms such as S2 and Imprivata are also taking advantage of the move to IP based networks and Web services to create open platforms that can tie physical and IT security together.

S2’s product, NetBox, is a physical security management appliance that integrates access control, alarm monitoring, temperature monitoring, video surveillance, and intercoms, according to CEO John Moss. S2’s technology uses controllers that bolt on to existing card readers, video monitors and other physical security point devices. Those readers store access policies, and communicate with the network appliance using standard IP-based protocols, where a policy database centralizes physical security policies and then pushes them out to the devices it manages.

Similarly, Imprivata’s OneSign product is an appliance-based, single-sign-on solution that joins physical and logical access systems. Web services standards such as SPML (Service Provisioning Markup Language) allowed the company to create interfaces for third-party user provisioning systems from Courion and others to create and manage user accounts, applications, and credentials within OneSign.

Moss, who founded the card-access company Software House before selling it to Tyco in the mid-1990s, says that’s a big departure from the “1990s’ big software model” that has dominated the physical security market until recently, in which integration happened at the application layer, and big vendors such as Tyco extracted hefty fees for access to APIs. In contrast, S2 has published open Web services APIs that allow companies to link their IT-based user provisioning systems to S2’s NetBox, Moss says.

Culture clash
Despite such advances, the biggest obstacle to converged security has nothing to do with technology. It’s the cultural chasm between the physical and IT security professions.

“The two groups just don’t know how to talk to one another,” says Vancouver’s Tyson. “The world of technology is a very term-based environment. If you don’t understand those terms and the technology behind them, you’re on the outside looking in.”

That’s often where people with a physical security background — a group that once included Tyson himself, who started his career as a bodyguard — find themselves. “There’s no really good school for IT security, unless you go back to school and get a CS degree, but who can afford that?” he says.

S2’s Moss agrees. “Physical security practitioners make less per hour than in the IT world. And [professional certifications] don’t always require IT training. IT security practitioners are more highly trained and have certifications for the things they do, but they don’t know much about physical security,” he says.

In other words, your IT security staff may be perfectly trained to sniff out a Trojan or keylogger on a PC, but don’t go to them if you need an unruly visitor hustled out of the building. On the other hand, if that disorderly visitor started harassing an employee via IM, the physical security folks wouldn’t know where to start, says Tyson.

Until recently, that basic cultural difference permeated most physical security vendors, where such established vendors as ADT, Honeywell, and Tyco tailored their wares to the guys with badges.

To this day, the servers and systems for managing door access and video surveillance frequently form a kind of “shadow IT” within corporations, overlooked by trained IT staff who might not even know they’re there, and ignored by physical security staff who do know they exist but lack the expertise to manage them. Vulnerabilities in those systems can pose big risks, especially as they migrate from closed, proprietary networks to the same IP-based network used by mission-critical applications, Tyson says.