SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers.  Download the webinar today!

Identity 360 - An Imprivata Blog




A Logical Security Convergence Starting Point: The Data Center

August 28, 2008 at 11:27 am by Chip LeBlanc

Physical-logical security convergence has garnered increased attention over the past year, and we've had countless conversations with both IT departments and physical security teams about the people, process and technology issues that come with the territory. Integrating teams and policy, not just the technology, needs to be well thought out. Increasingly, our conversations with prospects and customers interested in converging physical and logical access focus on where to start such a project. Though very interested in the promise of converged access, people want, as with any technology, to wade into the water first: to make sure it works as advertised technically, is easy for users to adopt, has the kinks hammered out in reporting, and comes with a clear understanding of who owns the integrated environment.

Security Magazine's Bill Zalud just moderated an interesting Webinar on the topic of converged physical-logical solutions with folks from Convergint Technologies, Tyco International, M.C. Peterson & Associates and the Open Security Exchange - check it out here. Project ownership and budget, along with inter-departmental communication, were identified as the primary hurdles to moving forward with a convergence effort. Let's be honest: the physical and IT groups within most organizations often don't communicate as much as one might think.

However, there is a strategic bridge for these two groups -- the data center.  IT owns the servers; physical security is responsible for locking down the room.  In most cases, the server room/data center is of tremendous importance in today's business and there is a smaller authorized employee base to manage/monitor, so both groups can certainly agree on the need to lock it down and ensure only authorized personnel have access.  Finger-pointing and avoidance both get thrown out the door when the company's crown jewels (secret formulas, customer lists, financial reports - which are all stored electronically) are on the line. 

The data center as a starting point can help physical and IT groups bridge the gap and start walking the walk, instead of talking the talk. The stakes are too high not to collaborate. In addition, leveraging existing investments tied to the data center makes it an easier transition - two-factor authentication can leverage physical security assets and infrastructure such as card readers. This inserts IT into the process immediately and helps 'force' collaboration amongst the disparate teams for the common good.

The annual ASIS event is coming up in September (swing by booth #4024 if you're there!), and physical-logical access convergence will be a hot topic once again this year. Come by Imprivata's booth and let's talk shop - I'd love to hear your thoughts on the data center as a physical-logical starting point... whether here on the blog, or at ASIS in September!

-Chip

Tags: physical_and_logical_convergence, two_factor_authentication, access_management, physical_logical_security


Proving policies work – easing audit and enforcement of physical and logical security

July 24, 2008 at 1:00 pm by Chip LeBlanc

The term "security policy" used to mean different things to different people.  For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night.  For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to.  However, this situation is changing with IT and physical security being managed together.  Although they come from separate disciplines, what these two areas have in common is policy.

However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time.  And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.

During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence. We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly. He agreed wholeheartedly. I added that in the case of "tailgating," someone who does not badge into a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them. When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network. This approach does not impact correct user behavior and reinforces adherence to the company's policy. The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real world!

We continued to discuss how this investment in building access cards can be used as an authentication factor for gaining access to the IT system as well.  By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers.  As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely.  Having an additional factor replace the standard password for access means that security is tighter overall, and unauthorized access is more difficult.

Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions.  So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments.  Ah-ha moment #2 for the pharma security executive.

In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy.  A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.
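The paragraphs above describe one concrete mechanism: at login the network asks the badge system whether the person has badged into the building and into the workstation's zone, the building card stands in for a token as the second factor alongside the password, and the outcome lands in a single audit trail. The Python below is an added example written for this page; it is not Imprivata's product code and not from the post. It assumes a hypothetical badge-event export of (user, zone, time), a USB reader that returns the card UID, and a known zone for each workstation; all users, card UIDs, passwords and badge events are constructed sample data.

```python
"""Badge-aware login check (added illustration, not Imprivata code).

Hypothetical assumptions: the badge system exports badge-in events as
(user, zone, time); the PC's USB reader returns the card UID; the zone a
workstation sits in is known. All data below is constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

SALT = b"constructed-demo-salt"  # demo only; real systems use a per-user random salt


def pw_hash(password: str) -> bytes:
    """Slow password hash so a stolen directory is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed directory: password hash plus the enrolled building-card UID,
# which takes the place of a separate token as the second factor.
USERS = {
    "alice": {"card_uid": "04A1B2C3", "pw_hash": pw_hash("correct horse")},
    "bob": {"card_uid": "04D4E5F6", "pw_hash": pw_hash("battery staple")},
}


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    zone: str  # "building" for the front door, otherwise a named zone
    at: datetime


# Constructed badge-in log for one morning: alice badged into the data
# center, bob only into the building, so a data-center login by bob looks
# like tailgating.
BADGE_LOG = [
    BadgeEvent("alice", "building", datetime(2008, 7, 24, 8, 30)),
    BadgeEvent("alice", "datacenter", datetime(2008, 7, 24, 8, 45)),
    BadgeEvent("bob", "building", datetime(2008, 7, 24, 8, 50)),
]

DEMO_NOW = datetime(2008, 7, 24, 9, 0)     # a login shortly after badge-in
LATE_NIGHT = datetime(2008, 7, 24, 23, 0)  # a login long after the badge trail went stale


def badged_into(log, user, zone, now, window):
    """True if `user` has a badge-in event for `zone` within `window` before `now`."""
    return any(
        e.user == user and e.zone == zone and timedelta(0) <= now - e.at <= window
        for e in log
    )


def evaluate_login(user, password, card_uid, workstation_zone, now,
                   log=BADGE_LOG, window=timedelta(hours=12)):
    """Return (decision, reason): ALLOW, CHALLENGE (step-up questions) or DENY.

    The reason string is what a converged audit trail would record, so one
    view covers both the door and the workstation."""
    rec = USERS.get(user)
    if rec is None:
        return "DENY", "unknown user"
    # Both factors must match; constant-time compares avoid timing leaks.
    if not hmac.compare_digest(rec["pw_hash"], pw_hash(password)):
        return "DENY", "password mismatch"
    if not hmac.compare_digest(rec["card_uid"].encode(), card_uid.encode()):
        return "DENY", "card not enrolled for user"
    # Physical-presence policy: the login must follow a badge-in at the door
    # and, for a zoned workstation, a badge-in at that zone. A missing badge-in
    # is not an outright denial here; it triggers the challenge questions.
    if not badged_into(log, user, "building", now, window):
        return "CHALLENGE", "no recent building badge-in"
    if workstation_zone != "building" and not badged_into(log, user, workstation_zone, now, window):
        return "CHALLENGE", f"no recent badge-in for zone {workstation_zone}"
    return "ALLOW", "card, password and badge trail consistent"


if __name__ == "__main__":
    for args in [("alice", "correct horse", "04A1B2C3", "datacenter"),
                 ("bob", "battery staple", "04D4E5F6", "datacenter"),
                 ("bob", "battery staple", "04D4E5F6", "building")]:
        print(args[0], "at", args[3], "->", evaluate_login(*args, DEMO_NOW))
```

The three outcomes map onto the post's description: a user whose card, password and badge trail agree is not slowed down at all, a user with valid credentials but no badge-in for the zone is pushed to the challenge questions rather than silently let through, and a wrong card or password is refused before the badge system is even consulted. The `window` parameter is the knob that decides how stale a badge-in may be before the trail no longer counts as presence.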

What are your policy management concerns and challenges?  How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?

-Chip LeBlanc, VP Business Development

Tags: physical_and_logical_convergence, two_factor_authentication, identity_and_access_management, physical_logical_security, SSO_Appliance, SSO, ESSO, access_management
