It might not seem as if a building security guard and a network administrator have much in common. But they do--and the distinction between the two is blurring more every day.
It's true that the people who control building access from security desks and those securing computer networks both watch traffic and walk perimeters to safeguard an organization's assets. But now, technology, tighter security controls, federal regulations and potential cost benefits are bringing the two traditionally separate worlds together--and the convergence is driving industry alliances that may have seemed unusual in the past.
Oracle, for example, has partnered with Honeywell and Lenel to make its identity and access-manager software work with the physical access systems sold by those companies. A similar announcement from Novell and Honeywell is expected in coming weeks.
"It used to be the guns, gates and guards versus the bit chasers and the hacker trackers," said Howard Schmidt, president of the Information Systems Security Association, an international group of IT security professionals. "Technology has fundamentally changed the way all those groups do business. We're much more united today than in the past."
Unifying technologies include network-connected surveillance cameras and that tie into the same systems used to grant network access, said Schmidt, a security consultant who has served as cybersecurity adviser to the White House and ksecurity executive at Microsoft and eBay.
"We're seeing the technologies that used to be restricted to physical space--the cameras, the alarm systems, the card readers--all of which were unique to a hard-wired analog environment, moving into an IP-based digital system," Schmidt said. The Internet Protocol, or IP, is used to connect computers on modern networks.
Software can catch what the human eye might not, such as somebody sneaking into a building behind another person who just swiped a security badge. Also, a single system for credentials can replace multiple access systems and passwords. One badge, or smart card, could be used to enter buildings, log on to networks and buy lunch in the campus cafeteria.
Removing security silos
"It is all about removing the silos around security," said Wynn White, vice president of security and management products at Oracle. Many software applications already let users sign on with a single password--the integration of physical and logical security takes that several steps further, he said.
Through integration, organizations will get a better view of their overall security, said Geoffrey Turner, an analyst at Forrester Research. "You now are able to follow through in securing both tangible and intangible assets," he said. Ultimately, this should provide more security for employees, as well.
One benefit: instead of discovering that an employee who left a company months ago still has an e-mail address or building access, access to all resources can be severed with a single action, White said.
Aside from technology and demand for tighter controls, the convergence is being driven by regulation. Homeland Security Presidential Directive 12, issued in 2004, includes a requirement for automated and secure user credentialing at federal agencies. As a result, the government is leading the move, but the private sector is close behind, according to Turner.
"This is a real trend; there is a sense of inevitability about it, but it is slower than everyone thinks," Turner said. "The private sector has some breathing space. But they need to watch the government."
The next two years will be important in bringing together the security disciplines, Turner said. Companies such as networking giant Cisco Systems, along with software makers Microsoft, Novell, Sun and Oracle will play a key role, he said. They will partner with the likes of HID Global and Honeywell, makers of physical access systems, he said.
"I can hear the elephants dancing, and I know there are a lot of discussions going on," Turner said. "But we were anticipating more partnership announcements between companies this first quarter than we've actually seen."
Katie Moussouris, a hacker for hire at Symantec, often tests the security of businesses, and that doesn't just include IT security. "We're requested by customers to do physical penetration tests," she said. In other words, she's hired to try to enter a building and get past the guards. "Those requests don't come from the physical security folks, they come from the IT department," she said.
With IT folks now involved in physical security, Moussouris expects her job to become tougher. "They will see a lot more places to harden than just the people who are in charge of physical security," she said. For example, weak spots, such as phone closets that have been turned into network hubs, will also be secured, she said.
Ultimately, the executive in charge of information security at an organization could also become responsible for the security guards, who today typically are part of a facilities group that may report to a different executive. That's because IT departments and chief information security officers are used to managing projects, Turner said.
"IT security has already made a progression from the data center glass house to desktops and mobile computing, where things have to be managed in a ubiquitous geographic context," he said. "They are better prepared to reach out and manage additional responsibility."
While technology is an enabler, it is also an obstacle to integration. Traditional security systems--the locks and cameras--are just now going digital.
"Not all physical access products are digitalized in a way that allows them to be integrated and managed through a network," Turner said. "They have to make a transition from an analog technology base to a digital base." Part of that is building secure systems, so they won't be a weak link in a security chain, he said.
Even if physical security systems have moved into the digital realm, they often aren't compatible with tools used to manage users on networks, such as those sold by Oracle.
"Interoperability is a key challenge," White said. Oracle has built connectors that allow its identity and access manager products to work with some physical security systems, but it had to custom-build those, he said. "The standards are ill-defined," he said, adding that nobody in the industry has yet stepped forward to establish any standards.
Also, controlling all aspects of security from a single system could provide a single point of failure. If the one system goes down or is breached, that could create a serious problem or compromise. The easy answer to that concern is strong security and using redundant systems, said Eric Maiwald, a Burton Group analyst.
"That concern may be more of a red herring than anything else," he said. "You're not going to leave that system somewhere it can be broken into." Also, there should be tight controls on who can grant access and clearances to people, he said. "You're not just talking about outsiders; you're also talking about insiders."
Convergence is very much a work in progress, experts agree. But while that work is being done, some organizations, mostly in government, are already moving to a single system and some, such as Delaware State University, already have.
Said Turner: "We're designing the shoes while we're running along wearing them."