IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
October 25, 2008

Nothing found. Please check your show/episode id.

Download

State of Physical Access Trend Report 2024

Converging on access

In the past few years, it’s fair to say that no other security industry ‘buzzword’ has been defined in journal articles and company promotional materials as many times as ‘convergence’. In the main, these definitions have most commonly referred to the integration of physical security and IT systems, with occasional elements of building control thrown in for good measure.

While ultimately helpful to the end user, the definitions beg the ultimate question from practising security professionals: ‘How do I make it work?’

Convergence uses data generated by physical and IT systems alike to drive both business process efficiency and security, while its framework defines a migration path for organisational growth. What, though, are the basic elements demanded to ensure that a given solution is truly converged?

Security policy management

The backbone of a converged solution is the IT infrastructure, and the sharing of knowledge relating to key business data across systems. The physical security system doesn’t inherently know critical business data such as employee status, staff security clearances and training certifications obtained. A computerised Human Resources (HR) system, however, often harbours such knowledge.

In turn, IP-enabled security systems allow end users to take advantage of fixed investments and improve their overall return on investment.

Developing common protocols for managing access to company assets and data enables more efficient provisioning and management. An organisation develops role-based policies that can manage badge issuance, enrolment and revocation processes by leveraging XML/SOAP interfaces for integration with identity management solutions. The key benefit is that building security personnel continue to use tools best suited to their roles. By the same equation, HR personnel will continue to use HR tools.

Put simply, every end user organisation must identify:

  • authoritative sources (the system that has the ultimate say) for each person who has a building badge or an IT account;
  • sources (either IT systems or people) of key data used to determine whether or not an individual has permissions to use a resource or access an area;
  • compliance or audit needs where the data exists on multiple systems;
  • any business or security concerns that are unique or very important to the company;
  • key business processes (on-boarding, off-boarding, change of position, etc) and the responsibilities of different systems;
  • a policy platform that supports ‘customisable’ workflow creation tools for easy modelling of processes and/or approvals.

Common user provisioning

Convergence drives the business to contemplate the inter-relationship of physical security on IT security and vice-versa. How many organisations can definitely claim that terminated employees or contractors are immediately removed from their buildings’ access control systems? How many are genuinely confident that a former employee who tailgates into the head office building doesn’t have any active IT accounts?

In addition, exactly how many corporate organisations are fully confident that current employees would recognise former employees and know that they have been ‘terminated’ from the system’s records?

Provision dynamics are evolving and, it’s true to say, actively driving user permissions in non-IT and external IT systems alike. Organisations have to determine how many terminated employees or contractors still retain active building badges and IT accounts. They must also determine how many contractors who have not been on site for the past three months still have active badges.

It’s worth performing a series of studies to see if anyone questions tailgaters. Also, security managers ought to benchmark how long it takes for someone to be provisioned or de-provisioned. Don’t forget, also, that it’s absolutely vital you educate employees on security risks and threats (and on a regular rather than an infrequent basis).

Single access credentials

Building security begins with a badge, often in the form of a proximity card. IT security begins with a user name and a password.

When end user organisations wish to add more layers of security to a particular card, they can put on a PIN or a biometric, for example. As IT system managers look to increase security levels, though, the choices are not really equivalent. Companies can choose to add an RSA token or biometric that authenticates the correct person. There’s also the possibility of a contact smart chip – embedded either within a card or a USB dongle – that authenticates the correct person and is also used for non-reputable digital signatures.

Digital signatures are hugely important in regulated environments in terms of verifying that a person did approve or take action.

A single card solution that includes a contact smart chip for IT and proximity technologies (contactless smart or 125 kHz proximity) enables the end user organisation to manage one resource for each employee, thereby minimising both material and administrative costs. An optimised card issuance process will be connected to IT systems for provisioning as a single process.

What are the steps to be taken here? Building security teams should discuss with their IT counterparts in great detail by way of identifying opportunities for leveraging cards across the organisation. For their part, IT Department personnel must review authentication and PKI requirements/needs.

Correlation of events

By connecting systems, organisations can correlate seemingly disparate physical and IT-related security events. For example, it may not at first appear suspicious for an employee to download large amounts of data. However, system correlation might show the employee only downloads the data when he or she is in the room by themselves.

Security managers must identify the thresholds of normal employee behaviour by job classification. It may well be necessary to audit current behaviours. It’s always wise to keep on top of business events that may cause – or pave the way for – serious security breaches (for example, the receipt of a resignation notice, termination for cause or an unexpected change in working hours).

IT resources and/or locations harbouring sensitive information (intellectual property, identity data) require identification. A plan must be developed and put in place to lock down for normal security levels and for a heightened security level. Companies really do need to determine the return on risk for each sensitive item, and then develop their security response plans.

Also, the normal usage for each sensitive resource – and what would be considered abnormal (for instance downloading all customer data) – has to be pinpointed.

Coherent security policy

Convergence is the first step for any organisation intent on connecting its critical systems to provide a comprehensive and coherent security policy. By integrating systems to share information, an end user organisation will be able to see vulnerabilities in real-time and thus link IT security events with physical security responses. All of these abilities drive security policy management.

The next step will be proactive threat management, which enables the correlation of real-time information with historical data. The system will ‘learn’ how to manage the current environment, and react in a real-time manner (in turn increasing system value and improving return on investment). For instance, the system can classify behaviour such as a certain employee trying to access random doors every few days, or unusual behaviour by a sub-set of employees (all of whom had their clearances processed by a specific adjudicator).

Using a converged system can reap substantial benefits, and will provide additional bonuses in the future. How organisations and their security professional(s) choose to implement these all-new ‘toolkits’ is really up to them. The benefits of doing so promise to be pretty substantial.

Subscribe to the IFSEC Insider weekly newsletters

Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.

Sign up now!

man reading a tablet, probably the IFSEC Global newsletter

Related Topics

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted