
By Rohit M. Gupta · August 2007
Security convergence is a constant and healthy debate in enterprise circles. IT, system and network administrators have built robust technology guidelines around secure access to sensitive data across many systems and infrastructures. Each layer of the OSI stack has evolved rapidly, adding sophistication in usability, availability and ongoing audit and control; those layers now extend to Web and application assets and have become user friendly. Physical security has gone through a similar but more stable evolution: security officers and administrators have deployed card readers, biometric scanners, fire control management systems, and power, voice and video control units to deliver tight, holistic security within their administrative confines.
In today's business environment, enterprises are rapidly realizing that securing assets in silos does not scale well and typically adds to the overall cost and operating structures that executives want to tighten. Users want an approach that delivers stringent security across physical and logical environments while offering a superior user experience and retaining operating efficiencies.
Defining Convergence
ASIS defines security convergence as the identification of security risks and interdependencies between business functions and processes within the enterprise, and the development of managed business process solutions to address those risks and interdependencies.
Physical security has long covered surveillance, security guards and protection of physical assets. A common thread across these responsibilities is observation and incident capture, typically reported manually. Physical security also focuses on monitoring and protecting assets and people against perceived threats. IT or logical security, on the other hand, focuses on a set of constructs and processes to secure, protect and manage access to sensitive data. The technology framework commercial enterprises use to deliver logical security is known as identity management. Typically, identity management systems include a framework for authenticating users and tying their credentials to specific policies, which are defined and stored in a secure repository.
With the advent of regulatory and corporate directives over the last few years, such as HSPD-12, FIPS 201 and Sarbanes-Oxley, convergence of physical and logical security, together with granular visibility into and disclosure of access rights and user behavior, has become a critical requirement for enterprises. Corporate mergers have further expanded the need to drive efficiencies across these platforms, and the pressure to cut costs and improve operational efficiency is another critical driver.
As enterprises look to comply with regulations, secure sensitive data and lower enterprise risk, a set of trends and best practices has emerged to deliver efficient and cost-effective solutions. These include synchronizing identity infrastructure and repositories; lifecycle management of employees and credentials; and consolidated logging and auditing.
Synchronizing Identity
Most enterprises have disparate repositories holding employee, customer and other identity data, implemented as databases, LDAP directories or some hybrid of the two. Physical access control systems also rest on an identity store of their own, typically a commercial database. What emerges is multiple repositories for the same set of identities, and in some cases conflicting attributes about the same identity across those repositories. Every extra copy is another store that must be administered and protected. "Privilege creep", the accumulation of entitlements that are granted over time and never revoked, is a critical consideration when cleaning up the identity house within an enterprise.
What follows is typically a set of processes to agree on a single source of truth for identity information. Given the diverse applications and business processes that consume identity data, it is imperative to hold a structured dialogue among business owners to establish the critical attributes of an identity before building a clean, consolidated repository of enterprise users. Enterprises may converge on a single enterprise directory for the consolidated data, or may retain a commercial employee management system or human resources application as the authoritative source for employees. Such repositories can also hold customer and partner data.
Enterprises are also encouraged to review virtual directory technologies, which expose identity data from multiple directories and databases as a single view without physically moving it. These are particularly attractive where corporate or technology boundaries make it challenging to physically centralize identity data.
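The following is an added example, not code from the article or from any product the author describes, of the reconciliation step this section calls for: an HR feed is taken as the single source of truth, an LDAP directory and a physical access control system (PACS) database are joined to it in a virtual-directory style view, and every entry that has no owner, belongs to a leaver, disagrees with HR on an attribute, or holds more than its department policy grants is reported. The record layouts, field names, department policy and sample data are all constructed assumptions for illustration.

```python
"""Reconcile an authoritative HR feed against an LDAP directory and a
physical access control system (PACS) database.

Added example: the record layouts, field names and the sample data below are
constructed for illustration and are not taken from any real product."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample data. HR is treated as the single source of truth.
HR = {
    "1001": {"name": "Ana Lima",  "dept": "Finance",     "status": "active"},
    "1002": {"name": "Ben Ortiz", "dept": "Engineering", "status": "active"},
    "1003": {"name": "Cy Park",   "dept": "Sales",       "status": "terminated"},
}
# LDAP entries keyed by employee number; "groups" are group memberships.
LDAP = {
    "1001": {"dept": "Accounting", "groups": {"finance-ro", "vpn-users"}},   # dept disagrees with HR
    "1002": {"dept": "Eng",        "groups": {"eng-dev", "finance-ro"}},     # alias spelling, stale group
    "1003": {"dept": "Sales",      "groups": {"sales", "vpn-users"}},        # still present after leaving
    "1004": {"dept": "IT",         "groups": {"domain-admins"}},             # no HR record at all
}
# PACS badge records keyed by the same employee number; "zones" are door groups.
PACS = {
    "1001": {"badge": "B-0001", "zones": {"hq-lobby", "finance-floor"}},
    "1002": {"badge": "B-0002", "zones": {"hq-lobby", "eng-lab", "finance-floor"}},
    "1003": {"badge": "B-0003", "zones": {"hq-lobby", "server-room"}},
}
# Department entitlement policy: the groups and zones a department is allowed to hold.
POLICY = {
    "Finance":     {"groups": {"finance-ro", "vpn-users"}, "zones": {"hq-lobby", "finance-floor"}},
    "Engineering": {"groups": {"eng-dev", "vpn-users"},    "zones": {"hq-lobby", "eng-lab"}},
    "Sales":       {"groups": {"sales", "vpn-users"},      "zones": {"hq-lobby"}},
}
# Known spellings that mean the same department; normalised before comparison so
# a mere alias is not reported as a conflict.
DEPT_ALIASES = {"Eng": "Engineering"}


@dataclass
class Finding:
    emp_id: str
    kind: str      # orphan | terminated | attr_conflict | privilege_creep
    system: str    # ldap | pacs
    detail: str


def virtual_view(hr, ldap, pacs):
    """Join the three stores into one record per employee id without copying
    data anywhere: the same join a virtual directory performs on the fly."""
    ids = set(hr) | set(ldap) | set(pacs)
    return {i: {"hr": hr.get(i), "ldap": ldap.get(i), "pacs": pacs.get(i)} for i in sorted(ids)}


def reconcile(hr, ldap, pacs, policy, aliases):
    """Compare every LDAP and PACS entry against HR and department policy."""
    findings = []
    for emp_id, rec in virtual_view(hr, ldap, pacs).items():
        h = rec["hr"]
        for system in ("ldap", "pacs"):
            entry = rec[system]
            if entry is None:
                continue
            if h is None:                       # account with no owner in the authoritative source
                findings.append(Finding(emp_id, "orphan", system, "no HR record"))
                continue
            if h["status"] != "active":         # leaver whose access was never removed
                findings.append(Finding(emp_id, "terminated", system, f"HR status is {h['status']}"))
                continue
            entitled = policy.get(h["dept"], {"groups": set(), "zones": set()})
            if system == "ldap":
                dept = aliases.get(entry["dept"], entry["dept"])
                if dept != h["dept"]:           # same identity, conflicting attribute
                    findings.append(Finding(emp_id, "attr_conflict", system,
                                            f"dept {entry['dept']!r} vs HR {h['dept']!r}"))
                extra = entry["groups"] - entitled["groups"]
            else:
                extra = entry["zones"] - entitled["zones"]
            if extra:                           # privilege creep: held but not entitled
                findings.append(Finding(emp_id, "privilege_creep", system,
                                        "not entitled by department policy: " + ", ".join(sorted(extra))))
    return findings


def summarize(findings):
    """Count findings by kind, the headline numbers for a clean-up plan."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = reconcile(HR, LDAP, PACS, POLICY, DEPT_ALIASES)
    for f in results:
        print(f"{f.emp_id} {f.system:<5} {f.kind:<16} {f.detail}")
    print(summarize(results))
```

On the sample data the run reports one attribute conflict, two cases of privilege creep (one in the directory, one in the badge system), two leaver accounts and one orphan. The alias table is the part most often skipped in practice; without it every abbreviated department name becomes a false conflict and the business owners stop reading the report.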
Lifecycle Management
Managing employee credentials through changes in status ties directly into credential management systems. Any change to an employee's status, such as a transfer, leave of absence or termination, translates directly into required modifications in the surrounding physical environment.
Technologies that automate provisioning and de-provisioning for employees, contractors and customers across enterprise assets and applications have become particularly popular. As part of the logical security infrastructure, a provisioning system complements a badge or card management system governing access to physical resources. Just as provisioning applications automate creating and modifying user accounts and privileges in enterprise applications, e-mail and other systems, the technology also improves security by providing a real-time view into users' access privileges. The provisioning system can also be designed to provision badges/cards and VPN accounts for employees, restore inactive badges, and manage enterprise risk by enforcing consistent security policies from a single administrative console.
Provisioning systems enable convergence in today's enterprise environments, where mobility and networking are paramount. While driving down the cost of managing the lifecycle of physical and logical access for employees, provisioning systems also provide granular reporting and automated attestation, driving corporate compliance.
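As an added example of the lifecycle handling described above (not the article's code, nor the interface of any real provisioning product), the following event-driven provisioner turns hire, transfer, leave, return and termination events into actions against four assumed connectors (directory, mail, VPN and badge system), keeps a per-person access record as the real-time view, and writes an audit trail of every action. The connector names, event shapes and department policy are constructed for illustration.

```python
"""Event-driven joiner / mover / leaver provisioning across logical and
physical systems.

Added example: the connector names (directory, mail, vpn, badge), the event
shapes and the department policy are assumptions made for illustration, not
the interface of any real provisioning product."""
from dataclasses import dataclass, field

# Constructed department entitlement policy: groups in the directory, zones in the badge system.
POLICY = {
    "Finance":     {"groups": {"finance-ro", "vpn-users"}, "zones": {"hq-lobby", "finance-floor"}},
    "Engineering": {"groups": {"eng-dev", "vpn-users"},    "zones": {"hq-lobby", "eng-lab"}},
}


@dataclass
class Access:
    """The real-time view of one person's physical and logical access."""
    status: str = "none"            # none | active | on_leave | terminated
    dept: str = ""
    groups: set = field(default_factory=set)
    zones: set = field(default_factory=set)
    vpn: bool = False
    badge_active: bool = False


class Provisioner:
    def __init__(self, policy):
        self.policy = policy
        self.state = {}    # emp_id -> Access
        self.log = []      # (emp_id, connector, operation, detail): the audit trail

    def _act(self, emp, connector, op, detail=""):
        self.log.append((emp, connector, op, detail))

    def _apply_entitlements(self, emp, dept):
        """Bring groups, zones and VPN in line with the department policy. Removing
        what the new department does not grant is what stops privilege creep on transfer."""
        acc, want = self.state[emp], self.policy[dept]
        for g in sorted(acc.groups - want["groups"]):
            self._act(emp, "directory", "remove_group", g)
        for g in sorted(want["groups"] - acc.groups):
            self._act(emp, "directory", "add_group", g)
        for z in sorted(acc.zones - want["zones"]):
            self._act(emp, "badge", "revoke_zone", z)
        for z in sorted(want["zones"] - acc.zones):
            self._act(emp, "badge", "grant_zone", z)
        acc.groups, acc.zones, acc.dept = set(want["groups"]), set(want["zones"]), dept
        vpn = "vpn-users" in acc.groups
        if vpn != acc.vpn:
            self._act(emp, "vpn", "enable" if vpn else "disable")
            acc.vpn = vpn

    def handle(self, event):
        """Apply one HR lifecycle event and return the resulting access record."""
        kind, emp = event["type"], event["emp_id"]
        if kind == "hire":
            self.state[emp] = Access(status="active", badge_active=True)
            self._act(emp, "directory", "create_account")
            self._act(emp, "mail", "create_mailbox")
            self._act(emp, "badge", "issue")
            self._apply_entitlements(emp, event["dept"])
        elif kind == "transfer":
            self._apply_entitlements(emp, event["dept"])
        elif kind == "leave":
            acc = self.state[emp]
            acc.status, acc.badge_active = "on_leave", False
            self._act(emp, "badge", "deactivate")
            if acc.vpn:
                self._act(emp, "vpn", "disable")
                acc.vpn = False
        elif kind == "return":
            acc = self.state[emp]
            acc.status, acc.badge_active = "active", True
            self._act(emp, "badge", "restore")
            if "vpn-users" in acc.groups:
                self._act(emp, "vpn", "enable")
                acc.vpn = True
        elif kind == "terminate":
            acc = self.state[emp]
            # Physical access goes first: a badge that still opens doors after the
            # directory account is disabled is exactly the gap convergence closes.
            self._act(emp, "badge", "deactivate")
            for z in sorted(acc.zones):
                self._act(emp, "badge", "revoke_zone", z)
            if acc.vpn:
                self._act(emp, "vpn", "disable")
            for g in sorted(acc.groups):
                self._act(emp, "directory", "remove_group", g)
            self._act(emp, "directory", "disable_account")
            self._act(emp, "mail", "disable_mailbox")
            self.state[emp] = Access(status="terminated")
        else:
            raise ValueError(f"unknown event type {kind!r}")
        return self.state[emp]


if __name__ == "__main__":
    p = Provisioner(POLICY)
    for ev in [{"type": "hire", "emp_id": "1002", "dept": "Engineering"},
               {"type": "transfer", "emp_id": "1002", "dept": "Finance"},
               {"type": "terminate", "emp_id": "1002"}]:
        print(ev["type"], p.handle(ev))
    for entry in p.log:
        print(entry)
```

Two design points matter more than the connector plumbing. A transfer is computed as a difference against the target department's policy, so the old department's groups and door zones are removed rather than left to accumulate. And termination deactivates the badge before anything else, because the directory and mail systems can tolerate a few minutes of lag while a live badge on a terminated employee cannot.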
Consolidated Logging, Auditing
Enterprises need to regulate and monitor access to physical and logical assets. With the ever-increasing need to comply with regulatory and corporate mandates, it is no longer sufficient to hand auditors documentation of processes and system logs. Enterprises need a sustainable framework that delivers real-time, granular reporting of employees' access privileges and scales to meet the demands of auditors as well as resource changes within the corporate environment.
In addition to reporting and logging, enterprises should consider a framework that lets managers attest to employees' access rights through an automated workflow, with business context such as physical location, department and group membership, and the relevance of the asset applied to each decision. Such systems also provide real-time and forensic analysis across the physical and logical logs, which is what makes integrated incident management and remediation possible.
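The following is an added example, not part of the article, of the cross-log analysis that consolidated logging makes possible: badge-reader events are turned into presence intervals per person and site, and logical logon events are checked against them, flagging a successful VPN login from someone whose badge says they are still in the building and a workstation logon at a site the person never badged into. The two log formats, the site naming convention (site taken from the door name's prefix) and every sample line are constructed assumptions; real PACS and VPN logs need their own parsers, but the correlation is the same.

```python
"""Correlate badge-reader events with logical logon events to flag activity
that is inconsistent across the physical and IT worlds.

Added example: the two log formats, the site naming and the sample lines are
constructed for illustration; real PACS and VPN logs will need their own
parsers, but the correlation logic is the same."""
import re
from datetime import datetime

# Constructed badge log: one line per door swipe, with employee number, door and direction.
BADGE_LOG = """\
2007-08-14T08:02:11 badge emp=1002 door=hq-main dir=in
2007-08-14T08:05:30 badge emp=1001 door=hq-main dir=in
2007-08-14T12:01:05 badge emp=1001 door=hq-main dir=out
2007-08-14T18:10:00 badge emp=1002 door=hq-main dir=out
""".splitlines()

# Constructed logical log: workstation logons (site-tagged) and VPN logins.
LOGICAL_LOG = """\
2007-08-14T08:31:00 wks user=1001 host=fin-ws-07 site=hq
2007-08-14T09:15:40 vpn user=1002 src=203.0.113.5 result=success
2007-08-14T10:20:00 wks user=1003 host=eng-ws-02 site=hq
2007-08-14T13:00:00 vpn user=1001 src=198.51.100.7 result=success
""".splitlines()

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse(line):
    """Turn '<iso time> <source> k=v k=v ...' into a dict with a datetime."""
    ts, source, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"], fields["source"] = datetime.fromisoformat(ts), source
    return fields


def presence_intervals(badge_events):
    """(emp, site) -> list of [in_time, out_time]; out_time None means still inside.
    The site is the door name's prefix, e.g. 'hq-main' -> 'hq' (an assumption of this example)."""
    spans = {}
    for e in sorted(badge_events, key=lambda ev: ev["time"]):
        key = (e["emp"], e["door"].split("-")[0])
        lst = spans.setdefault(key, [])
        if e["dir"] == "in":
            lst.append([e["time"], None])
        elif lst and lst[-1][1] is None:
            lst[-1][1] = e["time"]
    return spans


def on_site(spans, emp, t, site=None):
    """True if emp had badged in (and not yet out) at time t, at the given site or anywhere."""
    for (e, s), intervals in spans.items():
        if e != emp or (site is not None and s != site):
            continue
        if any(start <= t and (end is None or t < end) for start, end in intervals):
            return True
    return False


def correlate(badge_lines, logical_lines):
    """Return (time, emp, kind, detail) alerts for physical/logical contradictions."""
    spans = presence_intervals([parse(ln) for ln in badge_lines])
    alerts = []
    for ev in (parse(ln) for ln in logical_lines):
        emp, t = ev["user"], ev["time"]
        if ev["source"] == "vpn" and ev.get("result") == "success" and on_site(spans, emp, t):
            # Remote login while the badge says the person is in the building: shared or
            # stolen VPN credentials, or a tailgated badge, until an analyst says otherwise.
            alerts.append((t.isoformat(), emp, "vpn_while_on_site", f"src={ev['src']}"))
        elif ev["source"] == "wks" and not on_site(spans, emp, t, site=ev["site"]):
            # Console logon at a site the person never badged into: tailgating or a shared badge.
            alerts.append((t.isoformat(), emp, "logon_without_badge",
                           f"host={ev['host']} site={ev['site']}"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, LOGICAL_LOG):
        print(*alert)
```

Neither alert is proof of an incident on its own; the value is that the question "was this person physically here?" can be answered from data at all, which a siloed SIEM fed only with logical logs cannot do. The same presence intervals serve the attestation use case, since a manager reviewing an access list can be shown when each entitlement was last exercised from inside the building.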
Deep Impact
The impact of convergence has been felt across multiple lines of business in the last several years; notable examples include the convergence of procurement and finance and the convergence of IT networking and telephony. In the same way, collaboration between the lines of business that control physical and IT security systems can have an immense impact. While IT security has been at the forefront of the evolution curve, with significant innovations in authentication, authorization and auditing in the last several years, physical security has stayed on a stable, tried-and-tested path with moderate changes between product generations.
The typical dilemmas facing both camps concern downtime, availability and interconnectivity. In IT, managed downtime is a routine by-product of deployed tools and applications: systems are taken offline for patching, scheduled diagnostics and upgrades. A physical security system generally cannot be brought down, because doing so directly impacts the ability of personnel to move between buildings or within a campus. Similarly, IT lives in a completely connected, online world, where seamless access across applications is expected. The same cannot be said of physical security, where total connectivity across the various surveillance and access systems is not yet complete.
Convergence requires sharing and consolidating of identity data and repositories, and expanding business processes to span boundaries across IT and into the asset world. The importance of collaboration and transparent communication across controlling factions is a critical enabler in the move to true convergence.
Corporate governance, increasing security concerns and rationalizing administrative costs are primary factors in convergence of logical and physical access systems. The convergence move represents new challenges to executives as they strive to adapt systems to meet demands. The road to convergence is not a sprint—it takes persistence, defined best practices and executive sponsorship to ensure success. With enhancements in system and software tools, enterprises can benefit from deeper integration across physical and logical access systems, enforcing tighter controls based on regulatory directives and corporate policies.
About the author
Rohit M. Gupta
Rohit M. Gupta is director of product management for identity management and security products at Oracle.