The Convergence of Physical Security and IT: Integrating Physical and IT Security Management


This is the fourth article in a series that explores the convergence of physical security and IT technology and its impact on security and IT departments, vendors and management.

Protection systems integrate people, procedures and equipment to safeguard assets against theft, sabotage and other malevolent attacks. Organizations typically have two major protection systems, one for physical security and one for IT security.

Physical Security and IT Security

Physical security focuses on the protection of physical assets, personnel and facility structures. This involves managing the flow of individuals and assets into, out of, and within a facility. IT security focuses on the protection of information resources, primarily computer and telephone systems and their data networks. This involves managing the flow of information into, out of, and within a facility's IT systems, including human access to information systems and their networks. Clearly these two are separate domains. Why should they be integrated?

A Management Issue

The question above accurately reflects the thoughts of most security practitioners as they approach this subject. How is the question misleading? To lean on a common idiom, it focuses on the trees rather than the forest.

It is the management of physical and IT security that must be integrated. No one is going to integrate a brick wall and a database. However, the management of who is allowed inside the wall and inside the database must be integrated, or there will be gaps in the organization's security. Figure 1 below illustrates the concept of integrated security management. Whenever you hear or read the phrase “integration of physical and IT security,” think “integration of physical and IT security management” and you'll be on the right track.

Figure 1.

In almost every large enterprise, the physical and IT security departments operate independently of each other. They are generally unaware of the strengths and weaknesses of one another's practices, the liabilities of operating independently, and the benefits of integrated security management.

Integrating Security Management

Security objectives are carried out through the application of security policies, processes and procedures. Figure 2 below describes key security management processes and the physical and IT security processes and technologies that support them.

Figure 2.

Figures 1 and 2 are taken from the "PhysBITS" document provided by the Open Security Exchange. See the section below titled "Standards".

While it is true that many of the physical and IT security processes and procedures must be integrated at the technology level, it is not the technology that defines the integration. The business processes and procedures define it; the technology implements it. That's why the first step in integrating physical and IT security is an examination of security-related business requirements and the physical and IT security processes that support them. The integration of the business processes will determine where integration of physical security and IT technology is required.

In “The Convergence of IT and Physical Security”, an article written for Faulkner Information Services, a provider of in-depth information for technology professionals (www.faulkner.com), Laurie Aaron, Director of Business Development for Tyco Safety Products’ North American Sales Channels, says, “The lack of technical integration between physical security systems and IT security systems has resulted in organizational and procedural gaps for virtually every organization in the world. Beside a few government agencies, very few organizations have adopted a comprehensive security strategy encompassing both physical and IT security. From an organizational standpoint, very few organizations have formal procedures in place between the different departments handling physical and IT security. Excessive risk exposure results from this lack of manageability.”

Security Gap Scenario

Mr. CFO is traveling abroad and therefore has not checked into his office via his access control card at the main turnstile in the New York City office. He has, however, checked into his office in Paris, France and will be working there for the next 10 days. The physical access control system in New York is a different system, completely independent from the one securing the office in France. Therefore, the guards monitoring the system in New York City are not even aware that Mr. CFO is not in the building.

In the meantime, a trusted employee has been looking over Mr. CFO's shoulder and has acquired his login credentials, which are simply user name and password. Knowing he is out of the country for 10 days, and on a very different time schedule, she logs on to the network, during normal working hours, and accesses sensitive files, which she will later share with competitors.

Will an alarm be annunciated anywhere? No. Why?

There is no apparent violation in either the physical access system or the network access system, which are operating independently.

  • The employee committing the crime is authorized to enter the building during US, EST working hours, so nothing will be annunciated in the physical access system, or even flagged as abnormal.

  • The network security system sees Mr. CFO logging on and accessing files that he is authorized to view during time periods that are otherwise normal for him. Therefore, nothing will be annunciated or flagged as a network security breach.

Effective security management combining both physical and IT controls could result in organizationally and operationally coordinated security.

  • If the physical access systems were compatible, the guards monitoring the facilities may have at least known that Mr. CFO was entering the facility in France, not locally in New York.

  • If the physical access system were communicating activity to the network access system, Mr. CFO's credentials may authorize him local access only where he appears to be physically located.

  • If the physical access system were communicating to the network access system, it would annunciate an alarm if Mr. CFO logged onto the network remotely or in another location than he appears to physically be located, based on the last doors he physically accessed.

  • If the physical security department had procedures in place to communicate abnormal events such as this, they would notify the network security department of a possible security breach.

  • If the credential required for Mr. CFO to enter the facility in France were also required for him to log on to the corporate network, another person would not be able to utilize his credentials.

By Laurie Aaron, Tyco Safety Products, courtesy of Faulkner Information Services.

If an organization fails to examine its security procedures, gaps in protection are certain to occur. Usually the larger the company, the larger the security gaps, and the larger the opportunities for cost reduction.

Tatum Partners (www.tatumpartners.com) is the largest professional services provider of financial and information technology leadership in the United States. Tatum is a national organization of 400 former chief financial, chief information and chief technology officers of world-class organizations such as the CIA, Nabisco, Hilton, Disney and IBM.

Joel Rakow, a Tatum partner located in the Los Angeles area, said, “We encourage every client, if they do nothing else, to integrate physical access controls with the corporate network. It lays the groundwork for a proactive security program that enables early detection of emerging security attacks, and it produces immediate reduction of the cost of the security effort. Our Tatum CFOs calculate the return on investment to be between 16 and 18 months.

“We also like to point out that integrating physical and data security is a great mitigator against the legal liability of being found negligent in our client's ‘duty to protect' sensitive information protected by such legislation as California Senate Bill 1386, Gramm-Leach-Bliley and HIPAA,” said Rakow.

Benefits of Centralized Management

Managing users, their privileges and their credentials—a process called user provisioning—is one of the biggest challenges faced by organizations. Typically HR makes the first database entry for a new user, in support of payroll and other employee-related functions. Security makes another entry, to provide an access control card/ID badge for physical access to facilities. IT makes a third entry, to provide access to information systems. The results of inconsistencies between the three areas range from personal inconvenience, such as an employee being denied access to parking or to the computer network, to significant corporate risk, such as failure to suspend physical or network access privileges immediately upon termination.

Such inconsistencies motivate people to bypass security by manually affording access (holding a door open) or sharing information system passwords. This often results in a person gaining access to areas and information to which he or she would not normally have access. These types of access violations are undocumented. Furthermore, not having centrally managed users means that the question “Who has access to what?” cannot be answered quickly enough to provide ideal response times in the event of a suspected breach or a heightened security condition.

Reducing the user provisioning steps from three down to one not only eliminates the security vulnerabilities and enforces consistent role-based privileges across the entire organization, but may drastically reduce the cost of managing users.

Challenges to Integration

The sidebar titled “Platforms Supporting Integration” presents three vendors of security management products that offer significant support for the integration of physical and IT security. Two of the product offerings are comprehensive physical security application suites, and one is a product specifically designed to integrate physical and IT security management. While several thousand customers currently use the two security application suites, few are currently integrating physical and network security. Why?

There are several distinct challenges that to date have hindered efforts to integrate physical and IT security, including the following.

  • Initial focus on technology issues rather than security management issues
  • Conflicting or lacking standards
  • Apparent reluctance of physical security practitioners to embrace IT
  • No clear roadmap to organizational readiness

Standards

The benefits of standards have already been proven in the IT world. The past decade's growth in information systems and networking has required product and system providers to embrace standards. In general, the physical security industry is just starting to catch on to their importance. (The Security Industry Association's Open System Integration and Performance Standards [OSIPS] initiative is less than two years old.) However, a new forum has now been established to accelerate the introduction and adoption of security standards: the Open Security Exchange.

In a move uncharacteristic of the security industry's earlier days, four companies announced the formation of the Open Security Exchange on April 16, 2003. The OSE is a cross-industry collaborative group whose purpose is to define best practices and promote vendor-neutral specifications for integrating the management of security devices and policies across the enterprise. The four founding companies were Computer Associates International Inc., Gemplus, HID Corporation and Software House.

The OSE's initial press release stated that it was “created to address today's most significant security challenge—the lack of integration between various components of the security infrastructure.” By promoting more effective exchange of enterprise-wide security data, the OSE intends to enable organizations to significantly reduce both their exposure to a diverse range of threats and their total operation costs. At the announcement of the group's formation, Russell M. Artzt, vice president of Computer Associates International, said, “[Physical] security hasn't been dealt with in the same way that, for example, network and systems management have been dealt with over the last 10 years.

“People—IT people and physical security people—are very much aware of the problems in security, the complexities, the exposure to risks. And today we've really dealt with antivirus systems, firewall systems, but our IT organizations realize very well today that security needs to be managed much better. How do we deal with all the various security management problems coming in from firewall systems, [network] access control systems, physical access systems, antivirus?” asked Artzt. “The ability to understand security management across all these security technologies and disciplines is very, very important.”

Initially, the Open Security Exchange will focus on the integration of physical and IT security technologies. Its first release is a 39-page specification called “PHYSBITS—Physical Security Bridge to IT Security.” The specification can be downloaded from the OSE Web site. PHYSBITS presents a vendor-neutral approach for enabling collaboration between physical and IT security, including security management integration on three levels:

  1. Common administration of users, privileges and credentials,
  2. Common strong authentication for access to physical facilities and cyber systems through the use of dual-purpose credentials, and
  3. Common point of security management and event auditability.

This specification is not just for those involved in the technical aspects of physical and IT security integration. The initial 10 pages of the specification have to do with security management. These 10 pages are a must-read for every person involved in managing physical and/or IT security.

The OSE's development of specifications and best practices will provide valuable tools that organizations can use to integrate security management. It will also establish a common ground for vendors that provide products and services in support of that objective.

Is Physical Security Reluctant to Embrace IT?

Physical security systems already embrace information technology, and many security products are based on information processing, networking, or some other aspect of IT. Organizations and their security personnel definitely rely upon the computing and networking capabilities of their physical security systems. There is no reluctance there.

But to date, nearly all of the talk about integrating physical and IT security has been at the technical level. Since the technology integration itself takes place in the IT domain (networks, databases, and information exchange) and the results are displayed or managed on computers, it’s only natural for the physical security folks to think to leave such matters in the hands of IT. It’s not really a reluctance to discuss the issues, as much as it is a recognition that such discussions—as they have been conducted—are not likely to be productive. A good understanding on both the physical and IT sides of the security management issues involved will make productive communication possible, and that’s what is really needed.

Furthermore, widespread incorporation of information technology is blurring the distinction between physical and IT security. Figure 3 below shows the primary areas of IT security. Infrastructure protection includes physical security measures. Business continuity involved physical security managers long before IT became involved. Information protection includes the performance of background checks for personnel as well as investigation into suspected or documented problems or incidents. These tasks have long been the province of physical security managers working with their HR departments. Overlaps in security functions exist in both directions—another reason to step back and take a wider look at the overall picture.

Getting Up To Speed

The rapid pace of technological change has made it difficult for security managers and physical security practitioners to keep up with IT technology issues, because IT technology is not their primary field. Many IT practitioners are familiar with information protection and rules-based systems, but they lack experience in thinking in the broader context of physical security.

In addition to the Open Security Exchange there are other places to turn for help, and one of the primary sources is ASIS International, which has member councils for many fields, including the Physical Security Council and the Information Technology Security Council. If you are involved in any aspect of security, join ASIS and get in touch with the security council for your area of practice to learn about events and publications of interest. Local ASIS chapters facilitate information sharing, so you should join the chapter nearest you and actively participate in its activities.

If the professional organizations in your industry don't have security issues on their radar screen, you shouldn't find it hard to nudge them in that direction by participating in security-related initiatives. Often the resources of such organizations are under-utilized, because members don't let them know what issues they want help with in regards to security.

Benefiting From Experienced Professionals

Most security consultants have specialized areas of security practice, and themselves need to get up to speed with regard to integrated security management. However, there are a few firms who have already gotten started along this line, such as Control Risks Group, a leading international business risk consultancy (www.crg.com), and Pinkerton Consulting and Investigations, Inc., a global provider of corporate security services (www.ci-pinkerton.com).

Pinkerton and Computer Associates have joined forces in a strategic alliance to enable customers to better mitigate business risks through the protection of cyber and physical assets. The CA/Pinkerton alliance was created in response to organizations' growing concerns about the effectiveness of their security management operations. Pinkerton has worked directly with CA to develop security policies for CA's eTrust 20/20 (see the sidebar “Platforms Supporting Integration”).

“CA and Pinkerton are responding to a revolution in thinking about security challenges that is leading to the convergence of physical security, cyber security, and business continuity planning under a single executive,” said Ty Richmond, senior director with Agilent Technologies, the world's leading designer, developer, manufacturer and provider of electronic and optical test, measurement and monitoring instruments, systems and solutions. “By leveraging CA's eTrust enterprise security management solutions and Pinkerton's end-to-end corporate security services, security executives should be better positioned to minimize corporate risk and protect the interests of their shareholders, customers, and employees.”

Organizational Readiness

Jeffrey A. Smith, the Western regional manager for General Dynamics Network Systems, has been dealing with critical security and IT projects for more than a decade. “The role of standards is critical, but you do need more than that,” Smith said. “Without standards to point to and work from it's difficult to foster agreement between physical security and IT. You need to develop a roadmap that both can follow to implement the standards. Standards provide a basis, and roadmaps provide a way to accomplish things organizationally.”

Since few companies have traveled down the physical and IT security integration road, roadmaps are only now being developed. However, knowing that sooner or later they will have to make the trip, organizations can start preparing for it without having a completed roadmap on hand. There are two reasons to start preparing now for the integration of physical and IT security:

1) It is not an instant process.
2) The preparations alone will benefit the organization.

Phil Mailes of Lenel International relates a story that illustrates these points. “During a recent deployment of a physical access control system the customer wanted to import employee information into the system so as to negate the need for time-consuming keyboard input. During a roundtable kick-off meeting this issue was discussed. Initially it was suggested that the HR database should be the source of this information; however, it was then indicated that contractors, for example, were not on the HR database. The next suggestion was to use the e-mail directory, but again there was a problem in that not everybody had access to e-mail, i.e., cleaners or shop floor operatives. The final suggestion was the IT database, but again, not everyone had a log-on account.

“Finally, as the company had recently deployed a cashless vending system, it was decided to use this as the source database. Investigation of the various databases found that there were serious errors in all of them. In many cases people had left the organization and had been removed from the HR database, but were still active in the IT and e-mail databases and so still had access to corporate resources. If they were so inclined they could have logged in and deleted files, for example. I have since found that this situation is not unique. In fact, many organizations have multiple legacy systems where the integrity of the data is questionable.”

Preparing for Integrated Access Control Management

The following list provides a few preparation steps that must be performed in advance of any physical and information systems access control integration project.

  • Locate all of the identity-related organizational databases, reconcile them, and if appropriate upgrade them to current levels of best practice and best product. (One approach is to implement an identity management system. This is not a small step and requires thorough analysis and planning.)

  • Document your existing policies, processes and procedures for physical and IT security.

  • Discover, by interview and observation, any unknown or little-known de-facto policies, processes and procedures affecting security, and document these as well.

  • Review the assignment of responsibilities for implementing and monitoring the policies, processes and procedures. Make sure the assignments are consistent with the current organizational structure and staffing. Verify that each person with responsibilities understands them and has the resources, authority and management support necessary to carry them out.

  • If higher-level business security processes aren't defined, work to define them at the general business level.

  • Pull all of the above information together to establish an up-to-date baseline picture of the organization's security, including identity management.

In addition to the immediate benefits, these steps will provide valuable input to future security initiatives.
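The following is an added example, not code from the article or from any vendor it names. It models the situation Phil Mailes describes (people removed from HR but still active in the IT and e-mail directories) and the first preparation step above: locate every identity-related database and reconcile it against an authoritative population. All records are constructed; the shared person id and the field names are assumptions.

```python
"""Reconciling identity sources before an access-control integration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed extracts. HR carries employees only; contractors live in a
# separate register, which is why neither alone is the source of truth.
# Each record is (name, status, end_date).
HR = {
    "e100": ("A. Adams", "active", None),
    "e101": ("B. Brown", "active", None),
    "e102": ("C. Clark", "active", None),          # shop floor, no PC
    "e103": ("D. Dale", "terminated", date(2003, 3, 31)),
    "e104": ("F. Fox", "terminated", date(2003, 1, 31)),
}
CONTRACTORS = {"c900": ("E. Evans", "active", None)}

# System name -> {person id: date of last activity in that system}
SYSTEMS: Dict[str, Dict[str, date]] = {
    "it":    {"e100": date(2003, 6, 1), "e101": date(2003, 6, 2),
              "e103": date(2003, 4, 15), "c900": date(2003, 5, 30)},
    "email": {"e100": date(2003, 6, 2), "e103": date(2003, 5, 20),
              "x777": date(2003, 5, 1)},            # id unknown everywhere
    "badge": {"e100": date(2003, 6, 2), "e101": date(2003, 6, 2),
              "e102": date(2003, 6, 2), "c900": date(2003, 5, 30),
              "e104": date(2003, 1, 15)},           # leaver, badge never revoked
}

Person = Tuple[str, str, Optional[date]]


@dataclass(frozen=True)
class Finding:
    kind: str      # orphan | used-after-termination | not-disabled | missing
    system: str
    person: str
    note: str


def authoritative_population(hr: Dict[str, Person],
                             contractors: Dict[str, Person]) -> Dict[str, Person]:
    """Union of the HR and contractor registers; overlapping ids defer to HR."""
    return {**contractors, **hr}


def reconcile(hr: Dict[str, Person], contractors: Dict[str, Person],
              systems: Dict[str, Dict[str, date]]) -> List[Finding]:
    """Compare every system's account list against the authoritative population."""
    people = authoritative_population(hr, contractors)
    findings: List[Finding] = []
    for system, accounts in systems.items():
        for pid, last_used in accounts.items():
            if pid not in people:
                findings.append(Finding("orphan", system, pid,
                                        "id unknown to HR and contractor register"))
                continue
            name, status, end = people[pid]
            if status == "terminated":
                # The risk in the story above: a leaver's account that was
                # actually used after HR recorded the departure.
                if end is not None and last_used > end:
                    findings.append(Finding("used-after-termination", system, pid,
                                            f"{name} left {end}, last used {last_used}"))
                else:
                    findings.append(Finding("not-disabled", system, pid,
                                            f"{name} left {end}, account still present"))
        # Coverage gaps decide which database can seed the access system.
        for pid, (name, status, _) in people.items():
            if status == "active" and pid not in accounts:
                findings.append(Finding("missing", system, pid,
                                        f"{name} has no {system} account"))
    return sorted(findings, key=lambda f: (f.system, f.person, f.kind))


def revocation_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(system, id) pairs that should be disabled before any integration."""
    return sorted({(f.system, f.person) for f in findings
                   if f.kind in ("orphan", "used-after-termination", "not-disabled")})


if __name__ == "__main__":
    for f in reconcile(HR, CONTRACTORS, SYSTEMS):
        print(f"{f.system:6} {f.person:5} {f.kind:23} {f.note}")
```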

Platforms That Support Integration

Lenel Systems International

Lenel Systems International, Inc. (www.lenel.com) has incorporated IT integration capabilities into its product line, the Lenel OnGuard® Total Security Knowledge Management Solution. OnGuard OpenIT™ is an advanced Application Integration Service that allows real-time, bidirectional, seamless integration between the OnGuard Total Security Knowledge Management Solution and IT applications.

OnGuard OpenIT allows OnGuard cardholders to be linked to Windows login accounts. OpenIT also allows OnGuard applications to be deployed (full-scale or scaled-down versions) onto alternative computing platforms. OpenIT enables information sharing and integration with third-party information systems products.

The flexibility of OpenIT allows many unique business security applications to be solved by leveraging existing data residing in IT information systems. For example:

  • OnGuard Cardholder Accounts can be created based on the establishment of a Windows account for that person.

  • A disabled OnGuard badge can cause the cardholder's Windows or other Active Directory/LDAP (Lightweight Directory Access Protocol) account to be disabled.

  • Customers can create scripts to automate movement of data to and from Human Resource Systems or Directory Servers.

  • Customers can create applications allowing the deployment of OnGuard applications onto alternative mobile computing devices such as wireless PDAs.

  • Login access to computers in a lab, for example, can be controlled based on the card access of the person badged into the lab.

Note that this last example is a solution for the problem exemplified in the Security Gap Scenario sidebar.

Lenel Systems International has also teamed up with Unisys Corporation in a strategic alliance to enhance the abilities of both companies to provide integrated physical and IT security solutions.

Computer Associates International

Computer Associates International, Inc. (www.cai.com) is one of the world's largest software companies, with more than 26 years of experience in enterprise and security software. CA develops and supports software solutions for 99% of the Fortune 500 companies in more than 100 countries.

CA’s eTrust security solutions secure enterprise resources and provide organizations with holistic views of their physical and IT infrastructures:

  • eTrust 20/20 — bridges the gap between physical and IT security by collecting, correlating, analyzing and intuitively displaying security events

  • eTrust Security Command Center — centrally manages an organization’s security infrastructure, providing situational awareness, and full command and control

  • eTrust Audit — gathers data from heterogeneous sources, enabling true, cross-platform event management

The eTrust 20/20 product is a rules-based system that allows organizations to implement exactly the kind of security integration they need. By virtue of its rules-based architecture, it can easily be adapted to account for organizational changes over time.

Once integrated with existing physical and IT systems - including audit logs, badge readers and human resource applications - eTrust 20/20 can provide complete visualization of every individual's access to physical facilities and information systems along with timestamps, and a clear display of where access is authorized for the individual. Innovative visual 'playback' functionality also provides analysis and documentation capabilities, essential for discovering, preventing, remedying and prosecuting inappropriate or malicious behaviors.

One of the things that eTrust 20/20 does is correlate access control information from the physical and IT systems to identify and track where unauthorized users are accessing computer resources. With that information, the system identifies the user, calls up his digital credentials and plots his movements on a graphical representation of the company's physical plant (see Figure 4 below).

Figure 4. Computer Associates' eTrust 20/20.

For example, the system can tell you that Mary used her handprint to enter the network operations center (NOC), but then Alison’s—not Mary’s—network login credentials were used to access a NOC workstation. The system would flag that the two access credentials don't match, and a security administrator would deduce that Mary was the actual person in the NOC.

Organizational security policies and procedures, knowledge of its critical assets, and an understanding of the threats the organization faces all form the basis for rules creation. Thus CA has teamed up with Pinkerton Consulting and Investigations, Inc., which has developed security policies for eTrust 20/20. (See the section titled “Benefiting From Experienced Professionals.”)

Software House

Software House (www.swhouse.com), a member of Tyco Fire & Security, is a well-known leader in integrated security solutions. Software House’s C-CURE® product line provides a central integration platform for video, access and other peripheral electronic security networks. Software House has partnered with Computer Associates for the development of an interface between the C-CURE® line and CA’s eTrust 20/20.

Software House has long been an advocate of integrated security systems, and provides an example of how centrally managing alarm information can be of benefit. Recently, a fire alarm led to the evacuation of employees and members of the public from the main government executive building in New York's Westchester County. Using a new C-CURE integrated security system from Software House, public safety officials were able to check video associated with the event. Within seconds they saw that an elderly woman had mistakenly pulled an alarm, thinking it was necessary to enter an adjacent restroom. Those who had already left the building were allowed to quickly return.