The Convergence of Physical Security and IT: Integration Lessons—What the Private Sector Can Learn from the CAC Project


This is the fifth article in a series that explores the convergence of physical security and IT technology and its impact on security and IT departments, vendors and management.


Taking a look at the United States' largest integration project can shed light on potential issues in smaller-scale implementations.


Manufacturers estimate that between 5,000 and 10,000 access control systems have been sold that can support integration with IT systems for card access system provisioning (granting and revoking user access privileges). The same manufacturers report that hundreds of customers have expressed interest specifically in that kind of integration. Yet only a dozen or so systems have actually been integrated to any significant degree, and those deal mostly with revocation of access privileges upon termination of employment.

There are significant security and cost benefits to be obtained from the integration of physical security and IT security user management (see “Integrating Physical and IT Security Management” in the June 2003 issue of ST&D). So why haven’t more systems been integrated? An examination of the largest single integration project attempted may provide an answer.

The Common Access Card

The largest single program intended to integrate the management of physical and information systems access is the Common Access Card (CAC) program of the U.S. Department of Defense. On November 10, 1999, the Deputy Secretary of Defense issued a memorandum directing the integration of efforts to improve information assurance and reduce fraud associated with the then-current Armed Forces ID card. In response to this memorandum, the DoD began the CAC program.

Employees of the DoD at that time had anywhere between two and seven identification and building access cards, depending on how many sites they needed to access over the course of their work day. Most DoD staff would wear these cards on a chain around their neck. One objective of the CAC was to winnow the multiple ID cards—which were estimated to be as many as 30 million—down to one per employee. That's about 4 million cards. Similarly, contractors and vendors who need access to multiple facilities would require only one card. There are significant cost savings to be gained by issuing and managing 4 million cards instead of 30 million, both in terms of card holder personnel costs (time spent waiting for cards to be issued and renewed) and card costs, as well as security personnel costs involved in the issuance and management of cards.

The overall coordination and management of the CAC project fell to the Access Card Office, a new group in the Defense Manpower Data Center (DMDC), which is part of the Personnel and Readiness division of the DoD.

The objective of the Common Access Card program is to provide more than a strong ID system. In addition to functioning as a common ID card, the Common Access Card must provide physical access to facilities and logical access to unclassified information systems, and it must use smart card capabilities to secure electronic transactions. The ultimate objective is to support the re-engineering of business processes to accomplish improved military readiness; improved quality of life; streamlined, paperless business processes; and cost savings. Initially, the cards contained identification and security information. As the appropriate applications are developed, they will also hold information about service members, such as medical and dental data and finance allotments. These capabilities streamline the now drawn-out process of verifying service members’ readiness for deployment.

"Under the old process," said Mary Dixon, director of the Access Card Office, "a person would have to go to a gymnasium once or twice a year with all their records and go to several different stations. It would take most of the day to go through that process. Now, deployment readiness can be verified in minutes if everything is up to date, and in an hour if something requires updating or the person needs additional processing, such as receiving and recording a shot."

In some cases, she said, personnel are required to show up as much as four hours before a deployment flight. They sit and wait while their information is processed for the manifest. With smart cards, the wait can be cut by at least half. "So that's more time that's given back to the soldier, sailor, airman, Marine—or it's given back to the commanders to use for training," Dixon said.

At the start of the project, the DMDC team assessed the state of physical and logical security technology and realized that then-available solutions would not accomplish their objective, because the CAC program would have to work across multiple systems provided by multiple vendors. Thus the CAC initiative resulted in the development of the Government Smart Card Interoperability Specification by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce. This specification provided a common base for the smart card implementations of the vendors involved in the program.


An Evasive Goal

The CAC program has accomplished technological and organizational feats that have no equivalent in the private sector. In spite of technology hiccups that delayed the project at various points, 4 million smart cards have already been issued, and today cards are being issued at the rate of about 8,000 per day.

However, even in this successful program, integration of the smart card functionality with physical access control systems is just getting off the ground, partly for technology reasons and partly for organizational reasons.

Culture Clash

Joel C. Willemssen is Director of Information Resources Management within the United States General Accounting Office’s Accounting and Information Management Division. In testimony to the House of Representatives in September 2003, Willemssen said, “The ability of smart card systems to address both physical and logical (information systems) security means that unprecedented levels of cooperation may be required among internal organizations that often had not previously collaborated, especially physical security organizations and information technology organizations. Nearly all federal officials we interviewed noted that existing security practices and procedures varied significantly across organizational entities within their agencies and that changing each of these well-established processes and attempting to integrate them across the agency was a formidable challenge.”

Willemssen continued, “Defense officials stated that it has been difficult to take advantage of the multiapplication capabilities of (the DoD’s) Common Access Card for these very reasons. As it is being rolled out, the card is primarily being used for logical access—for helping to authenticate cardholders accessing systems and networks and for digitally signing electronic transactions using PKI. Officials have only recently begun to consider ways to use the Common Access Card across the department to better control physical access over military facilities. Few defense facilities are currently using the card for this purpose. Defense officials said it had been difficult to persuade personnel responsible for the physical security of military facilities to establish new processes for smart cards and biometrics and to make significant changes to existing badge systems.”

IT personnel in the private sector report this same sort of experience when they attempt to involve physical security personnel in integration with information systems. In most cases, the meeting presentations are technology-based, not strategy-based, and are not presented from the perspective of a non-technologist. Technology won’t motivate the physical security folks the way that sound strategy—and an executive statement or mandate that supports it—can. This stifles physical security participation instead of nurturing it.

To help support the use of the Common Access Card for physical access, the U.S. Office of Personnel Management (the federal government’s human resources agency) recently began an initiative to get agency HR folks and physical security folks talking to each other about how this should work.

Change Comes First

Willemssen’s statements highlight a lesson that transcends security projects and applies to any type of technology project: Don’t use technology to cause change; use technology to support change.

Joel Rakow is a partner in Tatum Partners, the largest professional services provider of financial and information technology leadership in the United States. He stated the above lesson another way: “Don’t expect technology to fix a broken process. You have to fix the process first, and then you can utilize the technology successfully.”

In accordance with that advice, Rakow recently led projects in two client organizations whose objectives were to integrate physical and information system security at the management level.

“Typically, IT security managers employ a technology-focused approach, often without conducting formal vulnerability and risk assessments,” Rakow said. “When they do conduct assessments, they are targeted at technological risk and focused on tactical issues relating to the information systems technology. Security has to relate to business strategy and business practices, what assets are important to critical business operations, and what the security risks are for those assets. When you have identified the critical information assets within the context of business operations, you can develop a security strategy for them that naturally would include both physical security and IT security elements.

“This is the level at which physical security and IT security are first integrated, at the strategy level. From there you can determine to what extent, if any, integrating physical security systems and information systems will support your strategy.”


The Cornerstone Of Security

Control over who has access to what assets at what time is a crucial part of security. In order to integrate access across the physical and IT security realms, a unified strategy for managing user identities must first be in place.

Product literature and magazine articles can create confusion about what identity management means. Vendors use the phrase to mean any number of things, from single sign-on applications to certificate authentication. Yet such technologies are really add-ons to identity management. Rakow explained, “The three key ingredients to identity management are authentication, authorization and auditability. An important security aspect to identity management is identity federation, which means that no single entity operates the entire identity management system.”

Identity information in many organizations is spread across multiple repositories: personnel (HR), payroll (Accounting), visitors (Security or Facilities Management), information systems access (IT), e-mail (IT), employee physical access (Security), and janitorial personnel (Facilities Management). You may be John Smith in one repository, JLSmith in another, and John L. Smith in another. The naming conventions may not be consistent even within a single repository.

Mike Butler, Chief of Smart Card Programs in the DoD’s Access Card Office, said, “If you try to address identity management just from an IT perspective, it’s a lot of money. If you take solely an HR or physical security perspective, you have the same thing. But if you get all three participating in the solution and developing an overarching strategy, overall it can be cost effective.”

Planning the deployment of an identity management solution and reconciling disparate repositories of identity information are usually the largest steps in preparing for the integration of physical and IT access management. It is important to remember that identity management is not just a security issue; it’s an enterprise management issue. Although security may be a driver for implementing identity management, its strategy will include operational elements from all of the business units and will often extend outside the organization to include those with whom the organization does business. Identity management lets companies reduce user management costs, increase security, ensure privacy, comply with federal regulations and facilitate communication.
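To make the reconciliation step concrete, here is an added example that is not from the article and not from any vendor product it names. It uses constructed sample exports from three repositories of the kind listed above (HR, the physical access control system, and an LDAP/Active Directory account list), treats HR as the authoritative source for employment status, joins records on a shared employee number where one exists and on a normalized name otherwise, and reports the gaps an integrated provisioning process should close: terminated staff whose badge or account is still live, and badges or accounts with no HR record. All names, identifiers and field names are assumptions made for the example.

```python
"""Reconcile identity records held in separate repositories (constructed example)."""

# Constructed sample repositories (not real personnel data).
HR = [
    {"emp_no": "10017", "name": "John L. Smith", "status": "active"},
    {"emp_no": "10042", "name": "Maria Garcia", "status": "terminated"},
    {"emp_no": "10088", "name": "Wei Chen", "status": "active"},
]
BADGES = [  # physical access control system export (assumed field names)
    {"badge_id": "B-221", "holder": "SMITH, JOHN", "emp_no": "10017", "enabled": True},
    {"badge_id": "B-305", "holder": "GARCIA, MARIA", "emp_no": "", "enabled": True},
    {"badge_id": "B-410", "holder": "JANITORIAL CONTRACTOR 7", "emp_no": "", "enabled": True},
]
DIRECTORY = [  # LDAP/Active Directory account export (assumed field names)
    {"sam": "jlsmith", "displayName": "Smith, John L.", "employeeNumber": "10017", "disabled": False},
    {"sam": "mgarcia", "displayName": "Garcia, Maria", "employeeNumber": "10042", "disabled": False},
    {"sam": "wchen", "displayName": "Chen, Wei", "employeeNumber": "10088", "disabled": False},
]


def name_key(name: str) -> str:
    """Reduce 'Last, First M.' or 'First M. Last' to 'first last' (lowercase).

    Middle names and initials are dropped because repositories record them
    inconsistently. The key is only a fallback used when no employee number
    is available, and matches made this way are labelled as such.
    """
    name = " ".join(name.replace(".", "").split())
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
    else:
        parts = name.split()
        if not parts:
            return ""
        first, last = parts[0], parts[-1]
    return f"{first.split()[0]} {last.split()[-1]}".lower()


def reconcile(hr, badges, directory):
    """Return a list of (repository, identifier, problem) findings."""
    hr_by_no = {r["emp_no"]: r for r in hr}
    hr_by_name = {}
    for r in hr:
        hr_by_name.setdefault(name_key(r["name"]), []).append(r)

    def match(emp_no, name):
        # Prefer the employee number; fall back to the normalized name, but
        # refuse to guess when several HR records share that name.
        if emp_no in hr_by_no:
            return hr_by_no[emp_no], "emp_no"
        candidates = hr_by_name.get(name_key(name), [])
        if len(candidates) == 1:
            return candidates[0], "name"
        return None, ("ambiguous" if candidates else "none")

    findings = []
    checks = [
        ("badge", badges, "badge_id", "holder", "emp_no", lambda b: b["enabled"]),
        ("account", directory, "sam", "displayName", "employeeNumber", lambda a: not a["disabled"]),
    ]
    for repo, records, id_field, name_field, no_field, is_live in checks:
        for rec in records:
            person, how = match(rec[no_field], rec[name_field])
            if person is None:
                findings.append((repo, rec[id_field], f"no HR match ({how})"))
            elif person["status"] != "active" and is_live(rec):
                findings.append((repo, rec[id_field],
                                 f"live but HR status is {person['status']} (matched by {how})"))
    return findings


if __name__ == "__main__":
    for repo, ident, problem in reconcile(HR, BADGES, DIRECTORY):
        print(f"{repo:8} {ident:10} {problem}")
```

On the sample data the report lists the terminated employee's badge (matched only by name, since the badge system never recorded her employee number), her still-enabled directory account, and a contractor badge with no HR record. Name-based matches are a weak join and should be confirmed by a person before any automated revocation acts on them; the point of the employee-number column is to make that fallback unnecessary once the repositories have been reconciled.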

The Role of IT Service Providers

Identity management has been a part of physical access control systems since before the advent of the personal computer. But the type of identity management system now being discussed has emerged only in the past few years; it became necessary in the IT community once enterprise computing became a reality. In one sense, you could say that electronic security systems integrators have been in the identity management business for more than two decades, but using a proprietary, closed-protocol approach. Today’s identity management systems must talk to a multitude of information systems, and open protocols are being developed to support the interoperability that identity management federation requires.

Recognizing the importance of identity management for an enterprise, Lenel Systems developed OnGuard® OpenIT™, which is designed to integrate its OnGuard Total Security Knowledge Management Solution suite with any Lightweight Directory Access Protocol (LDAP) directory structure. OnGuard OpenIT integrates off the shelf with leading LDAP directory servers including Microsoft® Active Directory® (AD), Novell® NDS eDirectory™ and iPlanet™ Directory Server (Netscape).

While security systems integrators are moving to integrate with enterprise identity management systems, some IT service providers are stepping up to provide solutions in both the IT security and physical security domains. Siemens Information and Communications Network Inc. (ICN), a contributing member of the Open Security Exchange, has a number of such projects ongoing, according to Jeffrey Demers, a business development manager for ICN.

Demers said, “We are able to assist the customer with the entire process that encompasses the deployment of an identity management system, including integration with physical access control systems. You don’t start from scratch. You have to take into account the existing business systems as well as future objectives. It’s not just a matter of product selection. As an experienced IT service provider, we understand the importance of management support, and we know when and how steering committees and working groups are needed and their function in the project. We are used to working with human resources to identify the various roles that are involved across the organization, and how the system to be implemented must support their related job functions. This is very organization-specific. A lot has to be done before you can get to the point of product selection. There is often more than one path open, and you have to understand, identify and clearly communicate the cost impacts and the organizational impacts of each path. Our team works as an integrated part of the customer’s team.”

Demers explained further, “By the time we are ready to implement the chosen solution, we have a well established working relationship with the customer and have a very exact and complete understanding of what they want to accomplish. We’re not just implementing a system; we’re accomplishing the customer’s objectives.” For an IT service provider like ICN, incorporating physical access control becomes simply another aspect of a much larger overall project.


UBS is a premier global financial services firm offering wealth management, asset management and investment banking services to individual, corporate and institutional investors. Katherine Issel is an associate director for the Global Industrial Group of UBS Investment Bank. Issel has been closely watching security and IT convergence issues for the past year due to the emerging opportunities for companies involved in one or both domains.

"I think that system integrators who have experience in the IT space are going to play a very central role in the convergence or integration of physical and IT security," she said. "Today, we're dealing with enterprise systems that play an important part in organizational management, but they have very discrete functionality. An access control system—whether for physical or logical access—benefits from integration with an enterprise identity management system … I think that integrators who are adept at incorporating key systems into enterprise business operations will be naturally well-positioned for the inevitable convergence between physical and IT security."

Lessons Learned

Organizations have been buying integration-capable systems, but there is little physical and IT security integration at this time. The following are some lessons that can help us change that picture, reduce costs and close the security gaps.

  • The integration of physical and IT security starts with strategy at the management level.

  • Executive management and security management must drive the change by implementing the strategies; the technology folks can’t drive the change.

  • Implementing integrated security management (physical and information systems) starts with identity management. Typically Corporate Security or the CSO, consulting with the CIO or CISO, HR and Legal, would develop the strategy.

  • A leader who is not a technologist, or who can take the non-technologist viewpoint, must communicate the security vision and strategy within the organization, and must bring about the participation of the non-technical people who are to be key participants in the program. The bulk of the work is actually non-technical.

Change to the organization’s security strategy, policies and procedures, and their successful adoption by the organization’s personnel takes time. The larger the organization, the more time it takes—but the greater the benefits.