Single security strategy unites physical and logical assets

Company security is an absolute. Whether it's data or the physical IT infrastructure, if there is a single weak link the company is not secure, writes Fran Howarth, principal analyst, Quocirca.

Company security is an absolute. Whether it's data or the physical IT infrastructure, if there is a single weak link the company is not secure, writes Fran Howarth, principal analyst, Quocirca.

Even the most virtual of organisations have physical assets, such as storage systems, that need to be secured. Too many companies have been caught out by loss or theft, some of which have led to data being leaked, damaging the reputations and business of the companies involved.

Put simply, applying the same standards to both physical and logical or IT assets is the only way to achieve effective business security. But, in most organisations, the physical and IT security teams have reported to different people and maintained separate budgets.

But this is changing, and much of this change is being driven by the increasing regulation governing companies, be they industry-specific, employment laws, or privacy and data protection legislation.

By combining physical and IT security into one function within the organisation, companies can establish centralised control and achieve a co-ordinated response to security breaches. This will vastly improve their ability to comply with the regulations that they face and allow them to take a holistic view of risk management across the entire business.

Over the past two years, physical and IT security convergence has picked up speed faster in some industries than others, with those which are the most heavily regulated, such as financial services, leading the charge.

The initial goal is often to combine access to facilities - buildings, etc - with the processes they have in place for controlling access to the IT network.

The ultimate goal for many is to achieve a single sign-on across all systems, physical or logical, based on a user's identity and backed up with strong authentication.

One of the pioneers in this fast-emerging space is Imprivata, a provider of enterprise authentication and access management technologies, and one of the first vendors to tie physical and logical access controls together. Imprivata offers its technology as an appliance that provides a complete authentication platform that allows single sign-on to be enabled for all applications used by an enterprise without the need to modify back-end infrastructure such as directories or processes such as workflow.

For integrating physical access control devices, the platform supports physical access control systems from leading vendors such as Honeywell and Lenel, and provides an API for connecting to other systems not natively supported. It also provides built-in support for a wide range of strong authentication mechanisms, including those from vendors such as RSA and Vasco, and for integrating to backend directories from vendors including IBM, Novell and Sun.

In this way, the OneSign Platform allows companies to leverage their existing investments and achieve much higher levels of security at a fraction of the cost of replacing technology already in use.

By tying together all access controls in an organisation, companies can benefit from having one unified platform for authentication of users, making access and authentication policies easier to enforce.

This gives companies the ability to deny network access to all those who have not used a badge to enter the building, such as tailgaters who have sneaked in behind another person who has authenticated themselves by swiping their access badge across a reader.

Who hasn't held open a security door for someone? Now, if someone has not announced their presence in the building to the physical access system, they will be denied access to the network. This means that access to sensitive applications such as financial records, for example, can be limited to only those employees who are actually on the premises and have been registered as such.

But having such a system in place also means that it is easier to provide secure access to remote workers by tailoring access policies to the method of connection being used.

For example, companies can enforce access via a VPN connection for remote workers and can limit the set of applications to which they have access.

Another key benefit is that of deprovisioning an employee when they leave an organisation. One user's identity may have multiple rights associated with it, which has often proved a headache to the IT department when trying to work out all the applications and devices associated with a particular user.

In many organisations, this causes delays in locking out users from the network, potentially allowing them to access sensitive company information when they have already left to join a competitor.

By tying users' IT access rights to a single device that also enables physical access, companies can ensure all rights associated with a user's identity are revoked immediately when their physical access badge is handed in or revoked centrally.

One further benefit is that a centralised management platform for all access control provides companies with the ability to report on all access and authentication events across all the different systems used in the business.

So, if the benefits are real, what has been holding this back? Not only have the physical and IT security teams performed different roles, largely in parallel, but the types of equipment used for physical and logical security have been different.

Physical controls such as video cameras, locks and turnstiles, have normally been based on analogue technologies. Increasingly, however, physical security and access control mechanisms are being connected using internet protocol technologies, allowing them to be integrated into logical access systems.

By using an appliance such as that from Imprivata, tied into back-end directories, provisioning systems and strong authentication mechanisms, companies will be a great deal closer to achieving effective business security across all of their assets.


Read more on Hackers and cybercrime prevention