More and more companies are marrying their physical and logical security environments to improve efficiencies, reports Alan Earls.
Nick Nikols, CTO at Quest Software, a data protection vendor based in Aliso Viejo, Calif., says many organizations have kept their physical and logical access management separated, often leaving the logical security to the IT staff and entrusting the physical aspect to the facilities department or to guards. But, that's a formula for disaster, he says. Such practices can lead to a number of potential problems, such as physical access cards still remaining active long after an employee has been fired, simply because a mechanism was not employed to update the physical access system when the employee was processed for termination in the HR system. “Also,” says Nikols, “with this separation, it is nearly impossible to manage physical access at a finer granularity, such as by the individual's role.”
Since much of the decision-making for both logical and physical access management really stems from understanding the actual identity of individuals, he says it also makes sense to integrate these environments to leverage a common identity infrastructure. “There can be tremendous cost savings – by eliminating duplicate processes and infrastructure,” Nikols says. Furthermore, integration can greatly improve defenses by enabling better, more real-time access enforcement.
While experts, vendors and organizations have a variety of experiences and views on the topic, physical and logical integration is at the forefront of thinking in many organizations. For instance, in the Los Angeles Police Department, the Counter Terrorism and Special Operations Bureau recently migrated from a microwave-based analog system of mobile surveillance cameras to an IP-based digital system. The change not only provided improvements in “on the spot” capabilities – in terms of running more cameras in a given location with less complexity for law enforcement personnel – it also provided a new level of connectivity, data storage and analysis.Now, the cameras stream encrypted data to a server at the command post where it can be handled securely, like any other media, and be made available to multiple users in real time.
Similarly, at Port Fourchon in Louisiana, located on the Gulf Coast, the Greater Lafourche Port Commission (GLPC) and security firm Crescent Guardian recently completed implementation of an advanced video analytics application developed by BRS Labs, as part of a digital security camera installation project. Although primarily a video surveillance application, the system also helps ensure that first responders in Port Fourchon – including harbor police, the sheriff's office and fire services – receive alerts and can coordinate actions in real time. According to April Danos, director of information technology for the GLPC, the U.S. Department of Defense supported the port's integration initiatives by sharing the Department of Defense (DoD)-developed capabilities of the Knowledge Display and Aggregation System (KDAS) as a template for the port's incident command-and-control system. The use of KDAS also allowed the port to network its system with DoD so that information could be shared if necessary.
Another indicator of how the worlds of physical and logical security are rapidly becoming one is evidenced by the ownership stake recently taken by Dunbar Armored, an armored car services company, in Taasera, a software company focused on cloud security. “Expanding our enterprise in strategic partnership with Taasera to provide ‘digital armor' that expands the protection of our financial, government and retail customers to digital or cyber attacks is simply an evolution of our services,” says Kevin Dunbar (left), president and CEO of Dunbar Armored.
To achieve success, the process of integrating the two disciplines must be planned efficiently. The convergence of physical and logical security has to be managed by one team, says Gary Bahadur, CEO at Razient, a Torrance, Calif.-based risk management software-as-a-service (SaaS) provider. “Most companies treat this as separate projects, but with the technologies in place to manage physical risk integrated with software and hardware solutions, one risk assessment process has to be in place,” he says.
Another key capability enterprises should look for when blending security is a directory-to-directory approach that can deliver one unified view into physical and logical access control policies, reports and activities, as well as the addition, editing and deletion of identities, says Terry Neely, founder, president and CTO at RedCloud, a Sterling, Va.-based provider of web-based, physical access control systems.
Too, convergence enables organizations to automate policy enforcement and improve risk mitigation within the current IT environment, without having to endure costly and customized implementation and management, says Neely. For example, he adds, a door held or forced open can automatically alert computers in an adjacent room to suspend building and network access simultaneously, and also send a command to an IP camera to stream video to the head of security or to the network operations center.
Neely says there is a greater chance of achieving success where both physical and IT security teams together report to decision makers. “Organizational convergence must precede security and technology convergence, and the greatest chance for maximizing the benefits is where a holistic mission or mandate drives the unification of physical and logical security,” he says.