An urge to converge: Physical and logical identity and access management

As a company that manufactures weapons, aircraft and defense electronics for the military, Northrop Grumman certainly knows security. When it comes to protecting its own assets, the company is on the cutting edge, currently implementing a converged physical and logical identity and access management program.

By this time next year, it's expected that each of the 120,000 Northrop Grumman employees will carry a smart card that supports multiple authentication methods and enforces policies throughout the enterprise. The move will provide multilayered security across company networks, systems, facilities, data, intellectual property and information assets, says Keith Ward, director of enterprise security and identity management at the company.

When arriving at work, employees will swipe their personalized identification card to enter their Northrop Grumman facility. The card will store information about the employee – name, address, photo, fingerprints, access controls, passwords, digital certificates and training information, as well as data about the company. Once inside the facilities, employees will again swipe the same card to log onto their computer at each workspace, which will be equipped with a smart card reader.

“The issue of logical and physical convergence is real,” says Larry Ponemon, chairman and founder of independent research company Ponemon Institute. “A lot of organizations are starting to think about one holistic model.”

But security convergence has different meanings to different organizations. Some are changing their organizational structure by merging the physical and logical groups themselves and aligning policies and budgets. More commonly, organizations are rolling out converged technologies, such as access control systems and IP-based surveillance cameras.

“The federal government has been a significant driver for the development of converged technologies,” says Randy Vanderhoof, executive director of the nonprofit Smart Card Alliance. For example, in 2004, the Homeland Security Presidential Directive 12 (HSPD-12) was passed, requiring all federal government employees and agencies to use a converged physical and logical ID badge. Standards were created for how the badge is designed, what identity elements are present inside the card, and how the card is used for physical and logical access.

Northrop Grumman's identity and access management convergence effort began in May 2006. At that time, the company was hindered by numerous physical security, human relations and information technology systems it had inherited through years of acquisitions.

“We had a lot of disparate systems, applications and authoritative sources for identity within the company,” Ward says.

Since Northrop Grumman works largely with government organizations, it followed the federal HSPD-12 model, allowing employees to not only use their smart card internally, but also to gain physical and logical access to federal government facilities and systems.

Lessons learned
Besides access control systems that merge physical and logical security, another leading convergence security technology is IP-based surveillance cameras. These cameras are being widely deployed today. But, says Steve Collen, director of product marketing for Cisco's physical security business unit, IT teams need to work closely with physical security teams to ensure deployments do not open security holes to the corporate network.
At Cisco, this lesson was learned the hard way after the company implemented digital security cameras about 10 years ago, says Deon Chatterton, manager of workplace resources for Cisco's safety and security team. Initially, the physical security department let the IT department know what it was doing – implementing 2,000 cameras that would record digital video to 300 servers. However, that was the extent of the collaboration.

“We found out this approach wasn't good. We left ourselves vulnerable on the network,” Chatterton recalls.

In 2001, a virus spread throughout 150 of Cisco's video management servers. The physical security team was forced to ask IT for help. It took about 20 IT and physical security employees working through a weekend to fix the issue, Chatterton says. Since that incident, the IT department has helped manage and secure physical security products.

“IT is a valuable partner – from the planning perspective to helping test and design architecture,” Chatterton says.

In general, IT departments are getting more involved in the purchasing decisions of IP-based physical security products, according to a recent survey conducted by global electronics research organization IMS Research. The survey of 105 North American physical security systems integrators and installers found that IT managers are included in decisions to purchase IP-based physical security products 60 percent of the time.

“Now, physical security is controlled in a lot of capacities by IT,” says Karim Hijazi, founder and CTO of cybersecurity services firm Demiurge Consulting.

In addition, 75 percent of respondents to the IMS survey said they deal more with IT managers now than they did a year ago. And, more than 35 percent of respondents said they expect half their physical and logical access control installations to be integrated in three years, says Niall Jenkins, market analyst at IMS Research.

Both sides now
But while IT is becoming more involved in physical purchasing decisions, some say a convergence effort and security itself is more successful when it's moved out of the IT department.

“I believe it's a conflict of interest for the IT security group to be reporting solely to the CIO,” says Kent Anderson, managing director of security risk at consulting firm Encurve.

When IT security falls under the purview of the CIO, who is overseeing the applications that support the business, it's much easier for risks to be ignored or played down, Anderson says.

The Smart Card Alliance's Vanderhoof agrees, noting that organizations must commit to both IT and physical security. So, rather than continuing to invest in both separately, there are products on the market today that will achieve the organization's security goals through a converged, system-wide approach.

“I am a proponent of having all security fall under some group in upper management, like a CISO or CSO,” says Colby DeRodeff, enterprise strategist at security vendor ArcSight and co-author of Physical and Logical Security Convergence (Syngress, 2007). “Most of the time, it's not like that, unfortunately, but it would make things easy to be successful.”

One of the biggest challenges of aligning the two groups is that they're so fundamentally different, says Demiurge's Hijazi.

The physical security group, often made up of ex-military or law enforcement personnel, has a different skill set than the more technology-savvy information security personnel. But an organization that gets these two groups working together can reap tremendous benefits, says Craig Lucca, manager of security administration and management at Bloomberg. Specifically, the physical security team can provide risk mitigation insight, help enforce policies and conduct investigations.

“If you have the right people on both sides, you can put together a very strong team,” Lucca says.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.