There are obstacles to integrating physical and logical security, but the upshot is a more seamless operation, says Honolulu CIO Gordon Bruce. Dan Kaplan reports.
When Honolulu was preparing for an expected onslaught of protests that typically mark the annual APEC Economic Leaders’ Meeting, city and county leaders knew they had one security measure working in their favor which no one could compromise.
“We are on an island and are 2,500 miles away from the other states,” Gordon Bruce, chief information officer of the city and county, says. “So it’s not easy to jump on a bus and come here.”
But the government, of course, didn’t simply rely on its geographic isolation to ensure the annual forum – attended by dignitaries of 21 Pacific Rim countries and the United States to discuss economics, trade and investment policies – went off without a hitch. The integration of physical and logical security assets, namely bringing some 300 traffic cameras online under Honolulu’s integrated physical and access control monitoring system, also played a major role to ensure there was limited disruption to operations.
“We know where all the cameras are,” Bruce says. “If we need to bring them into some event going on, we can now easily fold them in…The whole point was to limit conflict and encourage participation in the process. The Secret Service even said it was one of the tightest events with which they’ve ever been a part.”
Since it embarked on a project seven years ago to converge physical and logical security, Honolulu, which makes up the entire 600-square-mile island of Oahu, is an entity that finds itself flaunting a rare synergy: Physical and facilities security and data/network/application security all fall under its Department of Information Technology. In other words, both sides of the house – the guards, gates and guns piece as well as the IT component – all work together under one roof.
“That was a conscious decision that was made in 2005 to bring all that together as one set of security complements,” says Bruce, 62, the CIO for seven years. The result is a more holistic, risk-based approach to security, he says.
Security convergence is certainly nothing new – the Sept. 11, 2001 attacks certainly gave it a healthy push forward – but its widespread adoption remains a work in progress. Brian Contos, senior director and customer security strategist at McAfee, defines convergence as a process by which physical and logical protection can be centrally managed and monitored through analytics, policies and procedures – all the while keeping a clear, communication channel between the two disciplines.
“If I have a solution in place that lets me centrally manage, configure and respond to all these disparate endpoints, whether it’s a computer or a door, that’s an efficiency win,” says Contos. “It allows one to be more effective and mitigate threats.” He adds that it also leads to cost savings over the long run.
More businesses are realizing that the lines of demarcation between physical and logical are certainly not what they used to be, especially as organizational leaders think about their security in terms of risk. Besides, IT-specific or blended threats are more likely to affect many organizations today than an exclusively physical attack. Once one accepts the benefits of integration, it’s easy to understand how boundaries can quickly erode. As a sign that the tide is turning, in September, ASIS International – an association for physical security professionals – and the IT-focused (ISC)2 held their annual meetings concurrently for the first time.
But the path to this aggregated style of security remains littered with obstacles, most notably the philosophy that the physical and IT security departments are distinct groups. According to a poll conducted by ASIS and (ISC)2 in the fall, almost half of 1,841 respondents said they do not have a definitive, enterprise-wide view of risk.
That explains why convergence is more common outside of the United States, in countries where IT connectivity is just beginning to emerge, places like Latin America, Southeast Asia and Africa. “It’s easier to go ahead and integrate this type of component as opposed to bolting it on after the fact,” says Contos.
When explaining the still-limited levels of convergence adoption, technology can no longer been seen as the largest barrier. After all, solutions now exist that make the integration of physical access control systems (PACS), such as badge readers, and logical controls, such as Active Directory and user provisioning, much more seamless, says Mark Diodati, a research vice president at Gartner. The analyst firm prefers the term physical identity and access management, or PIAM, instead of convergence.
“Before PIAM, there was a whole lot of customization you had to do to integrate with a PACS,” he says. “You’d have to hang a modem off a PACS or trigger a dial-up connection. There was a whole lot of hassle, and even if you could do that integration, there was no application programming interface to do the work. You had to figure out how the PACS systems worked. We’ve come a long way since then.” Diodati adds that logical systems, too, particularly the Windows Vista and 7 platforms, are offering increased smart card support.
This corporate symbiosis makes sense, experts say, given the more prominent role that security plays in today’s business environment, with concerns over data breaches, compliance and even terrorism remaining at high levels.
Perhaps no vertical has been leading the convergence push more than the federal government. In 2004, the Homeland Security Presidential Directive 12 (HSPD-12) was approved, requiring all federal employees and agencies to use a converged physical and logical ID badge., known as a PIV card.
Other industries, such as financial services and health care, are also seeing accelerating adoption rates. In the case of the latter, a market that traditionally lags in the area of technology, health care is beginning to place an uncharacteristically heavy emphasis on IT security, in response to audit fears of HIPAA and the HITECH Act. This is enabling the linking of physical and logical security functions.
Synergies allow physical security to benefit from technologies that were largely considered the domain of IT, such as security information and event management (SIEM). In the past, if something suspicious showed up on a surveillance camera, for example, the process to review the incident was arduous.
“You had to take out the video tape and watch for hours and fast forward,” Diodati says. “Now these can be catalogued and indexed, and can be fed into a SIEM product to correlate across disparate systems. SIEM is about looking at what’s going on across systems.”
Perhaps the upside of convergence is no better expressed than in a manufacturing or critical infrastructure entity, which often must follow strict mandates governing the access and identity of users.
Pan Kamal, vice president of marketing at AlertEnterprise, which makes software that unifies systems and applications across domains, offers a mock scenario of how a blended threat may warrant convergence within these environments: A warehouse supervisor who is marked as “disgruntled” in the HR system badges into the plant’s physical security system during off-hours. He then proceeds to look up valuable data related to pharmaceuticals on an inventory control system, adjusts the quantities in an inventory IT application, and then physically removes some of that merchandise from a warehouse shelf. Kamal explains that no single action the employee performed may have signaled the impending threat, but taken in concert, between physical and logical systems, he may have been stopped.
“It’s really connecting the dots,” Kamal says. “You must analyze risk across all those siloes to get the most comprehensive view of risk.”
Back in Honolulu, Bruce is no stranger to centralization. For example, Hawaii doesn’t have a statewide Department of Motor Vehicles. Vehicle registration is handled by each county government – Bruce and his team are responsible for securing the process – and the system interfaces with DMVs from around the country and in Canada and Mexico. In addition, Bruce has overseen the collapse of Honolulu’s 14 phone systems into the state’s largest VoIP system.
In 2005, Bruce embarked on a $300,000/year project – largely covered by federal funds – to make Honolulu’s security fully converged. Specifically, that meant centralizing video surveillance and access control across Honolulu’s numerous buildings and facilities, which includes six highly sensitive wastewater treatment plants.
“[Now] we have 9,000 ID badges issued to [all] city and county employees,” he says. “We are logging you electronically and visually that you have gone in and out of facilities. Now we get alerts when cameras break or doors are left ajar.”Any pushback that employee unions gave on the camera systems – which previously were managed by individual departments – were assuaged when Bruce explained how the new protocol will better protect the safety of workers. “The key to the unions that helped them understand is that it’s not just about monitoring the employee, it’s about protecting the employee,” Bruce says. “We’ve had incidents of when employees were harassed by the public because there was no security in place.”
With door access and video surveillance increasingly IP enabled – IMS Research estimates that some 22 billion devices overall will be internet connected by 2020 – it’s really just a matter of time before most companies consider convergence, say experts. But before any organization can realize the potential gains – like cost savings and efficiency – it must sort out the power struggles and turf wars likely to result between the physical and IT departments. “We’ve seen situations where we’ve brought our solution, and the first time the physical and IT people talked to each other was at our meeting,” Kamal says.
Contos says this is a real concern, considering workers from both divisions come from different backgrounds and have different salary expectations. The issue further complicates itself when talking about organizations that outsource their physical security, in arrangements such as leased offices.
“We have the technology to pull this off,” Contos says. “We can integrate all your virtual stuff, as well as physical access cards and video analytics. That part’s been solved. But the technology is only one piece. The second part is the process around how it’s to be managed.”
C-level buy-in, a governance framework and robust training are good places to start, experts say. “The stereotype is that guards with guns and system administrators are different people,” Diodati says. “But if you want to be successful with a convergence initiative, you need to have executive support that makes those two organizations play together.”
At San Francisco International Airport, one of the busiest in the nation, security is the name of the game, says Jonathan Kaplan (right), the director of information security. As a result, he hasn’t encountered too much resistance when merging the two disciplines. Both are treated as equally critical to the airport’s overall mission. For example, the airport is in the process of transitioning 1,500 analog, closed-circuit security cameras, which are trained on access doors, security checkpoints and roadways, to run over IP.
Kaplan admits that there will “always be tension as complexity evolves,” but in his experiences he believes members of both sides of the aisle get the merits of convergence.
“It’s easy to think about the physical aspect, because when you travel, that’s what you think about,” he says. “But all of those systems have to work together. A door protects a physical asset. A password also protects an asset. We have to be safe and secure at all times we’re operating. So either we find a solution, or we shut down.” •
Converge or not? Pros and cons
- Offers a single, centralized point for operation, administration and provisioning.
- Provides a more efficient model, which leads to cost and time savings.
- Allows for quick removal of physical/logical access if an employee is fired.
- Physical and IT systems can be reviewed in tandem in the event of a breach.
- A single point of failure could cause a major business impact.
- The introduction of a virus can prevent both network and physical access.
- “Turf wars” may result when merging physical and IT security teams.
- Initial costs to integrate and educate both disciplines may run very high.