Integrating physical and logical security can bring many benefits to the enterprise, but a successful union isn't easy.
Typically, physical and logical security--also known as IT security--are separate operations in most enterprises. In fact, IT and physical security teams have tended to mix like oil and water. But marrying physical with logical security can reap considerable benefits.
Convergence enhances efficiency because user access to physical and IT resources is streamlined, reducing help desk calls. Employees can enjoy the ease of having a single device that gives them access to both the office building and the network. Better access management translates to improved security--and enhanced compliance with various regulatory requirements--because users only access the resources they are authorized to, and no more.
The U.S. government is sold on the benefits of physical and logical (PL) convergence. Its Personal Identity Verifi-cation (PIV) program, the result of Homeland Security Presidential Directive 12 (HSPD-12) (see "HSPD-12 Com-pliance Not Easy"), aims to put smart cards in the hands of all federal employees and contractors. These cards will be used for physical and logical access.
However, any marriage takes work, and PL convergence is no exception. Just getting the two security teams together can be tricky. Then there's the complexity of combining heterogeneous systems, upgrading a patchwork of physical access systems, deploying smart cards and installing workstation software. We'll look at the challenges associated with PL convergence. What Are We Talking About, Exactly?
Physical and logical convergence sounds good to many IT security professionals, but there is some confusion about what it really is. PL convergence is about a single user authenticator and a single set of management processes for physical and IT identities and resources. The milestones for convergence--in typical order of maturity--are common authenticator, user lifecycle management, security information management and contextual authorization.
PL convergence usually utilizes a common user credential for authentication. The most common authenticator is the smart card. The PL smart card has two interfaces. The first is a contactless interface used for physical access. When using the contactless part of the smart card, the user places the smart card near a door reader. If authentication is successful, the physical access system unlocks the door. The authentication and subsequent access is called "badging."
The other interface for the smart card is the contact interface, which is used for PC access. Most PL smart cards have separate storage mechanisms for the contact and contactless interfaces. A recent introduction to PL smart card technology is the dual interface smart card; the contactless and contact interfaces share the same storage, which provides greater functionality.
The second class of authenticator is biometric. Compared to smart cards, biometric devices, typically fingerprint readers, are rarely used for physical access although some very high security environments may use them. Fingerprint biometrics is commonly used to authenticate to the contact interface of smart cards for IT access.
|HSPD-12 Compliance Not Easy
Federal agencies face tough decisions with the mandate.
By Marcia Savage
Federal agencies are grappling with Homeland Security Presidential Directive 12 (HSPD-12) and the resulting Personal Identity Verification (PIV) program, which aims to equip all federal employees and contractors with smart cards for physical and IT access.
Agencies are weighing whether to develop policies and infrastructure, including software and vetting stations, or subscribe to those services, says Chris Broderick, CEO of CoreStreet, an infrastructure provider for smart credential programs.
"Technology is part of it, but there's also a lot of process and policy involved," he says, citing employee vetting as one of the tough policy decisions.
Chris Campbell, senior analyst at INPUT, a market-research firm covering the government sector, says vendor interoperability issues and cost are posing HSPD-12 compliance challenges. Agencies turning to the General Services Administration (GSA) for help likely will be in the best position for meeting the compliance deadline in October 2008, he says. In April, GSA awarded an HSPD-12 contract to EDS to provide a nationwide IT infrastructure for issuing identity credentials. The contract will cover about 42 participating government agencies, boards and commissions.
User Lifecycle Management
Organizations must personalize smart cards to make them usable. Personalization processes include identity badging (graphically printing the user's photo on the face of the smart card), certificate procurement (enrolling an X.509 certificate on behalf of the user and storing the certificate and associated private key on the smart card), and binding the smart card to the physical access system.
Yet there's a well-known axiom in the PL world: the greater the level of personalization, the more management complexity. As a result, most PL convergence deployments require a smart card management system (CMS). The CMS does the heavy lifting of smart card personalization. CMS vendors include ActivIdentity, Bell ID, Intercede, and EMC's RSA security division. In addition, the integration maturity between CMSes and identity management provisioning systems has greatly improved over the past 12 months. Identity management vendors include CA, Hewlett-Packard, IBM and Sun Microsystems. Of the CMS vendors, the ActivIdentity CMS has the best integration with provisioning systems.
PL user lifecycle management improves efficiency and boosts security and compliance--benefits that are more pronounced when the CMS is integrated with the provisioning system. New hires get access to both physical and logical resources in a timely manner. When an employee leaves the company, his access is quickly terminated across physical and logical resources. By quickly shutting off access after termination and providing a framework that supports minimum necessary access, PL user lifecycle management enhances compliance efforts. Nearly all regulatory requirements--from HIPAA and SOX to the Pay-ment Card Industry Data Security Standard--require strong access control policies.
Security Information Management
Security information management (SIM) systems are becoming a staple in the enterprise. They consolidate and correlate user activity to provide a holistic view of user activity across the network for compliance and forensic purposes. While the integration of IT security audit events into SIM systems is relatively straightforward, incorporation of security events from physical access systems is a mixed bag depending on maturity of the physical access system. For the most part, however, integration is possible and valuable for flagging potential security breaches.
For example, the SIM can correlate security events from a UNIX system with the physical access system and detect when a user has left the physical premises but tries to log in to the UNIX system console within the data center. Similarly, the SIM can correlate events from Microsoft Windows and the physical access system to spot when a user has physically entered the Los Angeles campus but authenticated to Active Directory via a workstation in Chicago.
SIM vendors include ArcSight, CA, IBM, Novell and EMC's RSA. Some SIM products are directly aimed at providing physical security event correlation. For example, 3VR's suite of products works by recording events to a digital video recorder (DVR) and indexing the events--which makes them searchable--from the local console or another SIM product.
Let's take the previous example to the next "logical" step: Is it possible to stop the user from authenticating via the workstation in Chicago when we know that he "badged" into the Los Angeles office? That's the goal of PL contextual authorization. For example, Imprivata's OneSign product is capable of denying access to Active Directory and other IT platforms based upon whether the user has badged into the building.
What's Against This Union?
One major impediment to the success of PL convergence is the typical separation of the two departments responsible for physical and IT security. It's not an easy fix, as physical and IT security teams have separate reporting structures and haven't culturally mixed well. Essentially, there's been a distinct division between the security guards and the geeks.
In addition to organizational challenges, there are physical problems to overcome.
Due to acquisitions and other factors, most large organizations have a patchwork of physical access systems at varying stages of maturity. For instance, an organization with thousands of locations may have physical access technology from centuries-old lock-and-key systems to swipe-style (think credit card) to contactless systems. There are two dimensions to this patchwork problem. First, some of these physical systems lack the required interface to connect to IT systems, which precludes them from participating in PL convergence. Second, the multiplicity of different physical access systems generally prevents the use of a single authenticator for users who move between locations.
Another issue for most organizations is that they are not equipped to support egress badging, in which users badge out when they leave the building. Without egress badging, the organization has difficulty correlating events across physical and IT systems because of the uncertainty of the user's location.
Then there are the IT challenges. An organization must deploy smart card "middleware" to all workstations; the middleware allows the operating system and applications (like Web browsers, VPN clients and email clients) to communicate with the smart card. Depending on the required functionality and operating system, the smart card middleware may replace the workstation's interactive logon component, commonly referred to as the GINA for Windows operating systems. Since the release of Windows 2000, Microsoft has done a good job of enhancing its operating system to make smart card deployments easier. Windows Vista is no exception, but typically organizations still must deploy middleware to make the smart card available to the operating system. Smart card support for other workstation operating systems besides Windows 2000 and Vista varies significantly.
An additional challenge is correlating the user's network and physical locations. With the advent of wireless access points, proxy servers, VPNs and network address translation features found in most firewalls, it's difficult to determine the network location of the user, which is important for the SIM and contextual authorization components.
Despite the obstacles, many organizations are pursuing PL convergence and its promises of improved efficiency and security. There are several steps enterprises can take to overcome the challenges, including investing in a smart card management system and planning for emergency access (see "8 Convergence Tips").
Nonetheless, the road to convergence can be a bumpy one, and enterprises should have a well-defined business case and execution plan to ensure a successful union.
|8 Convergence Tips
Take these steps for a successful marriage of physical and IT security.
By Mark Diodati
|8 Convergence Tips (continued)
Take these steps for a successful marriage of physical and IT security.
By Mark Diodati