Two new analyst reports on the growing popularity of physical and logical security convergence reinforce the adage that if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. They also underscore the risks facing enterprises that take a haphazard approach to joining both types of protection.
"If physical access to a computer system can be achieved, gaining logical access to the information on that computer system is guaranteed," warned Eric Maiwald, an analyst for Burton Group's new Security and Risk Management Strategies service and author of a report released Monday. "An attacker can use either electronic or physical means to gain access to information so the two disciplines must work together to help the organization manage risk."
His example: Data center systems are protected by firewalls on the network, antivirus software on the servers, intrusion detection, etc. The room is also physically secured from unauthorized access as well as being protected with fire suppression, climate control and power systems.
Historically, providing physical protection of computer systems has been the extent of the integration of physical and logical security. Completely separate reporting structures and a lack of overlapping knowledge for physical and IT security staff in many companies will take some effort to overcome.
Convergence market to leap forward
In a report released by Forrester Research last week, analyst Steve Hunt said companies can cut costs by converging IT security with corporate or physical security functions. Hunt suggests consolidating credentials for IT and physical access onto a single card, which may save money and improve security. "Connect the processes for granting and revoking building and IT access," he said. "Linking the processes for managing employees' IT access rights with those for managing their building access will get people productive quicker and will improve security by ensuring that all necessary revocations take place when appropriate."
Forrester estimates that private and public sector security spending in Europe and North America will double to more than $1.1 billion in 2005 from $506 million in 2004, due in part to border, law enforcement and homeland security projects. "Locks, cameras and entry systems will be upgraded to work with the same computing systems that control computer and network sign-on, identity management and security incident management," Hunt said.
Some integration benefits may not be obvious
The integration of physical and logical access control systems also provides a host of benefits to the organization in terms of incident investigation, perimeter security and strengthening overall security.
- User support: The introduction of a common access token can reduce the costs of password resets, which are estimated to be between $200 and $300 per user per year, according to the Burton Group report.
- Perimeter security: By correlating log entries and event information from the physical and logical systems, the organization can be notified of computer access attempts from users who have not physically entered the facility.
- Incident investigation: Such integration of log and event information may help determine what happened. An integrated system may be able to present all of the relevant information to investigators via a single console and reporting system.
- Risk management: Integrated log and event information can be examined to identify potential threats within the organization by measuring against a baseline of "normal" user activity.
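The perimeter-security correlation described in the list above can be sketched in a few lines. This is an added example, not code from either analyst report; the log layouts, user names and host names are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; field layouts are assumptions, not a vendor format.
BADGE_LOG = """\
2005-03-14T08:02:11,alice,LOBBY,IN
2005-03-14T08:15:40,bob,LOBBY,IN
2005-03-14T12:01:05,bob,LOBBY,OUT
2005-03-14T13:05:30,bob,LOBBY,IN
"""
LOGON_LOG = """\
2005-03-14T08:10:00,alice,WS-114,console
2005-03-14T09:30:12,carol,WS-207,console
2005-03-14T12:20:45,bob,WS-131,console
2005-03-14T12:25:00,bob,vpn-gw,remote
2005-03-14T13:10:00,bob,WS-131,console
"""

def _rows(text, kind):
    # Each line: timestamp, user, location/host, detail (IN/OUT or logon type).
    for ts, user, where, detail in csv.reader(io.StringIO(text)):
        yield datetime.fromisoformat(ts), kind, user.lower(), where, detail

def find_absent_logons(badge_log, logon_log):
    """Return on-site logons by users who are not currently badged in."""
    # Merge both sources into one timeline. At equal timestamps badge
    # events sort first ("badge" < "logon"), so entering and logging on
    # in the same second is not flagged.
    events = sorted(list(_rows(badge_log, "badge")) + list(_rows(logon_log, "logon")),
                    key=lambda e: (e[0], e[1]))
    inside = set()  # users whose most recent badge event is IN
    alerts = []
    for ts, kind, user, where, detail in events:
        if kind == "badge":
            if detail == "IN":
                inside.add(user)
            else:
                inside.discard(user)
        elif detail == "console" and user not in inside:
            # Remote (VPN) logons are expected from outside and are skipped.
            alerts.append((ts.isoformat(), user, where))
    return alerts

if __name__ == "__main__":
    for alert in find_absent_logons(BADGE_LOG, LOGON_LOG):
        print("ALERT logon without badge-in:", *alert)
```

Employees who follow a colleague through a door without badging will also trigger this rule, so alerts need triage against door and camera records before being treated as account misuse.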
Regulations may also play a part
Integration of security systems can also help meet regulation requirements by showing improvements in processes and procedures.
With regard to the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, information in both forms [physical and electronic] must be protected by appropriate access control mechanisms, and these mechanisms must be audited.
"A well-defined, integrated process for granting access to information in either physical or logical form may show that the organization understands and is compliant with the various regulations," Maiwald said in the Burton Group report.
Cost-cutting measures will likely fuel the push to integrate
Forrester's Steve Hunt says convergence projects mean money. "End user organizations can save money by streamlining historically disparate security projects, while vendors can capitalize on new spending," Hunt said. "The convergence market will grow rapidly during the next five years as enterprise risk management points more companies to greater security efficiencies and effectiveness."
An organization that wishes to integrate logical and physical access control systems must be aware of the risks involved in the project, Maiwald cautioned. Such projects are large, require significant resources to complete, and touch every user and physical location in the organization. They encompass several vendors and many internal systems, and so require strong project management.
He cites the need for a strong, high-level executive project supporter. "Any project that impacts how users access facilities and computer systems will have far-reaching impact on the organization," Maiwald said. "The costs and time frames involved make executive support that much more important."