There are three connection points for the integration of physical and logical security: the smart card; the back-end database; and the security event reporting and analysis system.
The choice of smart card will depend on a number of factors; however, a key factor will be the number of applications and mechanisms that can be stored on or used with the card. The card may be used for building access (magnetic stripe swipe or proximity detection, as well as a picture of the user) and for IT system access (applications or certificate storage on the card). Therefore, choosing which smart card to use will be an important step in the project.
The back-end database is a directory service, a system that holds the authoritative listing of all users and other identities the organization knows about. This directory is the primary identity management (IdM) database for the organization and is linked to the control systems used for the physical security systems. Depending on how the systems are implemented, the physical security systems may either make a copy of the directory or link to it directly. Any changes to workforce entries are made in the directory and then propagated to the various physical security systems.
Back-end directory databases tend to exist in the logical security world rather than in the physical security world. While physical security systems may include their own local databases for badge or card management, they tend not to be the type of system necessary for IdM throughout an organization. While some vendors have built in the software hooks to transfer information between their systems and the back-end directory database, the standards for this connection between the physical security system and the back-end directory database do not yet exist, so this tends to become an integration project for the organization.
Once the systems have been linked for access control, the log entries and event indications produced by the various access control systems can also be brought together. Log entries and events can be integrated into a single repository for later analysis, or further linked into a security event management system. While this portion of the integration of physical and logical access systems may not be part of the initial integration effort, much of the regulatory benefit comes from the amalgamation of the log and event information.
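As an added illustration of that amalgamation (example code written for this page, not from the article or any vendor product), the script below normalizes badge-reader records and IT logon records into one schema keyed on the directory user id, then flags a logon at a site where the same user has no granted badge entry in the preceding window. The two log formats and the sample records are constructed for the example; real systems will differ.

```python
from datetime import datetime, timedelta

# Constructed sample records in two hypothetical formats (not from any real
# product). The door controller and the OS logon audit both carry the same
# user id, which is what a shared back-end directory makes consistent.
BADGE_LOG = [
    "2024-03-04T08:02:11 DOOR=HQ-LOBBY USER=asmith RESULT=GRANTED",
    "2024-03-04T08:05:40 DOOR=HQ-LOBBY USER=bjones RESULT=DENIED",
]
LOGON_LOG = [
    "2024-03-04T08:15:02 host=HQ-WS-17 user=asmith event=logon_success",
    "2024-03-04T08:20:30 host=HQ-WS-22 user=bjones event=logon_success",
    "2024-03-04T09:01:00 host=HQ-WS-05 user=cnguyen event=logon_success",
]

def _kv(line):
    """Split 'TS key=value key=value' into (timestamp, {key: value})."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), {k.lower(): v for k, v in fields.items()}

def normalize(badge_lines, logon_lines):
    """Map both feeds onto one schema: (ts, source, user, site, outcome).
    Site is taken from the prefix of the door or host name (HQ-LOBBY -> HQ)."""
    events = []
    for line in badge_lines:
        ts, f = _kv(line)
        events.append((ts, "badge", f["user"], f["door"].split("-")[0], f["result"]))
    for line in logon_lines:
        ts, f = _kv(line)
        events.append((ts, "logon", f["user"], f["host"].split("-")[0], f["event"]))
    return sorted(events)

def logons_without_entry(events, window=timedelta(hours=2)):
    """Return (user, site, ts) for successful logons at a site where the same
    user has no GRANTED badge event at that site within the preceding window."""
    granted = [(ts, u, s) for ts, src, u, s, o in events
               if src == "badge" and o == "GRANTED"]
    flagged = []
    for ts, src, user, site, outcome in events:
        if src != "logon" or outcome != "logon_success":
            continue
        if not any(u == user and s == site and ts - window <= bts <= ts
                   for bts, u, s in granted):
            flagged.append((user, site, ts.isoformat()))
    return flagged

if __name__ == "__main__":
    for user, site, when in logons_without_entry(normalize(BADGE_LOG, LOGON_LOG)):
        print(f"{when}: {user} logged on at {site} with no badge entry")
```

The flagged entries (a denied badge followed by a logon, and a logon with no badge event at all) are the kind of finding that neither system can produce on its own, which is where the investigation and compliance benefits the article describes come from.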
Use a strategic approach
Organizations that are considering changes to their physical and logical access control systems should examine the potential benefits of an integration project. Increased user management efficiency, regulatory benefits and risk management improvements are all possible results. These benefits must be examined through a strategic approach so that the organization can see where all of the benefits will occur.
At the same time, the organization must understand the costs of the integration and balance these costs against the expected benefits. Many large organizations will find that the significant benefits outweigh the costs, but each organization must conduct its own cost-benefit analysis. The following areas should be examined for potential benefits:
- User management
- Regulatory compliance
- Perimeter security enhancements
- Event management
- Incident investigation
- Risk management
Such potential benefits should be balanced against the following costs:
About the author
Eric Maiwald is an analyst for Burton Group's new Security and Risk Management Strategies service.