As the unending string of data breaches and laptop thefts in recent months has shown, today's threat landscape comprises far more than DDoS attacks, viruses and worms. To protect against the broad array of internal and external threats, more companies are considering security programs that forge closer ties between the physical and logical security realms.
In today's enterprise security market, mainstay physical security products like door access-control systems and closed-circuit cameras often rely on TCP/IP. "These systems aren't dedicated pieces of hardware running proprietary OSes anymore," said Forrester Research analyst Jonathan Penn. "They are built atop Windows or Linux."
This more holistic view of security requires cooperation between two security teams that have often been not just separate but sometimes at odds.
"Each can have a stereotype of the other, and that adds to the challenge of getting the two groups to collaborate," Penn said. Today's breed of logical security folk are frequently grad-school trained, specializing in fields like systems management. Physical security officers many times have law enforcement backgrounds and work with more isolated systems.
It's not always about getting the two sides on the same page, either. Much of the security systems in Las Vegas, for example, have not been switched over to IP, said Brian Contos, CSO at ArcSight. "[Security officers] have to consider the risks of moving their entire operations onto IP. It is not as cut and dry as videotapes and hard wires," he added.
The availability of high-quality products to address this convergence is also a major hurdle.
"There is a need, but the technology vendors have not been fast enough in meeting that need," said Hunt, adding, "Even if there's an excellent technology, it still has to be approved by a systems integrator, and then go through the sales cycle."
An initiative that demonstrates how physical and logical security are converging is HSPD-12, a Homeland Security Presidential Directive requiring a single identity management card for federal government employees. "Some agencies are further ahead than others," said Tom Greco, vice president of enabling infrastructures for Cybertrust, a management services provider that produces HSPD-compliant identity cards.
The directive frees government employees from carrying multiple identity credentials. "HSPD-12, as a concept, is a great idea," said Hunt, "The trouble is there's no one helping to answer fundamental questions: What technology should I acquire? How do I deploy it? Who's going to pay for it? [But,] it's the first standard that's got some legs under it."
"As the deployment of these cards picks up, we'll start to see the enablement of applications," said Greco, suggesting a potential for growth. "Network logical access of this card will be leveraged by the physical."
Looking forward, experts say that addressing evolving threats to enterprise systems without an integrated security program seems inadequate, if not impossible. Physical and logical security teams have little choice but to work together, and there will be setbacks before integrated offerings become commonplace.