Logical, physical security integration challenges

Integrating physical and IT security can reap considerable benefits for an organization, including enhanced efficiency and compliance plus improved security. But convergence isn't easy. Challenges include bringing the physical and IT security teams together, combining heterogenous systems, and upgrading a patchwork of physical access systems.

Integrating physical and logical security can bring many benefits to the enterprise, but a successful union isn't easy.

Typically, physical and logical security--also known as IT security--are separate operations in most enterprises. In fact, IT and physical security teams have tended to mix like oil and water. But marrying physical with logical security can reap considerable benefits.

Convergence enhances efficiency because user access to physical and IT resources is streamlined, reducing help desk calls. Employees can enjoy the ease of having a single device that gives them access to both the office building and the network. Better access management translates to improved security--and enhanced compliance with various regulatory requirements--because users only access the resources they are authorized to, and no more.

The U.S. government is sold on the benefits of physical and logical (PL) convergence. Its Personal Identity Verifi-cation (PIV) program, the result of Homeland Security Presidential Directive 12 (HSPD-12) (see "HSPD-12 Com-pliance Not Easy"), aims to put smart cards in the hands of all federal employees and contractors. These cards will be used for physical and logical access.

However, any marriage takes work, and PL convergence is no exception. Just getting the two security teams together can be tricky. Then there's the complexity of combining heterogeneous systems, upgrading a patchwork of physical access systems, deploying smart cards and installing workstation software. We'll look at the challenges associated with PL convergence. What Are We Talking About, Exactly?

Physical and logical convergence sounds good to many IT security professionals, but there is some confusion about what it really is. PL convergence is about a single user authenticator and a single set of management processes for physical and IT identities and resources. The milestones for convergence--in typical order of maturity--are common authenticator, user lifecycle management, security information management and contextual authorization.

Common Authenticator

PL convergence usually utilizes a common user credential for authentication. The most common authenticator is the smart card. The PL smart card has two interfaces. The first is a contactless interface used for physical access. When using the contactless part of the smart card, the user places the smart card near a door reader. If authentication is successful, the physical access system unlocks the door. The authentication and subsequent access is called "badging."

The other interface for the smart card is the contact interface, which is used for PC access. Most PL smart cards have separate storage mechanisms for the contact and contactless interfaces. A recent introduction to PL smart card technology is the dual interface smart card; the contactless and contact interfaces share the same storage, which provides greater functionality.

The second class of authenticator is biometric. Compared to smart cards, biometric devices, typically fingerprint readers, are rarely used for physical access although some very high security environments may use them. Fingerprint biometrics is commonly used to authenticate to the contact interface of smart cards for IT access.

HSPD-12 Compliance Not Easy

Federal agencies face tough decisions with the mandate. By Marcia Savage

Federal agencies are grappling with Homeland Security Presidential Directive 12 (HSPD-12) and the resulting Personal Identity Verification (PIV) program, which aims to equip all federal employees and contractors with smart cards for physical and IT access. Agencies are weighing whether to develop policies and infrastructure, including software and vetting stations, or subscribe to those services, says Chris Broderick, CEO of CoreStreet, an infrastructure provider for smart credential programs. "Technology is part of it, but there's also a lot of process and policy involved," he says, citing employee vetting as one of the tough policy decisions. 

Chris Campbell, senior analyst at INPUT, a market-research firm covering the government sector, says vendor interoperability issues and cost are posing HSPD-12 compliance challenges. Agencies turning to the General Services Administration (GSA) for help likely will be in the best position for meeting the compliance deadline in October 2008, he says. In April, GSA awarded an HSPD-12 contract to EDS to provide a nationwide IT infrastructure for issuing identity credentials. The contract will cover about 42 participating government agencies, boards and commissions.

User Lifecycle Management

Organizations must personalize smart cards to make them usable. Personalization processes include identity badging (graphically printing the user's photo on the face of the smart card), certificate procurement (enrolling an X.509 certificate on behalf of the user and storing the certificate and associated private key on the smart card), and binding the smart card to the physical access system.

Yet there's a well-known axiom in the PL world: the greater the level of personalization, the more management complexity. As a result, most PL convergence deployments require a smart card management system (CMS). The CMS does the heavy lifting of smart card personalization. CMS vendors include ActivIdentity, Bell ID, Intercede, and EMC's RSA security division. In addition, the integration maturity between CMSes and identity management provisioning systems has greatly improved over the past 12 months. Identity management vendors include CA, Hewlett-Packard, IBM and Sun Microsystems. Of the CMS vendors, the ActivIdentity CMS has the best integration with provisioning systems.

PL user lifecycle management improves efficiency and boosts security and compliance--benefits that are more pronounced when the CMS is integrated with the provisioning system. New hires get access to both physical and logical resources in a timely manner. When an employee leaves the company, his access is quickly terminated across physical and logical resources. By quickly shutting off access after termination and providing a framework that supports minimum necessary access, PL user lifecycle management enhances compliance efforts. Nearly all regulatory requirements--from HIPAA and SOX to the Pay-ment Card Industry Data Security Standard--require strong access control policies.

Security Information Management

Security information management (SIM) systems are becoming a staple in the enterprise. They consolidate and correlate user activity to provide a holistic view of user activity across the network for compliance and forensic purposes. While the integration of IT security audit events into SIM systems is relatively straightforward, incorporation of security events from physical access systems is a mixed bag depending on maturity of the physical access system. For the most part, however, integration is possible and valuable for flagging potential security breaches.

For example, the SIM can correlate security events from a UNIX system with the physical access system and detect when a user has left the physical premises but tries to log in to the UNIX system console within the data center. Similarly, the SIM can correlate events from Microsoft Windows and the physical access system to spot when a user has physically entered the Los Angeles campus but authenticated to Active Directory via a workstation in Chicago.

SIM vendors include ArcSight, CA, IBM, Novell and EMC's RSA. Some SIM products are directly aimed at providing physical security event correlation. For example, 3VR's suite of products works by recording events to a digital video recorder (DVR) and indexing the events--which makes them searchable--from the local console or another SIM product.

Contextual Authorization

Let's take the previous example to the next "logical" step: Is it possible to stop the user from authenticating via the workstation in Chicago when we know that he "badged" into the Los Angeles office? That's the goal of PL contextual authorization. For example, Imprivata's OneSign product is capable of denying access to Active Directory and other IT platforms based upon whether the user has badged into the building.

What's Against This Union?

One major impediment to the success of PL convergence is the typical separation of the two departments responsible for physical and IT security. It's not an easy fix, as physical and IT security teams have separate reporting structures and haven't culturally mixed well. Essentially, there's been a distinct division between the security guards and the geeks.

In addition to organizational challenges, there are physical problems to overcome.

Due to acquisitions and other factors, most large organizations have a patchwork of physical access systems at varying stages of maturity. For instance, an organization with thousands of locations may have physical access technology from centuries-old lock-and-key systems to swipe-style (think credit card) to contactless systems. There are two dimensions to this patchwork problem. First, some of these physical systems lack the required interface to connect to IT systems, which precludes them from participating in PL convergence. Second, the multiplicity of different physical access systems generally prevents the use of a single authenticator for users who move between locations.

Another issue for most organizations is that they are not equipped to support egress badging, in which users badge out when they leave the building. Without egress badging, the organization has difficulty correlating events across physical and IT systems because of the uncertainty of the user's location.

Then there are the IT challenges. An organization must deploy smart card "middleware" to all workstations; the middleware allows the operating system and applications (like Web browsers, VPN clients and email clients) to communicate with the smart card. Depending on the required functionality and operating system, the smart card middleware may replace the workstation's interactive logon component, commonly referred to as the GINA for Windows operating systems. Since the release of Windows 2000, Microsoft has done a good job of enhancing its operating system to make smart card deployments easier. Windows Vista is no exception, but typically organizations still must deploy middleware to make the smart card available to the operating system. Smart card support for other workstation operating systems besides Windows 2000 and Vista varies significantly.

An additional challenge is correlating the user's network and physical locations. With the advent of wireless access points, proxy servers, VPNs and network address translation features found in most firewalls, it's difficult to determine the network location of the user, which is important for the SIM and contextual authorization components.

Despite the obstacles, many organizations are pursuing PL convergence and its promises of improved efficiency and security. There are several steps enterprises can take to overcome the challenges, including investing in a smart card management system and planning for emergency access (see "8 Convergence Tips").

Nonetheless, the road to convergence can be a bumpy one, and enterprises should have a well-defined business case and execution plan to ensure a successful union.

8 Convergence Tips

Take these steps for a successful marriage of physical and IT security. By Mark Diodati

  1. Look before you leap Due to the complexity of integrating heterogeneous systems, reorganizing the organization's physical and IT security teams, upgrading physical access systems and reissuing credentials, PL convergence is an ongoing process and can take at least several years to complete. Survey the organizational environment, inventory your systems, and evaluate the benefits of convergence with a healthy sense of skepticism before you consider this effort.
  2. Aim for a single authenticator system Many of the benefits of PL convergence result from providing a single authenticator, which enhances usability and reduces management complexity. Before beginning a convergence project, consider reducing the number of authenticators and physical access systems. This reduction may require the replacement of older physical access technologies, including those components at each door. However, multi-technology door readers and smart cards can ease the transition to a single technology.
  3. Invest in a smart card management system (CMS) A smart card management system is all but a requirement, unless you want to place significant burden on your users and administrators. Smart card personalization can be achieved without a CMS, but the process is manually intensive--for example, asking users to manually enroll for an X.509 certificate.
  4. Bring the team together Many companies with successful PL convergence deployments have shifted the responsibility for physical and IT security to a single organization, which ensures that the two security teams cooperate and work toward the same goal. Oftentimes, these integrated organizations report to a common leader such as the CSO.
  5. Integrate with identity management systems Identity management systems can provide enhanced usability, timely and efficient control of the user identity lifecycle across heterogeneous applications, and ease compliance. Most of the goals of PL convergence relate to identity management, so it makes sense for organizations to integrate the convergence effort into the larger identity management fabric. Provisioning systems can help automate the identity lifecycle: new hires, departmental changes, terminations. Without integrating the CMS and provisioning systems, the organization opts to maintain two distinct islands of identity, each with a separate set of management processes.
  6. Enterprise SSO (eSSO) systems eSSO systems reduce the number of user logons by replaying usernames and passwords into those applications that require them. Users authenticate once, and are transparently logged on to applications as they click on them. The use of smart cards at the workstation requires the deployment of middleware, so why not make the user's life a little easier by deploying an eSSO client at the same time? One common identity management trend--regardless of any PL convergence goals--is the coupling of stronger authentication systems like smart cards with eSSO systems because itmitigates the "keys to the kingdom" problem.
  7. Plan emergency access Employees will lose their smart cards or leave them at home and get locked out of buildings and IT systems. Emergency access procedures ensure that users can continue to work without their smart card. Some tricks of the trade include self-service kiosks in the building entrance where employees can authenticate and get a temporary smart card, and the use of IT software management tools to temporarily allow the user to authenticate with a password instead of a smart card. While not technically an emergency scenario, access may be a concern for organizations with a large population of employees who travel without laptops and need access at a public kiosk, which won't likely allow use of a smart card. Hybrid devices that possess both smart card and one-time password (OTP) components can help in this scenario, because the OTP does not require workstation software.
  8. Use egress badging Egress badging is an important tool to help determine when an employee has left the facilities. However, its implementation requires reconfiguration of the building entrance, and also that the user badge out when leaving the building, which can cause traffic jams at the door on a Friday. All is not lost, however, if egress badging cannot be implemented. Some PL convergence systems support a "best guess" algorithm to determine if a user is still in the building. For example, if it's 3 a.m., the system will assume the user is not in the building.

Dig Deeper on Single-sign on (SSO) and federated identity