The Case for Physical and Logical Security Integration


Executive Summary

Integrating Physical and Logical security makes economic and strategic sense. Security was once spoken of only with regard to physical assets such as buildings, machines and inventory. Today’s networked business depends just as much on network infrastructure, information, intellectual property, integrity and business processes to survive and grow.

 

Technology is now commonly available to provide users with a simple tool to both identify themselves and to prove the validity of that identity. This tool can be used for access to buildings and access to infrastructure and computer networks. This can be integrated, depending on the needs, into disparate business applications, each with their own validation requirements, although managed centrally for the user. This consolidation of Physical and Logical security helps users comply with best business practices while not creating an unsustainable burden for them.

 

Integrated security enables rapid management control and reconfiguration for businesses that need to implement and maintain contingency planning scenarios. The technology also provides higher levels of control over infrastructure use and resource allocation, and helps to ensure that all access to company data throughout the enterprise ends when credentials or access are canceled.

 

There are a variety of strategies for implementing an Integrated Physical and Logical Security system, including options to incorporate systems that maintain independent control of their user parameters. Capable systems, such as those offered by IMRON Corporation and their technology partners, provide the efficiencies and capabilities that are the foundations of today’s drive for immediate implementation of integrated Physical and Logical Security Systems.

 

The Evolution of Physical and Logical Security

It is a natural law, it seems, and possibly one of physical or philosophical entropy that draws others to take your stuff – creating the need for Security.  From the dawn of time, from the first stick borne by a mighty cave dweller, we have searched for the perfect balance of security and simplicity to keep our prized possessions safe from others. For many years Security has been defined by the physical aspects of separation, with fences, doors, locks, safes and guards, to keep real property and possessions safe. In more recent times the universe of things needing protection has expanded to include reputation, image, innovation, technology and a diverse world of Information.

 

As technology has developed, companies have invested resources, both in personnel and equipment, to support the growth in physical security needs (fences, cameras, alarm systems, access control and guards) and the separate but converging growth of information technology, protecting data with both passwords and physical ID devices.

 

In the beginning, business information was primarily on paper, and securing it meant locks for file cabinets, shredders and checking briefcases on the way out of a building. Today the web of business information extends far beyond the physical boundaries of any office building, and the profession of Security now includes the development of methods and techniques to secure a business’s key resources: its people, technology and information. The systems to support, monitor and coordinate these key business resources have now become one, compelling efficient organizations to consolidate the functions and capabilities of both physical and logical security. This is the natural evolution of Integrated Systems for Security of Business Assets (both Physical and Logical).

 

Why Integrate?

Why do companies care to blend these often different worlds? The reasons are lower cost, driven by realizable efficiency of implementation, and the less measurable, but often more important, perception that increased simplicity for users will help to ensure compliance and thus improve the overall performance of the Total Security Solution.

Complexity Creates Costs and Reduces Compliance

Without integration, companies face a significantly more complicated and costly system of managing employees’ use of physical keys or access cards to gain entry to a workplace, plus a separate set of logical passwords and keys for access to the software systems and networks that drive the business. Every new system implementation brings with it a new demand for often separate management of passwords and control.

 

The mere task of issuing and maintaining passwords and physical access devices can be daunting, but more important is the impact of complex systems on how users, in the drive for simplicity, defeat the effectiveness of the measures through password replication (using the same, easily ascertained, password for a variety of secure and non-secure sites) and disclosure (writing down passwords and keeping them in a desk drawer).

 

Security is only worthwhile if it is easy, and foolproof, for users to comply. Older systems, even those that depend on a card or key to gain access to computers, face the same problems where users leave their card at their desks, in that same drawer with the passwords, so that they are sure to have it when they arrive at work the next day. This problem is sometimes reduced by requiring the card for building access (another reason for integrating physical and logical access systems).

 

Today’s information thieves have evolved, and a sophisticated and varied password scheme is a necessary tool in securing networks, a scheme that can best be managed through the use of a system that integrates physical and logical security components.

 

Adapting to Emerging Technologies

Technologies to simplify identity and access to information are emerging. The basic rule here is a) what you have and b) what you know. Thus, having a card and a PIN can uniquely and safely identify a user. Add biometrics and you add a third component, c) who you are. Non-integrated systems require a unique set of these tools for each system (remember Janitor Joe and his ring of keys?).

 

New technologies allow disparate systems to share a single tool, each with its own unique parameters, while still allowing the user to have a single PIN to unlock the data in the card and exchange it with the compliant system. This is essentially a secure electronic ‘wallet’ carried by the user, whose data is accessible only by the systems for which the user has been approved and to which they desire access. Individual secure ‘envelopes’ are stored in the ‘wallet’, and each separate system, based on the presence of the card, the PIN provided by the user, and the existence of a unique sealed envelope on the card, is able to provide the approved level of information to pass the security and identity challenge.
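The ‘wallet’ and ‘envelope’ idea can be modeled in a few lines. This is an added illustration, not code from IMRON or any card vendor; it assumes each relying system holds a symmetric key for its own envelope and proves possession of it with an HMAC challenge-response, and the class, method names and retry limit are hypothetical.

```python
import hashlib, hmac, secrets

def system_response(system_key, system_id, nonce):
    """What a relying system returns to prove it holds its envelope key."""
    return hmac.new(system_key, nonce + system_id.encode(), hashlib.sha256).digest()

class WalletCard:
    """Toy model of the PIN-protected 'wallet' and its per-system 'envelopes'."""
    MAX_PIN_TRIES = 3  # assumed retry limit before the card blocks itself

    def __init__(self, pin):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._kdf(pin)
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False
        self._nonce = None
        self._envelopes = {}  # system id -> (system key, payload)

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def add_envelope(self, system_id, system_key, payload):
        self._envelopes[system_id] = (system_key, payload)

    def verify_pin(self, pin):
        if self._tries_left == 0:
            return False  # blocked: even the correct PIN is refused
        self._unlocked = hmac.compare_digest(self._kdf(pin), self._pin_hash)
        self._tries_left = self.MAX_PIN_TRIES if self._unlocked else self._tries_left - 1
        return self._unlocked

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def open_envelope(self, system_id, response):
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        if not self._unlocked or nonce is None or system_id not in self._envelopes:
            return None
        key, payload = self._envelopes[system_id]
        expected = system_response(key, system_id, nonce)
        return payload if hmac.compare_digest(expected, response) else None

def demo():
    card, erp_key = WalletCard("4821"), secrets.token_bytes(32)  # constructed values
    card.add_envelope("erp", erp_key, b"role=Clerk")
    card.verify_pin("4821")
    nonce = card.challenge()
    return card.open_envelope("erp", system_response(erp_key, "erp", nonce))
```

An envelope is released only when the card is present, the PIN has been verified, and the requesting system answers a fresh challenge with its own key, so one system cannot read another system's envelope or replay an earlier response.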

 

In the quest for even more advanced security, biometric templates can be securely stored on the card, away from any network storage or privacy concerns, and then used as a part of the PIN verification process, providing a third level of assurance of the identity of the user.

 

Implementation Strategies

As departments evolve in different organizations, control of access to information also evolves. Technology has developed to support this variety of implementation needs. In the simplest of applications, a single card is issued by a single source with all the information and control needed for all business applications, both physical and logical. All computer systems and applications use information stored on the card to make identity and information decisions. The user needs to have the card, the PIN, and sometimes a biometric confirmation before identity is confirmed.

 

Some applications desire that the card be issued and managed in one place, with the distinct applications adding their own data to the card and managing that data separately. This too is easily accommodated. Some older applications need only to know that the user identity is confirmed and then depend on a separately managed authority level within that separate system (as opposed to storing that authority solely on the card, or discerning the authority from a separate identifier on the card of the user’s generic identity, such as Manager or Clerk). Any of these can usually be accommodated.

 

The driving factors in any implementation are cost-efficiency, defined by both price and compliance. The most important ‘value’ part of this calculation is of course compliance, and this depends solely on balancing the ease of complete use against the extent to which the user cannot circumvent the system. Whether used with a single point of control (aka Synchronized Issuance) or with multi-system control (aka Two Step or Multi-Step Issuance), ensuring compliance through a PIN-confirmed integration between Physical and Logical Security is the preferred implementation.

 

Making the Case

Businesses fear investing in technology that will soon change and be expensive to manage or replace. The key to selecting an integrated solution is flexibility to grow and adapt to new needs. This includes the evolution of this ‘single passcard’ concept as new systems are developed that draw on the information in the user’s secure card to provide additional features and capabilities. The underlying benefit to combining physical and logical security is the efficiency of unification of all aspects of user identity validation for every aspect of the business.

 

To depend solely on passwords for software access control cedes too much control over information security to the user. Recent survey articles have reaffirmed that users prefer simpler passwords that remain static and do not change. When forced to change passwords, or to use longer or more complex ones, users tend to keep them written down, thus defeating the desired result. An integrated physical and logical solution maps the varying infrastructure passwords to a single point of control for the user, which increases ease of compliance.

 

A more compelling argument is the difficulty that companies have in managing employee movement and departure from the organization. Studies have shown that system authorization is not canceled quickly for more than 30% of employee leavers. Whatever the reason, whether a lack of attention or urgency or any number of other problems, an integrated solution provides a simple and immediate end to both building and infrastructure access.

 

Summary

  • Integrating Physical and Logical security makes economic and strategic sense.
  • User compliance drives additional infrastructure and facility security.
  • Users are canceled from all aspects of authority by a single action.
  • Large changes (recovery scenarios) can be managed from one place.

 

IMRON Corporation and its Technology Partners can provide you with the solution you need to implement this important strategic solution.