All organizations need to protect their corporate assets – whether it’s preventing the theft of office equipment, providing a safe environment for employees and their belongings, or keeping hackers, and industrial saboteurs from wreaking havoc with networks, applications, and databases. Yet, because physical and logical security have traditionally been handled by separate organizations and technologies, few companies could envision the benefits from their convergence.
As a practical definition here, “converged security” refers to the integration of physical access systems and related technologies (such as magnetic cards and readers) with identity management and user authentication technologies (such as enterprise single sign-on, tokens, and proximity cards). This integration enables an organization to establish and manage a single, consolidated repository for all authentication credentials, and to have a centralized means of setting access privileges for both physical and logical resources.
Bridging the Great Divide The Convergence of Physical and Logical SecurityAugust 2006Untitled DocumentBridging the Great DivideBRIDGING THE GREAT DIVIDEThe Convergence of Physical and Logical SecurityWhat do a padlock key and an application password have in common? In one sense, almost nothing. After all, one is a 4,000-year-old hardware device and the other is a modern-day software-based technology tool. But they serve an identical purpose: they both allow only authorized access one to physical assets and one to logical assets.Despite their common purpose, physical access and logical access technologies exist in parallel worlds. Physical access technologies, such as building security systems and employee access cards, are controlled by the cor-porate security department. Application passwords and rewalls are the domain of the IT department. Each group s respective networks, technology paths, and user interfaces are completely separate.That situation is beginning to change. Physical and logical security technologies are beginning to converge, creating new opportunities for organizations to: " Strengthen and gain greater control over total security; " Add a practical and affordable second authentication factor; " Better enforce both physical and logical security policies; " Better coordinate security resources in critical and emergency situations; and " Achieve compliance with regulations, such as the U.S. Homeland Security Presidential Directive -12 (HSPD-12) This paper addresses how converged physical and logical security works, the bene ts it provides, and what it will mean for organizations of all kinds.Why convergence? All organizations need to protect their corporate assets whether it s preventing the theft of of ce equip-ment, providing a safe environment for employees and their belongings, or keeping hackers, and industrial saboteurs from wreaking havoc with networks, applications, and databases. Yet, because physical and logical security have traditionally been handled by separate organizations and technologies, few companies could envision the bene ts from their convergence. As a practical de nition here, converged security refers to the integration of physical access systems and related technologies (such as magnetic cards and readers) with identity management and user authentication technologies (such as enterprise single sign-on, tokens, and proximity cards). This integration enables an or-ganization to establish and manage a single, consolidated repository for all authentication credentials, and to have a centralized means of setting access privileges for both physical and logical resources.1Copyright 2006 Imprivata, Inc.Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideThis identity-based convergence makes it possible for organizations to have: " One identity-based system for managing all physical and logical access; " A uni ed network policy for both network and remote access that leverages card status and location information from physical access systems; " Exchange of events and alarms from the physical access system to the logical access system; " An identity-based reporting system for use in forensic investigations; and " A streamlined work ow for creating, deleting and modifying user identities from both systems simultaneously. The bene ts of these capabilities include: Stronger, more integrated security. When logical and physical access security components work together, organizations can use them to complement and reinforce one another. For example, a policy could be established that would allow a user logical access to applications only if that user had rst swiped his or her employee badge that day when entering a facility or restricted area. Greater control over all security. Convergence allows organizations to manage all forms of security under a single umbrella for maximum control. Affordable, two-factor authentication. Having more than one means of authenticating users is an excellent way to strengthen IT security. Experts recommend multi-factor authentication (e.g. complex passwords and a second form of identi cation) as the best protection against unauthorized application access. Convergence would enable the magnetic striped badge to be used as the second authentication factor, sparing organizations the cost of additional smart cards, tokens, or biometric scanning systems. Coordinated responses to problem or emergency situations. Physical and logical security should work in concert with each other. For example, when employees resign or are terminated, there is often a lag time of days or even weeks between when their physical access rights and logical access rights are terminated. This situation creates security gaps in which disgruntled former employees may continue logging onto the network remotely to steal or destroy con dential data. Convergence prevents this problem by allowing organizations to instantly lock-out logical access privileges the moment a user is terminated from the physical access system.Regulatory compliance. In 2004, the U.S. Executive Of ce of the White House issued HSPD-12, which mandates a common identi cation standard for U.S. federal employees and contractors. Other governments and industry regulatory organizations are requiring similar standards. Converged physical and logical access technologies provide the two-factor authentication that ensures compliance with these regulations. A solution to tailgating. Tailgating is a common security problem in which a person without an ID badge gains access to a facility by following closely behind another person who has just swiped his or her badge. With convergence, logical access security can be set up to alert corporate security whenever employees who have not swiped their badges attempt to log onto PCs, thereby providing a means to better enforce badge-swipe compliance.2Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideAll of these bene ts plus the better protection, cost savings, risk reduction, and increased compliance associated with them make converged physical and logical security a worthwhile goal for any security- minded organization. Industry analysts agree. As Eric Maiwald, Senior Analyst at The Burton Group, stated in his January 2005 report titled Physical and Logical Security, The integration of physical and logical access control systems may provide signi cant bene ts to the organization in terms of reduced costs, improved user provisioning and improved security. The formerly separate worlds of physical and logical access security A skeptic might well ask, If there are so many bene ts to convergence, why hasn t it already happened? To answer that question, one must understand how physical and logical security technologies evolved. The world of physical access security technologiesSince the need for physical access security predates the corporate use of information technology, corporate security departments developed as organizations focused exclusively on protecting physical assets through locks, surveillance, and alarm systems. Most corporate security departments are staffed by people with back-grounds in crime prevention and law enforcement, not information technology. As new physical access security technologies have come to market from electronic building security systems to closed-circuit television (CCTV) to access cards and readers corporate security of cials have largely implemented them on their own, without requiring much involvement of their IT organizations. For many of them, the integration of physical and logical security technologies was neither an option nor a priority. The world of logical access security technologiesLogical access security has been part of information technology almost since its inception and has always remained under the aegis of the IT organization. In the early days of corporate computing when multiple users shared access to a single main computer via directly-connected terminals passwords provided a simple, yet relatively effective form of protection, especially when the terminals could only be used from inside a secured building. As computing power has become more distributed and computer networks evolved from smaller, private entities to vast, shared resources on the public Internet, the need for logical access security has grown. Today, users can connect to corporate IT resources far away from corporate facilities via the Web and Virtual Private Networks (VPN). At the same time, IT departments have had to contend with the constantly-escalating risks posed by hackers, industrial spies, cyber-thieves, and saboteurs, and disgruntled employees. With all of these concerns to deal with, most IT executives were likely happy to leave the responsibility for physical access security systems to their corporate security department peers. This situation is changing, however, as physical and logical security concerns mount and persistent issues such as inadequate security policy and enforcement continue. Today, more and more organizations are asking Why can t our physical and logical security systems work together to share data and strengthen each other? 3Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideNow is the time for convergenceFor years, physical access security systems acted as the rst line of defense against unauthorized logical access. After all, if a person could not gain entry to a corporate building, that person could not gain unauthorized access to corporate applications and data. That changed with the advent of remote access. Remote access via VPNs, the Web, and wireless networking has opened up IT resources that can no longer be protected by physical access systems alone. Various vendors have tried to solve the problem using conventional approaches. These include: Multifunction cards for both physical and logical access. These cards use a magnetic stripe, barcode or Radio Frequency Identi cation (RFID) to identify users as they enter corporate facilities and when they use a computer. These approaches provide a cost-effective solution, but the level of physical and logical integration is very low. For example, they offer no event reporting and no ability to control or streamline user privileges. Moreover, multifunction cards do not prevent the use of a card by an unauthorized person should that card be lost or stolen. Identity management solutions. These solutions offer full provisioning for new users, streamlining the creation of Active Directory or directory accounts and required user applications, as well as physical access privileges. However, user provisioning systems are extremely costly, dif cult, and time-consuming to implement, often taking several years. They require the wholesale rebuilding of an organization s physical and logical security systems, including designing the requisite work ow and the consolidation of identities across all physical and logical systems. In addition, an identity management solution only becomes operational once all these tasks have been completed successfully; there is no way to implement one or bene t from it in an incremental fashion. As a result, identity management solutions are largely applicable for only the Fortune 1000 corporations that have the required budget and staf ng resources to undertake multi-year projects.Consolidated reporting systems. In lieu of tight integration between physical and logical access systems, this approach gathers logs from application, network, and physical access systems and generates consolidated reports by users. Implementing a consolidated reporting system can be time-consuming and dif cult, because it requires the creation of an adapter for virtually every component of logical access security: every application, every directory, and every network access system, and in many cases, resolving ambiguities in user identities. A consolidated reporting system also needs to be able to understand all the different data formats for these technologies. However, the biggest drawback to consolidated reporting systems is that they do not offer a comprehensive converged solution. They only support forensic reporting, which while certainly a key capability can only provide a timeline of what has already happened. They do not allow policy control nor do they streamline provisioning, and they do nothing to prevent security violations from happening in the rst place. 4Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideRequirements of a converged solutionWhile all of these approaches can provide some degree of additional protection, they do not satisfy all the requirements of a truly converged solution. To ful ll the growing demand among companies of all sizes for a fully-integrated answer, a converged solution must: " Approach security from a holistic view; " Offer ne-grained, zone-based logical access coupled to a user s badge status and location; " Leverage existing security investments; " Enforce both physical and logical security policies; " Have monitoring and reporting capabilities in order to demonstrate compliance with acts such as Health Insurance Portability and Accountability (HIPAA), Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), and HSPD-12; " Be cost-effective for companies of all types and sizes; " Be easy to deploy; and " Deliver a measurable return on investment. The notion of converging physical and logical access security is not a new one. It has actually been around for some time, but historically, implementation has been a problem. Because physical and logical security systems have had little in common technologically, integrating them was a costly and complex proposition. The lack of interaction between the physical security experts and information technology providers has also hindered convergence.However, an opportunity now exists for the worlds of physical and logical access security to come together at last. Here s why: The widespread adoption of IP. Over the past decade, Internet Protocol (IP) has become the defacto standard for corporate IT networking. Having a common protocol reduces wiring requirements, deployment time, cost, and enables convenient management and administration via Web browsers. These advantages have led more physical security device providers to make their products IP-compatible. Today, many physical access devices are IP-capable, including cameras, card readers, and access controllers. An increased effort by physical access security vendors to create convergence-friendly solutions. More vendors are responding to customer demand and seeing the value in supporting convergence. Many of them are now promoting standardized APIs for integration or exposing interfaces that can be accessed by IT-based solutions.Greater awareness of what identity management can do for security. As shown above, converged solutions that are built around identity offer more comprehensive security protection and related bene ts. The recognition by auditors that corporate resources cannot be secured by door locks and rewalls alone. As auditing for regulatory compliance becomes more widespread, more auditors are seeing the gaps in corporate security and alerting their clients to take action5Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideEmerging standards. Standards such as Open Security Exchange and PhysBits are being de ned to enable easier physical and logical access security integration. More cost-effective card token solutions. Recently, vendors have introduced a new generation of more affordable smart cards, such as Mifare DESFire and HIDs iClass. Based on a contactless smart card chip, these widely-adopted cards offer a far more secure token than the traditional 125KHz Prox technology used with most access control systems, making them suitable for use in IT security. The impact of Enterprise Single Sign-On (ESSO). As more organizations deploy ESSO, which allows users to login from anywhere, to all applications, via a single, complex password, it is driving demand for strong user authentication and more comprehensive security policies for network and remote access. New gateway technologies. A new generation of gateway technologies is targeting and xing common convergence problems. These gateway products bridge the gap between the physical and logical systems to provide a secure means of exchanging identity information and real-time events. As a result of all of these factors, converged physical and logical access security systems will no longer be too costly or complex to deploy.How a converged security solution might workThe illustration above shows one way of implementing a converged physical and logical access security solu-tion that can consolidate identities, set policies, monitor and track events, manage access rights to software applications, and generate consolidated reports. 6Identity management ?Directories?Provisioning Systems?Authentication ServersAccess Control" Cards/Readers" Alarms/events" ProvisioningNetwork and Remote AccessPhysical Access-On"""""""""""""Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideThe convergence gateway (center) consolidates identities from the physical access system (lower right) and ties them into the true user identities obtained from directories and authentication servers used for network and remote access (upper right). The gateway maintains the relationship between the user s true network identity and the aliases by which the user may be known by other systems. The convergence gateway is also able to set access policies to control both the VPN (near left) and network authentication through each of the authentication modes available to end users (far left). With the physical and logical access security mechanisms linked, identity management centralized, and policies in place, the converged solution is then able to monitor and track events generated by the physical access security system and the directories and provisioning systems. In this example, software applications have been ESSO-enabled (middle box at right), allowing the converged solution to manage access rights to those applications, as well. Finally, because the converged solution is able to read and translate all relevant le formats from both physical and logical access systems, it is capable of creating consolidated reports.Convergence scenariosOnce an organization has implemented a converged physical and logical access security solution, it can be used in a variety of ways to support a range of policies. The following are some typical scenarios: Network access policyWith a converged solution, organizations will be able to set policies with a variety of conditions, such as: " A user is granted both network and remote access only with a valid ID badge. " A user is granted network access only if he or she has logged in within a speci ed time after entering the facility. " A user is granted network access only upon entry through a speci c door or zone. Event managementA converged solution will be able to assist an organization in responding promptly to a variety of security events by alerting the proper people. For example: " It will be able to notify a facility administrator if a network account is being accessed when the user is not present in the facility. " It will be able to notify an IT administrator if a remote account is being accessed while the user in question is in the building. " It will be able notify an IT administrator when a terminated user attempts to gain network or remote access.Access reportsOrganizations will be able to track each user s network and remote access history and compare them against facility entry records. This would be useful for providing a complete timeline that establishes a history of how and when a user entered a building, logged onto a network, and if ESSO is enabled, what applications were accessed. This comprehensive audit trail is extremely useful for investigating breaches or leakages.7Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideThis is also a key compliance tool for auditors. It is extremely dif cult to recreate such a timeline today because access logs are locked within the different physical and logical access security applications: the log that tracks people who enter a facility is locked within the physical access system; the network access log is kept in the network directory; and each software application keeps its own record of each time a user accesses it. However, a converged solution enables forensic timelines by supporting integrated event and report generation. The convergence gateway collects such information from all components, enabling it to recreate the entire sequence of events: how the user got into the building; how the user got onto the network; what authentication mode was used; what the network logon name was; how long the user stayed on the network. If ESSO-enabled, the converged solution can also track which applications the user accessed, either via the network or remote access.Beyond the gapWhat will it mean to corporate security when the worlds of padlocks and passwords nally converge? A number of converged physical and logical access security systems are expected to come to market within the next year. As they do, those organizations that deploy them will be among the rst to bene t from the en-hanced capabilities they offer. These bene ts include: Improved user management " Streamlined procedures for adding/removing users from physical and logical security systems " Improved consistency of user demographics across all systems Greater return-on-investment from existing infrastructure " More value extracted from badges and proximity cards that organizations have already deployed " Full leverage of the existing infrastructure of readers and doors controlled by physical access control systemsEnhanced perimeter security " Incorporation of user location, time of badge-in, and badge status within network/remote access policy " Veri cation of badge status prior to granting network/remote access " Better enforcement of physical access policies against tailgating Regulatory compliance " Support for HIPAA, GLBA, SOX, HSPD-12, and more Improved risk management " Consolidated logging of entry and access records by true user identity " Real-time response to network alarms " More accurate emergency roster lists8Copyright 2006 Imprivata, Inc.Untitled DocumentBridging the Great DivideA bridge to a more secure future With the momentum building behind the development of converged physical and logical access security systems, it is not too soon for companies to begin thinking about how their organizations could bene t from the enhanced security and compliance these solutions will deliver. In particular, companies may want to begin formulating their convergence solution plans in order to ensure a sensible, affordable, smooth, and incremental implementation. One way to begin is by asking some basic questions, such as: " How should existing security policies be revised to take advantage of the capabilities of converged solutions? " Should the planned converged solution take a comprehensive approach that includes ESSO-enabling applications for stronger application security and easier password management? " Should all facilities deploy converged security, or only those buildings or areas within buildings that present the highest security risks? " Should the solution encompass all employees, or only those at certain levels, within certain departments, and/or within certain facilities? " What components of the converged solution should be implemented rst, and which can wait until a later date?By discussing these and other questions with representatives from both the corporate security and IT departments and achieving consensus, organizations of all sizes and types can take the rst, positive steps toward cost-effective physical and logical access security convergence and a more secure future.9Copyright 2006 Imprivata, Inc.Untitled Document10 Maguire Road Building 2 Lexington, MA 02421 v 781 674 2700 f 781 674 27601.877.ONESIGNInprivata Europe Forsyth House 77 Clarendon Road Watford Herts, WD17 1LEUnited Kingdom v +44 1923 813511 f +44 1923 813501 www.imprivata.com