The security guard and the information technology (IT) security specialist have a lot in common – and smart businesses are recognizing that fact.
Honeywell Inc. and Novell Inc. announced in late April that Honeywell would integrate Novell’s Identity Manager for IT systems with Honeywell’s SmartPlus Identity Manager, a system designed for physical access control, alarm monitoring and badging systems.
The move was driven partly by the demands of the U.S. government’s FIPS 201 plan for smart cards to control federal employees’ and contractors’ access to facilities, says Beth Thomas, senior product manager for convergence at Honeywell.
But it is also meant to address commercial customers’ growing interest in tying their IT security systems more closely to those that control access to physical premises.
That sort of integration is a good idea, according to Dave Tyson, senior security analyst with the City of Vancouver and author of Security Convergence: Managing Enterprise Security Risk, a book soon to be published by Butterworth-Heinemann in Burlington, Mass.
“You’re talking to a convert [to] that concept,” Tyson says. “I think it’s the future. I think you cannot approach risk management of an organization unless you’re adequately addressing all of the risks.”
Integrating IT and physical security systems “streamlines the access control model,” says Ross Chevalier, chief technology officer at Toronto-based Novell Canada Inc. “It really simplifies the whole concept of ‘off or on’.”
When a new employee joins the company, an integrated security regime should mean that person immediately gets all the privileges he or she needs – access to the building, to networks and computer systems, and to applications and data, as appropriate.
And perhaps more important, Chevalier adds, integrated security means that when someone leaves the organization, all privileges are revoked right away.
Sometimes too, integrating security operations can help catch problems that aren’t apparent when isolated groups deal with premises and IT security.
Correlating IT and premises security data can reveal patterns, says Richard Branston, general manager of the security practice at IBM Canada Ltd. in Markham, Ont.
Abnormal patterns of access to both physical facilities and information systems by the same employee might set off alarms, he suggests. Or two things that seem innocent on their own might add up to evidence of a problem.
For instance, Branston cites a potential scenario where an employee’s access card has been used to enter a facility in Toronto, but at the same time that person’s network user ID is being used to connect to corporate computer systems from the Philippines. One of those uses is probably illegitimate.
And the two groups can help each other. The City of Vancouver, for instance, has given security guards the job of checking that laptops in its offices are locked up and passwords aren’t left out in the open.
“You can have a million-dollar firewall,” Tyson observes, “but if the receptionist leaves her password taped to the monitor, it’s worth absolutely nothing.”
Tyson also argues that security strategy and spending can be planned more effectively when one group is responsible, rather than senior management having to weigh requests from two isolated groups.
“The real benefit is that the teams that are managing overall security are working much more closely together,” Chevalier says.
Combining physical and IT access control systems can help organizations reduce staff or rely less on outside contractors, Tyson adds, in some cases reducing operating costs by close to 50 per cent – savings that can run into the millions of dollars in large enterprises.
Of course bringing together IT and physical security does raise some questions, and the big one is who is in charge.
Tyson doesn’t believe subordinating one existing group to the other – making the IT security group report to the building security group or vice versa – will work. “The proper way to do this,” he says, “is for the senior security person in the organization to have proper understanding of both disciplines.”
There also needs to be more communication between IT and premises security staff, and they need more knowledge of each other’s work, Tyson adds.
That is coming. The Computer Information Systems Security Professional (CISSP) designation now has a significant component dealing with physical security, and similar standards for premises security staff are incorporating more elements of IT security, he notes.