Efficiently managing the security credentials of your staff and contractors throughout the enterprise can be challenging, but as physical security and information security continue to form a synergistic and symbiotic relationship, technology integration can help solve this problem. An identity management platform ensures that only appropriate users have access to corporate resources, and by integrating into systems such as HR as an authoritative source, minimise the risk of stale user accounts as a result of staff changes. As identity management systems are role based, that is functional roles within the organisation have pre-defined levels of access, changes to staff positions result in changes to permissions. These systems have the ability to audit and track users accounts, and automatically revoke access. They provide a centralised point of control for security and audit processes, and are an effective means of evaluating regulatory compliance.
Another significant reason for merging physical and IT security systems is cost reduction. By providing users with the convenience of a single enterprise-wide credential for both physical and online access, organisations have the ability to centrally provision and administer user identities and authentication. Information is entered once into a source of trust such as the HR system, which through integration into the identity management solution, automates the activation of user privileges. These solutions typically utilise a form of single-sign-on technology that removes the need for users to remember multiple passwords. This reduces the number of calls to the help-desk for forgotten passwords, hence reducing the associated support costs.
Some areas that may be addressed in a consolidated security infrastructure can include:
Access control
A single system, utilising distributed architecture can be deployed, integrating multiple building systems into one “data management layer”. This allows for a common time and attendance and access control system to be used across all buildings, identifying who is at each building and their location, making sure that people are restricted to the areas to which they are authorised.
Digital CCTV can be integrated with building events, allowing for attempts at unauthorised access to be captured for forensic analysis. Advanced video processing systems can also be used for non-motion and object size detection to identify objects left in clearways, fire exits, etc. (bomb risk).
By using a common management application that allows the systems to communicate or share information, efficiency is dramatically improved, both in the way the data is managed, and how it is accessed. If these systems are built on a common backbone infrastructure, then there is a greater increase in asset utilisation. This creates consistency in the way the buildings are operated, and greater access to information, in turn reducing the overall operational costs.
Single credential
Providing a single smart card platform allows for efficient physical and logical access control across multiple sites. This allows for the protection of company data, enabling secure logon, data access and data transmission within sites, between sites and via remote access. Smart cards can be combined with a biometric platform for high security areas such as computer rooms and laboratories/research areas.
Asset control
Using a consolidated security infrastructure allows organisations to match people and assets (eg laptops) for security and asset management. Implementing a real time asset location system allows for assets to be classified and for access and/or removal of assets to be restricted to the nominated asset owners. Integration of these systems with digital CCTV allows for attempts at unlawful access or removal of assets to be captured.
Real time asset location can reduce the costs associated with lost or stolen assets, as well as assist in identifying the true utilisation of selected assets. Decisions can then be made based on factual data as to the level of inventory to be held and maintenance requirements, as well as being able to recall assets in line with any leasing arrangements.
Forensic analysis
Real-time behavioural analysis and forensics is achievable through the consolidation of physical and IT security audit data. By collecting and correlating security related data from across the enterprise and analysing it on a 24 x 7 basis, detailed forensic analysis can be performed in the event of a security breech. This enables organisations to quickly and automatically detect suspicious behaviours and establish accountability in case of a security incident. Deviations to common access paths can generate alerts and logical access can be matched to physical access for user authentication.
The convergence of physical security and information security is not without its challenges. Creating a culture in which physical security and IT personnel work well together can be difficult; these staff often have different perspectives, priorities and reporting relationships. This factor alone suggests that a culture of corporate security management needs to be driven from the highest levels within the organisation, ideally with visibility and representation at board level.
There needs to be a demonstrable return on investment (ROI) and an alignment with the overall business objectives; all initiatives should be part of a longer term strategy to decrease the level of security risk and exposure. This strategy needs to cascade down through the organisation to match business unit goals, and needs to have similar levels of priority as the business initiatives.
The process for successfully implementing a converged security infrastructure requires focus in a number of areas.
Organisational alignment
By obtaining a thorough understanding of the organisational tolerance to risk, the depth of security requirements can be ascertained. This needs to take into account the security requirements at a business unit level.
Roles and responsibilities for security need to be defined throughout the organisation with involvement from physical security personnel, IT, business units and vendors.
Process alignment
The security requirements of business processes and operations should be defined, with enterprise-wide security solutions being integrated into processes and applications. Process owners and users need to be made aware of the importance of security.
Strategies and architectures
Security strategies and architectures need to be clear and actionable, with a level of flexibility to address potential changes to the organisation or technology.
Technology integration
It is important to be involved in selecting the technology solutions to ensure that organisational requirements are met. It is wise to pilot selected technology to validate the solution. Once validated, the solution should be implemented in phases, allowing for the highest priority areas to be dealt with first, with ongoing testing of performance and functionality.
Roll-out
A roll-out strategy should be developed that allows for the solution to be deployed in phases. It is vital to ensure that all of the stakeholders are adequately trained in order to gain their continued buy-in. Once rolled out, ownership should be transferred to the appropriate business units or functions.
Maintenance
Ongoing maintenance of corporate security management requires adherence to the initial business policies and procedures. Regular audits should be performed to confirm that policies and rules are being abided by, and the solutions modified in line with changes to the business.
There are clear benefits to be derived from an active, strategic approach to corporate security management and the implementation of a converged security infrastructure. Organisations can take a holistic view towards risk management and compliance whilst reaping the rewards of systems that have lower costs of administration and support.
Organisations seeking to embark on such a strategy need to be clear on the outcomes expected, and ensure that buy-in is gained at all levels; these strategies need to be closely aligned with business objectives, and not be viewed as simply an IT security project. A phased approach should be taken and appropriate time allocated to the process. Key objectives should be set to measure the benefits of each stage as it is rolled out.
It is important to work with organisations capable of delivering comprehensive and best-of-breed security solutions. This provides the benefits of accountability, risk mitigation and knowledge transfer not typically available from a multi-vendor approach.
Finally, it is vital to implement auditing, monitoring and reporting processes to ensure on an ongoing basis that requirements are being met, and adjust the systems according to changes in the business or risk profile.