Shift toward unified security emerges
David Margulius, Information Age
12/10/2004 12:35:53
When Delaware State University took a hard look at its campus-wide security systems in the late 1990s, it didn't like what it saw. The school's 1800 students used multiple passwords for various campus IT systems. They carried a mish-mash of identity and access cards for the library, residence halls, bookstore and cafeteria. According to CIO and Assistant Provost Dr Charles Fletcher Jr, "We were experiencing difficulty with keys and significant theft."
School officials set out to unite the university's multiple physical and IT security systems with a single, campus-wide access card, which could be centrally administered and monitored. So in 2002, working with Siemens, Delaware State launched the DSU Smart Card, incorporating a picture ID, barcode, magnetic stripe, RF (radio frequency) antenna and microprocessor to manage student access to the campus's diverse physical and IT infrastructure.
Fletcher claims theft is down almost 20 per cent and says the unified system makes it easy to trip alarms and immediately cut off access to buildings or networks.
Welcome to the world of converged enterprise security. By linking physical access systems to IT security systems, organisations are laying the groundwork to ensure that the two systems work in concert, controlling access and fending off attacks, while providing greater efficiency in user provisioning and authentication.
Vendors such as Siemens and Computer Associates already offer systems that monitor and correlate data from both physical and IT security sources. Although adoption in the enterprise is still in the early stages, it's growing steadily behind the scenes, particularly at large financial services companies and in government, health-care, communications, and intellectual-property-intensive industries.
Not only will the resulting converged systems make legitimate access easier, they will also dramatically raise the level of security intelligence by correlating physical and virtual data in real time to detect threats. These systems may sound an alarm when your machine is in use but you're not physically in the building. They may lock you out if you try to enter two buildings 150km apart in under an hour. They may automatically delete data on mobile devices that stray outside of a certain perimeter and are thereby deemed stolen. And they will be sure to log suspicious behaviour for future analysis and potential prosecution.
"Previously this was just a dream," says Erik Layton, senior investigator at Pinkerton's worldwide IT practice group. "If you can integrate the identification of potential anomalous behavior, you're going to have a much more integrated approach to responding to risk, (resulting in) an exponential increase in enterprises' ability to thwart attack," he says.
Authentication: The enterprise-wide credential
A key building block of the converged security vision -- and one of its biggest benefits -- is the ability to give employees a single enterprise-wide credential they can use for both online and physical access. Having one credential would provide convenience to users and would make it easier to centrally provision and administer user identities and authentication.
"The No. 1 reason for interest in merging physical and IT security systems is provisioning," says Eric Maurice, director of eTrust Security Management at Computer Associates International. In most enterprises, these disparate systems don't talk to each other, he adds.
Such an enterprise-wide credential can take the form of a smart card or a combination of a smart card plus biometrics, explains Sun's Director of Java Card Business Peter Cattaneo. "I can now write a Java smart card applet, which can talk to my door or log in over the network. When you show up at a door, it just opens and your session is ready on the computer."
But the devil is in the details because of an immature but quickly evolving set of authentication technologies and the difficulty of getting large organisations to develop unified processes to make sure a person is who their credential says they are.
Enterprises must make trade-offs, for example, between strong multifactor authentication and usability. Biometric authentication methods such as fingerprint analysis are growing in popularity but have several issues (see Biometrics Move Into the Mix). Smart cards, which can combine legacy methods such as a magnetic stripe with stronger authentication on a microchip, are still costly, largely unstandardised, and can be stolen if left lying around. Other technologies such as RFID (RF identification) and GPS (Global Positioning System) are just emerging as potential players in the authentication process.
"It's nice that people have so many different choices of so many different technologies to experiment with right now," says Novell Security Czar Ed Reed. But he also points to inherent challenges when large enterprises deploy dual-purpose smart cards that enable both online identity authentication and physical access.
"There's a disconnect if you have to take your smart card out and put it in a card reader, and you then have to get up and go to the bathroom," Reed notes. "If you don't have to have the card to go to the bathroom, you're susceptible to leaving the card at the workstation, and now you've just blown the whole purpose. It's got to be more like your keys -- you don't leave the office without your keys because you can't drive away if you don't. Coming up with solutions to those types of issues is where the rubber meets the road with these integration efforts."
Organisational roles are another issue: can enterprises actually make centralised or federated credential management, role-based provisioning and timely de-provisioning work together? "The technology isn't the biggest part of the problem," says Richard Hunter, research director at Gartner. "It's setting up the mechanism to gather the data -- and (having) the personnel to manage the systems and the databases."
And finally, making integration investments pay off requires wholesale adoption, explains John McKeon, a business development executive at IBM Global Services. "The ROI is typically not just in physical access or network access. (It involves) incorporating biometrics as a strong authentication technology across a number of systems or smart cards -- not just with security apps, but with other business apps, such as payment, loyalty, vending, cafeteria, employee benefits, and parking," he says.
Monitoring and correlation
After an enterprise-wide credential is in place, the heart of the converged security vision will be the ability to correlate and analyse physical and IT security data in real time and to take action based on that data to prevent unauthorised events and attacks.
Pinkerton's Erik Layton, who also runs online security, tells of a recent incident at a large company where a coordinated approach could have averted millions of dollars of losses.
"We had a case where an organisation was attacked by an external distributed denial of service attack," Layton recalls. "Simultaneous with the DDoS attack, there was a physical theft of intellectual property within the organisation -- multiple millions of dollars worth of customer information and critical plans for future development. The net result of the investigation was that the success of the theft was in large measure because the IT security staff's eye was taken off the ball by trying to prevent the DDoS attack."
Layton believes that if the right rules had been in place across a converged IT and physical security system, the organisation could have thwarted the property theft by shutting down physical access to certain critical systems when the external servers came under attack. "Where these types of monitoring systems will have the most impact is handling internal risk," he asserts.
Mark Cherry, product development manager at Honeywell International, agrees. "Access control will typically help a customer keep people segregated from areas, based on their work roles."
Before an organisation can implement a system to monitor and respond to the actions of its employees, it must develop an acceptable set of policies to be scripted into a rules engine governing data collection, activity-pattern analysis, anomaly detection, and archiving. As with most security systems, converged systems will do only what the corporate policy rule book tells them to do. The issue of how to respond to incidents, for example, is always tricky. A converged system might execute certain automatic responses to an apparent combined physical and cyber threat, such as recording a video clip for later review.
But Glenn McGonnigle, CEO of VistaScape, a video surveillance software company, says that most incidents still require a policy-driven escalation process involving human beings.
"Several years ago, we had systems that could respond to an attack by dropping a connection or shutting off a firewall," McGonnigle says. "But customers weren't ready for that. They didn't want those systems to take that action without oversight."
Connecting the physical systems
All the benefits of converged security -- more convenient authentication, more efficient provisioning, and better threat detection -- assume that an enterprise's physical access systems are IP-enabled and can share data across a network, which is not always the case. Devices such as locks, badge readers, and surveillance cameras have traditionally run on proprietary legacy networks and protocols and are hardly ever upgraded. This has begun to change as enterprises look to economise by sharing digital infrastructures.
"The industry is going more and more to open protocols because customers want to be able to share data at enterprise levels across the organisation," Honeywell's Cherry says. Although physical access systems increasingly use common back ends such as an LDAP directory or a SQL database, the field controllers that drive the readers and locks, called panels, and the management software that configures them are still largely proprietary and don't easily interconnect with other systems.
"The biggest challenge really is the lack of standards. The panel manufacturers are not working together," says CA's Maurice, who is also executive director of Open Security Exchange (OSE), an industry group formed to develop common APIs for physical-systems functions, including user provisioning and privilege management. OSE is working with the Security Industry Association, which is launching a Data Modeling for Access Control workgroup to address similar issues. "I think we are a year away at least from getting such a standard," Maurice says.
Another challenge is that once a physical access system has been IP-enabled, it inherits the attack surface of the network and of the commodity software it now runs on. "These systems become vulnerable to identity spoofing and session hijacking," Maurice notes. "A bad guy can remotely monitor your location by using your own camera, and you will not know." And in one recent case, he adds, an upgraded physical-access system running Microsoft's SQL database on the back end became infected with SQL Slammer, partially shutting down the system and preventing administrators from adding or de-provisioning users. Slammer, which spread in January 2003, exploited a buffer overflow in the SQL Server 2000 and MSDE resolution service on UDP port 1434 that Microsoft had patched six months earlier; an access-control server built on a commodity database needs that database's patch cycle, and the same network segmentation, as surely as any other server does.
Bridging the cultural divide
A final piece of the converged security puzzle involves getting IT and physical security personnel -- who often have different perspectives, priorities, and reporting relationships -- to work well together. "The guy tasked with catching a hacker has a different skill set than the guy tasked with catching a guy climbing a fence," VistaScape's McGonnigle notes.
"The primary function of IT security is to make sure the system works, keeping the system up and running," CA's Maurice says. "Whereas the physical security guys say we need to maintain the chain of evidence, we can't use this computer any more. On the one hand, you have people who deal with cheaters and thieves and physical danger, and on the other hand, you have young propeller heads."
This power struggle has not played out yet. "Neither side wants to give up ownership and management of identity," Novell's Reed says. "There are politics involved, having to do with who's authoritative and whom the various (departments) of the organisation trust to feed them update information."
But VistaScape's McGonnigle thinks both sides are gaining the other's respect as they increasingly share the same infrastructure and become more reliant on each other. Honeywell's Cherry agrees, noting that IT staff must rely on security personnel to safeguard their own physical infrastructure. "Somebody going in and throwing a wireless LAN device into a wiring closet is a security manager's worst nightmare."
Whether and how soon the vision of converged physical and online security systems will become reality at most large enterprises remains to be seen. But today, key building blocks are falling into place, advancing the vision, from smart cards and correlation software to IP-enabled access systems and surveillance devices.
As DSU's Fletcher notes, however, one thing is unlikely to change in a converged security world. "There's no perfect system." IT managers should set their expectations accordingly. He also emphasises the importance of having trained, competent staff on both sides of the house involved in a converged security project from start to finish. "You don't want to outsource this," he insists. "You need people who are committed to your corporate plan. They must have some skin in the game."
SIDEBAR
Biometrics move into the mix
As physical and IT security converges, biometric devices, which measure human characteristics such as fingerprints or retinas, have so far failed to win a role as stand-alone authentication credentials due to their perceived vulnerabilities. They are, however, gaining traction as a supplement to smart cards and passwords, which thieves can steal or falsify to gain unauthorised access to physical facilities and IT systems.
Biometrics offer advantages over smart cards in terms of convenience, says Novell Security Czar Ed Reed. "It's easier to reach up and grab a fingerprint pad than to remove a smart card from a badge and slide it through a reader," he explains, noting that companies are increasingly using biometric authentication to supplement smart cards in sensitive network environments.
But individual biometric techniques such as palm, iris, and fingerprint scans have their weaknesses, not least of which is the relative ease of spoofing. "You can make a gelatin mould of a fingerprint and use it to fool a fingerprint reader under certain circumstances," explains Richard Hunter, research director at Gartner.
"None of this stuff is private. It's not a secret," agrees Sun Director of Java Card Business Peter Cattaneo. He notes that the simplest way to beat biometric authentication is to "get a digital copy (of the biometric) and inject it into the network behind the sensor".
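Cattaneo's point is that a biometric is a public-ish measurement, not a secret, so the matcher must care where the data came from as much as what it contains. One standard answer is to key the sensor and bind every capture to a one-time challenge from the matcher, so a recorded capture cannot be replayed and a digital copy injected behind the sensor carries no valid tag. The block below is an added example, not code from the article or from any product it names; the shared key, the 32-byte "template" format and the Hamming-distance matcher are constructed stand-ins for a per-device key and a real matching algorithm.

```python
"""Authenticating the sensor-to-matcher channel so a stolen digital copy of a
biometric cannot simply be injected behind the sensor.

Added example, not from the article. The shared key, the 32-byte "template"
format and the Hamming-distance matcher are constructed stand-ins: a real
system would use a per-device key provisioned at manufacture and a proper
biometric matching algorithm.
"""
import hashlib
import hmac
import secrets

SENSOR_KEY = b"constructed-demo-key-not-for-use"  # assumed per-sensor secret
MATCH_THRESHOLD = 24  # max differing bits between live capture and enrolment


def hamming(a, b):
    """Toy similarity measure: number of differing bits between two templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Sensor:
    """Trusted sensor: binds each capture to the matcher's fresh nonce."""

    def __init__(self, key):
        self._key = key

    def capture(self, nonce, template):
        tag = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        return nonce, template, tag


class Matcher:
    """Back-end matcher: issues one-time nonces and checks the sensor's tag
    before it looks at the biometric data at all."""

    def __init__(self, key, enrolled):
        self._key = key
        self._enrolled = enrolled   # user -> enrolled template
        self._outstanding = set()   # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, template, tag):
        if nonce not in self._outstanding:
            return False                  # replayed capture or attacker-chosen nonce
        self._outstanding.discard(nonce)  # each nonce is good for one capture
        expected = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                  # data did not come from a keyed sensor
        return hamming(template, self._enrolled[user]) <= MATCH_THRESHOLD


def run_scenarios():
    """Return (live, replay, injected) outcomes for a constructed user."""
    enrolled = bytes(range(32))
    live = bytes([enrolled[0] ^ 0x03]) + enrolled[1:]   # live scan differs by 2 bits
    sensor = Sensor(SENSOR_KEY)
    matcher = Matcher(SENSOR_KEY, {"alice": enrolled})

    # 1. Genuine presentation at the sensor.
    cap = sensor.capture(matcher.challenge(), live)
    ok_live = matcher.verify("alice", *cap)

    # 2. Attacker recorded that capture on the wire and replays it later.
    ok_replay = matcher.verify("alice", *cap)

    # 3. Attacker holds an exact digital copy of the template and sees the
    #    fresh nonce on the wire, but has no sensor key; forges what it can.
    nonce = matcher.challenge()
    forged_tag = hashlib.sha256(nonce + enrolled).digest()
    ok_injected = matcher.verify("alice", nonce, enrolled, forged_tag)

    return ok_live, ok_replay, ok_injected


if __name__ == "__main__":
    print("live=%s replay=%s injected=%s" % run_scenarios())
```

Note the limit of this defence: it secures the channel behind the sensor, which is the attack Cattaneo describes, and it defeats replay. It does nothing against the gelatin-mould attack Hunter mentions, which is presented to the sensor itself; that needs liveness detection at the sensor, a separate problem.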
Gartner's Hunter says another issue with biometrics is they may only work well under controlled conditions. Facial geometry scans, for example, can be done at a distance but only at certain angles of approach and lighting levels. Hunter also points out that for most biometric systems to work, a person's data must already be accurately entered into the database.
"That question shows up in almost any authentication scheme: Can you be sure the authentication is issued based on accurate data?" Hunter explains.
Hunter expects biometrics to lag behind smart cards for enterprise authentication, except in high-security facilities, until a couple of high-profile government biometrics projects -- such as the recently announced $US10 billion US-Visit border security program -- provide proof of concept and scalability.
Biometrics are expected to eventually live up to their long-awaited promise as the third pillar of the ultimate identity test: "something you have, something you know, something you are." Ultimately, biometrics will be one of the most powerful and secure authentication credentials, experts say, but only in conjunction with other methods. "It won't be enough to just say: 'Here's my fingerprint. Let me in,' " Novell's Reed says.
SIDEBAR
Merged security prompts privacy fears
In George Orwell's classic novel, 1984, surveillance devices constantly monitor the citizens of Oceania, and Big Brother controls their movements. Orwell may have missed his target by about 20 years, but parts of his ominous vision are far more plausible now that physical and IT security systems are merging.
Consider the network-connected door lock, which grants employees entry based on their identity or behaviour according to policies that reside in a rules engine. That same door lock in theory could keep a person locked inside -- say, until the end of his or her shift. Or consider biometric sensors and surveillance cameras, which can track your every move inside a building and develop a composite picture of your behaviour, including your online activity.
Extreme? Maybe, but many questions remain as to how converged systems and the data they generate will be used. Few companies are willing to speak publicly about deployments of converged physical and IT security systems, says Eric Maurice, director of eTrust security management at Computer Associates. "They're concerned about the perception the system will create with their own employees -- the fear that this kind of tool will be used to monitor everybody in real time."
Mark Cherry, global product development manager of Honeywell's Enterprise Building Integrator product, says privacy issues are a moving target linked to public sentiment and legislation. "You're always dealing with the civil liberties aspects of this," he says, noting that companies in some Scandinavian countries must by law expunge data on employees' access activities within 30 days.
In the United States, privacy advocates backed off some of their demands in the wake of Sept. 11. "But as time passes, the more relaxed people will become (about security measures). We're already seeing it," Cherry adds. He notes that some businesses, such as pharmaceutical and health care companies, are required by regulators to collect information about employee activities. But at many companies, monitoring is not viewed as crucial. "If you're in a warehouse pushing out paper, you probably don't need to track everywhere John has been," he says.
Other approaches to protecting employee privacy include storing the biometric template on the employee's own smart card, so that matching happens against the card rather than against a central database, and carefully limiting who can access certain data.
At Delaware State University, for example, in addition to having strong, publicly posted privacy policies, the IT department does not have access to data about students' physical movements around campus, explains Dr Charles Fletcher Jr, the university's CIO. "We try to keep that separate," he explains. "That makes good auditing policy."