Opportunities for Convergence in Physical and IT Security
By Dan Isaaman, Technical Director, Smartcard Focus
Most organizations are currently striving to increase the security of their buildings and IT infrastructure. Both are important – there is no point making PC logon secure if someone can walk in and take a laptop without physical barriers in place, and there is no point securing a building's perimeter or a server room if someone can log in remotely and download data without suitable authority.
Traditionally these two aspects of security have been managed and implemented by different departments, supported by different supply chains. Facilities managers have specified and selected door access systems from a range of established suppliers, ranging from small local locksmiths to large system installers providing complete turnkey solutions. Similarly, IT managers can purchase a wide range of products and services from their traditional suppliers as well as IT security specialists to enable them to build up a comprehensive and secure infrastructure that protects against a multitude of threats and provides the business with the tools needed to operate in the modern environment.
The result of this split is often that security policies within an organization are not 'joined up'. For example, the processes for handling an employee who joins or leaves are frequently complex and confused, and can leave major 'holes' in physical or logical access: a leaver whose network account is disabled but whose door card is never cancelled, or the reverse. Costs are also unnecessarily increased by duplicated systems and consumables, especially where more than one identity card or 'token' is issued for different purposes.
Physical differences between traditional door access systems and IT systems can also cause unnecessary installation difficulties and costs. Most door access systems require cupboard space for installing multi-door controller boards and associated power supplies, while wiring from cupboards to doors involves bundles of many different cable types over long distances. Modern commercial building design and refurbishments now favor 'flood wiring' with Cat5 Ethernet cabling to serve all IT requirements, and with the introduction of Power-over-Ethernet this has already spread to include other security products such as IP-based CCTV surveillance products which can sit happily on the IT network without the need for additional power supplies or cabling.
With the introduction of a raft of new products over the past 12-18 months, the physical security market is catching up with these developments, and there are now a number of exciting opportunities for organizations to deploy systems that combine physical and logical security in a number of ways that can both improve overall security and also save money.
One network for all
The first opportunity is to use the IT network to connect, and power, intelligent IP-based door access controllers. Rather than cupboard-based controllers catering for multiple doors, the latest market innovations provide low-cost intelligence at each door, connected via a single PoE-equipped Ethernet cable, with minimal additional wiring to local readers and door locking hardware. This approach leverages the investment companies are making in building and managing reliable and widely-available IP networks across their building estates, and can result in significantly lower outlay per door through reduced hardware, installation and maintenance costs. It also means that the door now depends on the network and its PoE switches, so the segment serving door controllers should be given the same resilience, and the same access restrictions, as the doors it controls.
One card for all
Combined technology smartcards are now appearing that can be used for multiple applications including door access and IT security. Dual-interface smartcards (one chip, contact and contactless) have a role to play here, but it is cards that combine two different technologies, one contact and the other contactless, that appear to have the better chance of finding practical applications in the short term. For example, a card providing full standards-based PKI smartcard functionality can be obtained that also carries separate proximity and RFID contactless chips designed to work with almost any existing door access system. This enables the roll-out of improved IT security using a single card, without modifying any existing physical access installation. Note that the two sides are independent: the PKI chip raises the security of PC logon, while the contactless chip simply presents the card number the existing readers already expect, so door-side security remains at the level of the installed access system.
One database for all
The ultimate aim for an organization should be to manage all of its employees' security access rights within a single database. This has historically been difficult to achieve with traditional suppliers, since the systems used for managing door access rights have generally been designed to operate separately rather than to integrate with those used by IT for managing network access. However, new solutions now provide direct integration between these two worlds, enabling a single user directory such as Active Directory to hold the security policies and rights information for both door and PC access. The benefits of this approach include a single change to a directory record (for example, disabling a leaver's account) taking effect for doors and PCs at once, which matters most when dealing with new or departing employees, plus the capability to implement location-based access control, for instance refusing PC logon unless the same user's card has recently been presented at a door of the building where the PC sits.
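The following is an added illustration, not code from the article or from any Smartcard Focus product, of what "one database for all" buys you: a single user record carries the card number, the door groups and the workstation groups, so disabling that record closes the joiner/leaver hole described earlier in one step, and the logon decision can consult the door controllers' badge events to enforce the location rule. The directory, the users, the doors and the timestamps are all constructed for the example; the 12-hour presence window and the treatment of an exit reader as clearing presence are design assumptions, not anything the article specifies.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption (not from the article): a badge-in counts as "present" for at most
# this long, so a forgotten badge-out cannot grant PC logon indefinitely.
PRESENCE_WINDOW = timedelta(hours=12)


@dataclass
class User:
    """One directory record carries the card number and BOTH kinds of rights."""
    username: str
    card_number: int
    door_groups: set[str] = field(default_factory=set)
    workstation_groups: set[str] = field(default_factory=set)
    enabled: bool = True


@dataclass
class Door:
    name: str
    building: str
    allowed_groups: set[str]
    is_exit: bool = False  # assumption: an exit reader clears the user's presence


@dataclass
class Workstation:
    name: str
    building: str
    allowed_groups: set[str]


class Directory:
    """Toy stand-in for the single user directory (e.g. Active Directory)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.by_card: dict[int, User] = {}
        # username -> (building, time of most recent badge-in)
        self.presence: dict[str, tuple[str, datetime]] = {}

    def add_user(self, user: User) -> None:
        self.users[user.username] = user
        self.by_card[user.card_number] = user

    def disable_user(self, username: str) -> None:
        """Leaver process: one change revokes door AND PC access."""
        self.users[username].enabled = False

    def badge(self, card_number: int, door: Door, at: datetime) -> bool:
        """Door controller decision, answered from the same directory record."""
        user = self.by_card.get(card_number)
        if user is None or not user.enabled:
            return False  # unknown or disabled card: deny
        if not (user.door_groups & door.allowed_groups):
            return False  # card valid, but not authorised for this door
        if door.is_exit:
            self.presence.pop(user.username, None)
        else:
            self.presence[user.username] = (door.building, at)
        return True

    def logon(self, username: str, ws: Workstation, at: datetime) -> tuple[bool, str]:
        """Workstation logon decision with the location rule applied."""
        user = self.users.get(username)
        if user is None or not user.enabled:
            return False, "account disabled or unknown"
        if not (user.workstation_groups & ws.allowed_groups):
            return False, "not authorised for this workstation"
        present = self.presence.get(username)
        if present is None:
            return False, "no badge-in on record"
        building, since = present
        if building != ws.building:
            return False, f"badged in at {building}, not {ws.building}"
        if at - since > PRESENCE_WINDOW:
            return False, "badge-in too old"
        return True, "ok"


def run_scenario() -> dict[str, object]:
    """Constructed day in the life: badge-in, logon, wrong site, badge-out, leaver."""
    d = Directory()
    d.add_user(User("alice", 1001, {"staff"}, {"hq-desktops"}))
    d.add_user(User("bob", 1002, {"staff"}, {"hq-desktops"}))
    front = Door("HQ front", "HQ", {"staff"})
    rear_exit = Door("HQ rear exit", "HQ", {"staff"}, is_exit=True)
    hq_pc = Workstation("HQ-PC-07", "HQ", {"hq-desktops"})
    branch_pc = Workstation("BR-PC-01", "Branch", {"hq-desktops"})
    t0 = datetime(2024, 1, 15, 8, 0)  # constructed timestamp
    r: dict[str, object] = {}
    r["alice_badge_in"] = d.badge(1001, front, t0)
    r["alice_logon_hq"] = d.logon("alice", hq_pc, t0 + timedelta(minutes=5))
    r["alice_logon_branch"] = d.logon("alice", branch_pc, t0 + timedelta(minutes=5))
    r["bob_logon_no_badge"] = d.logon("bob", hq_pc, t0)
    r["bob_badge_in"] = d.badge(1002, front, t0)
    r["bob_logon_stale"] = d.logon("bob", hq_pc, t0 + timedelta(hours=13))
    r["alice_badge_out"] = d.badge(1001, rear_exit, t0 + timedelta(hours=9))
    r["alice_logon_after_out"] = d.logon("alice", hq_pc, t0 + timedelta(hours=9, minutes=10))
    d.disable_user("alice")  # the leaver step: one change in one place
    r["alice_badge_disabled"] = d.badge(1001, front, t0 + timedelta(days=1))
    r["alice_logon_disabled"] = d.logon("alice", hq_pc, t0 + timedelta(days=1))
    return r


if __name__ == "__main__":
    for event, outcome in run_scenario().items():
        print(f"{event:24s} {outcome}")
```

Two points the scenario brings out: the location rule only works if the door controllers write their events somewhere the logon decision can read, which is exactly what a shared directory provides; and a presence record must expire or be cleared on exit, otherwise a single badge-in would authorise logon for as long as the record survives.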
Products and solutions
Smartcard Focus provides a range of physical and logical access control solutions that can be used to build comprehensive security solutions for a wide range of organizations:
- Edge Solo – a low-cost stand-alone IP-based door access controller with built-in web management interface that can be quickly and easily deployed to control any door via the IP network. See our Edge Solo section for more details.
- Crescendo – a combined technology card that provides standards-based PKI smartcard security including Windows logon, email and document signing and encryption and a host of other applications, whilst also including separate Prox, iClass or MIFARE contactless chips to enable door access and other related applications. See our Crescendo section for more details.
- EdgeConnector – a new solution that combines the benefits of IP-based door access controllers with host server software that integrates multiple controllers into a Windows domain (or other LDAP environment). All access rights for users and doors are stored within the standard Active Directory user directory, while management software is provided to enable HR and Facilities Managers to control and monitor users, doors and card number information without needing administrative IT privileges. See the Edge Connector web site for more details.