Access Control: Join and Conquer

In the past few years, perhaps no security industry buzzword has been defined in articles and promotional materials as many times as ‚convergence‘. These definitions have most commonly referred to the integration of physical security and IT systems, with occasional elements of building control. These definitions, while helpful to end users, beg the ultimate question: ‚How do I make it work?‘ - By Jeremy Kimber, Commercial Operational Marketing Leader EMEA, Honeywell Security Group.

Convergence uses data generated by both physical security and IT systems to drive both business process efficiency and security, and its framework defines a migration path for organizational growth. There are some basic elements to consider before a solution can be considered truly converged.

Common Security Policy Management and Control
The IT infrastructure is the backbone of a converged solution, sharing knowledge of key business data across systems. The physical security system does not inherently know critical business data such as employee status, staff security clearances and training certifications. A computerized HR system, though, often has this knowledge. IP-enabled security systems therefore allow users to take advantage of fixed investments and improve return on investment (ROI).

Developing common protocols for managing access to company assets and data enables more efficient provisioning and management. An organization develops role-based policies that can manage badge issuance, enrollment and revocation processes by leveraging XML/SOAP interfaces for integration with identity management solutions. The key benefit is that building security personnel continue to use tools best suited to their jobs and HR personnel continue using HR tools.

Organizations should first identify the authoritative source (the system that has the ultimate say) for each person who has a building badge or an IT account. These sources (IT systems or people) of key data are used to determine whether a person has permissions to use a resource or access an area. From this arise some compliance or audit needs where the data exists on multiple systems and any business or security concerns that are unique or are especially important to an organization will become evident. Then it will be necessary to address the key business processes (onboarding, offboarding, change of position) and determine the responsibilities of different systems. The result will be a policy platform that supports customizable workflow creation tools to easily model processes and approvals.

Common User Provisioning
Convergence drives the business to contemplate the inter-relationship of physical security on IT security, and vice versa. How many organizations can definitely claim that terminated employees or contractors are immediately removed from their building access control systems? How many are confident that a former employee who tailgates into the building does not have active IT accounts? How many are confident current employees would recognize former employees and know that their employment has been terminated? Provision dynamics are evolving and driving user permissions in non-IT and external IT systems. Organizations must determine how many terminated employees or contractors still have active building badges and IT accounts. They must also be able to establish how many contractors who have not been on site for the last three months still have active building badges. It is advisable to perform studies to see if anyone questions tailgaters and to benchmark how long it takes for someone to be provisioned or de-provisioned. Educating employees on security risks will also help to close potential open doors.

Single Access Credential
Building security starts with a badge, often a prox or other ID card. IT security, meanwhile, starts with a user name and password. When organizations want to add more security to a card, they can add a PIN or a biometric. As IT systems look to increase security, however, the choices are not equivalent. Organizations can add an RSA token or biometric that authenticates the correct person, or a contract smart chip - embedded either in a card or in a USB dongle - that authenticates the correct person, and is also used for non-reputable digital signatures. Digital signatures are important in regulated environments to verify a person did approve or take action.

A single-card solution that includes a contact smart chip for IT and proximity technologies (contactless smart or 125 kHz prox) enables the organization to manage one resource for each employee, thereby minimizing both material and administrative costs. An optimized card issuance process allows building security to continue issuing badges, and the badge issuance process will be connected to IT systems for provisioning as a single process.

Two important steps to take are, firstly, that building security teams should discuss access credentials with their IT counterparts to identify opportunities to leverage cards across the organization. Secondly, the IT departments should review authentication and PKI requirements/needs.

Correlation of Events
By connecting systems, organizations can correlate seemingly disparate physical and IT security events. For example, it may not seem suspicious for an employee to download large amounts of data. However, system correlation might show the employee only downloads the data when he is in the room by himself.

Organizations must identify the thresholds of normal employee behavior by job classification - it may be necessary to audit current behaviors. Otherwise ‚normal‘ business events may cause security breaches (receipt of a resignation notice, termination for cause, unexpected change in work hours) and should be catered for. IT resources and/or locations with sensitive information (intellectual property, identity data) should be noted and a plan developed to lock down for normal security levels and for a heightened security level. Organizations must determine the return on risk for each sensitive item and develop security response plans accordingly. Then it is easier to identify normal usage for each sensitive resource and what would be considered abnormal (downloading all customer data or customer credit cards).

Convergence is the first step for any organization to connect its critical systems to provide a comprehensive and coherent security policy. By integrating systems to share information, an organization can see vulnerabilities in real-time and link IT security events with physical security responses. These abilities all drive real-time security policy management.

Finding the Threats
The next step will be proactive threat management, which enables correlation of real-time information with historical information. The system will ‚learn‘ how to manage the current environment and react in a real-time manner, increasing system value and improving ROI. The system, for instance, can classify behavior such as a certain employee trying to access random doors every few days or unusual behavior by a subset of employees who all had security clearances processed by a specific adjudicator. Using a converged system can reap substantial benefits and will provide additional benefits in the future as convergence continues to evolve. How organizations choose to implement these new toolkits is up to them and their specific security and compliance requirements.

The Author: Jeremy Kimber, Commercial Operational Marketing Leader EMEA, Honeywell Security Group