For enterprise and government markets, networking companies are opting to converge and fine-tune access control applications
By Marisa Torrieri, Contributing Editor
Depending on your frame of reference, the term “access” conjures thoughts of very different applications. Traditional building security or access control professionals think of physical access. The IT community thinks of logical access to computers, networks, and systems. But it’s actually the convergence of logical and physical access that presents the biggest opportunities and challenges to both enterprises and industry.
Convergence has been ‘the’ buzzword in security for several years now but it is rapidly moving from the chalkboard to the implementation list for cross-sector organizations. According to Forrester Research, spending on merging physical and logical access control in both the public and private sectors will increase to more than $7 billion in 2008.
This projected growth is driven in large part by HSPD-12 (Homeland Security Presidential Directive 12), the presidential mandate that requires all federal agencies to start issuing new identification cards based on the FIPS 201 standard.
But it is not just the federal government that is spending on convergence. Corporations, health care, higher education, and other levels of government are also keeping companies that specialize in one or more aspects of converged security busy.
The evolution of convergence
Before one can understand the emerging challenges and market opportunities for converged access control systems, one must first understand the differences between logical and physical security. Physical access control, traditionally managed by security personnel, refers to the granting and restricting of access to buildings, facilities and borders. Logical access control refers to the granting and restricting of access to electronic environments.
Logical access involves securing intellectual property, data, communications, and information processes, adds Peter Beardmore, product marketing manager for RSA Security. The authentication point may occur at the machine, network, domain or application-level, and authentication is based on the users’ credentials.
Convergence is a common phrase given to the practice of combining or streamlining physical and logical credentialing and access control. The result is more secure, efficient and manageable systems that protect against identity spoofing (and can potentially identify or prevent security breaches).
With projects like HSPD-12, a centralized credentialing process in an environment of multiple credentials introduces challenges for technology managers, Mr. Beardmore says. Men and women in these roles must ensure that federal agencies’ systems are interoperable with mandated technology as well as other existing systems.
“When we talk about convergence of physical and logical security, we could be speaking from a few different perspectives,” says Mr. Beardmore. “It could be a single device that authenticates me to the front door [and then lets me] log onto my computer. I use a smart card with the traditionally contactless physical credential and a digital certificate that authenticates me to a variety of electronic resources inside the building.”
Much of RSA’s customer base uses Secure-ID one-time password tokens to access virtual private networks or remote applications such as web-based e-mail. Some of its banking customers such as E-Trade use tokens for authenticating customers into web banking and trading.
Card management systems facilitate enrollment of the user, request credentials, issue the smart device (e.g. a smart card or other chip-enabled token), then manage those credentials through their lifecycle, Mr. Beardmore says.
Growing market sophistication suggests convergence has become more than just talk
Another provider of solutions for converged systems, ActivIdentity, says its corporate customers are exploring ways to upgrade to more sophisticated converged physical and logical access systems.
“There are now identity management systems like ones from Sun and Oracle that are looking at managing the whole process of provisioning a new employee, whether it’s physical access or the different applications they need to have access to,” says Ed MacBeth, vice president of marketing and business development for ActivIdentity.
As convergence matures beyond the early, basic concepts of single access point, token, or credential the more robust challenges emerge. How do we provision the credential in a coherent, streamlined process? How do we update privileges and manage the lifecycle of the applications on that credential? How do we revoke certain privileges or an entire credential?
These issues point to the real challenges surrounding convergence – the “care and feeding” of the host of enterprise-wide systems that exist within an organization.
ActivIdentity is currently on board to provide the logical access component to EDS as part of the General Services Administration’s shared-service provider program for the FIPS 201 initiative.
Now that FIPS 201 is coming, “these access cards are no longer proprietary cards,” says Mr. MacBeth. “Rather than being provided by the physical security provider or reseller, those cards will be issued by either government agencies that are running their own system or by the GSA managed service (office) that EDS is running. So now, having a card that is based on a single, smart card chip design that can be used for physical and logical access means there is going to be a change in the readers that are on the doors everywhere. They’ll be switched out to read the ISO 14443 (contactless) interface.”
In other words, this change to standardized contactless technology for physical security takes the ID card out of the control of the traditional security manager and supplier opening the floodgates for converged systems.
“What tends to happen when we engage in new opportunities,” says Mr. Beardmore, “is we’re asked to take a look at an incumbent system to assess interoperability. In some cases, proprietary applications are in place and this may or may not be feasible. But even when it’s not, it illustrates that a comprehensive credentialing and credential management strategy is needed.”
Moving from concept to reality brings growing pains
As convergence becomes more than just a buzzword in government agencies, institutions, and corporations around the globe, its real challenges are coming to light.
Industry and organizations are making progress on the initial battle over who controls, owns, or issues the credential. While this debate between physical security and IT departments is not finished, many organizations have come to a truce recognizing that both groups can get what they need from a properly managed program.
Now the hard work begins … developing the cross-departmental data sharing, update, access, and authentication that must occur constantly and in real time for true convergence to be achieved.
Progress continues as leading vendors and issuing organizations prove that convergence is more than a buzzword, it is real.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.