Features

February 2008

Facilities Security

Physical and logical security departments join forces

Convergence keeps the enterprise secure from the front door to the keyboard.

by Ivan Hurtt and Peter Fehl

Traditionally, physical and IT security departments have been kept separate, but as risks continue to increase, federal regulations have made security of both types a top priority for the federal sector. Now, as federal agencies achieve success with mitigating both IT and physical security risks, commercial organizations are beginning to mirror this convergence initiative.

Converging the efforts of physical and logical security departments allows an organization to reduce security risk while also saving time and money. Once integrated, the two departments collaborate to ensure that physical access to buildings is linked closely with logical access to computers and network resources. Likewise, the action that revokes an employee's physical access can trigger automated network deprovisioning on the logical side, so that both departments are consistently on the same page regarding enterprise security.

To reap the full benefits of a converged security system, enterprises should start with a solid identity-management solution that is integrated with a physical access-control platform. The identity solution manages all user identities to protect information resources and business systems from unauthorized access, while the access-control platform manages all physical access control, alarm monitoring and badging systems. With this integration, enterprises obtain an identity-enabled infrastructure that automates the management of roles and secures access to both information and facilities from a single source of truth.

Once this foundation is laid, automated user provisioning is critical to control user access across disparate systems while also gaining a holistic view of access events. Convergence allows an organization to create a single unified security policy across the entire organization, removing the security silos of the past. It also reduces cost and increases productivity by replacing the manual management of identity information across several systems. User data can be automatically synchronized across multiple facilities and systems, allowing security personnel to maintain a single point of management for all users, apply role changes and terminate user access. The end result is tighter security controls across all organizational systems.

Homeland Security Presidential Directive 12 (HSPD-12) is a presidential directive mandating that all federal agencies issue a common Personal Identity Verification (PIV) credential to employees and contractors. The directive set in motion what is arguably the largest convergence project to date.

With a deadline of October 2008, HSPD-12 has motivated government agencies to be proactive in converging physical and logical initiatives. The directive will not only allow government agencies to improve their security posture, but will also save time and money. Fundamentally, because both the physical and logical security departments share the same ultimate goal of protecting assets, their work overlaps as each performs its respective job.

From the commercial perspective, insider threats continue to plague organizations, as many do not effectively monitor what each employee can access in terms of the physical building and the network. By converging security initiatives, each employee is provisioned with access only to authorized enterprise assets, reducing the risk that insiders, whether malicious or ignorant, can pose.

As the mobile workforce grows, remote workers inevitably bring new security issues to light. With role-based identity management, an organization can restrict remote users to the systems their role permits, even when they connect from outside the network perimeter.

Securing remote access is also crucial when deprovisioning terminated employees. If an employee is denied building access on his last day of work but can still reach the network remotely for days or even weeks afterward, there is a window for disaster. By controlling from one place who can enter a specific room and who can sign in to a specific application, the potential for damaging security breaches is decreased considerably.
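To make the linkage described above concrete (one identity record driving both badge and account entitlements, a termination or badge revocation cascading to logical deprovisioning, and a reconciliation pass that catches the "window" of a pulled badge with still-live remote access), here is a small Python model. It is an added example, not code from this article or from Novell's or Honeywell's products; the system classes, the role table, the user names and the drift categories are all hypothetical stand-ins for a real identity-management and access-control integration.

```python
"""Toy converged provisioning engine.

One identity record (role + active flag) is the source of truth for both the
physical access-control system (which doors a badge opens) and the logical
systems (directory, VPN, applications). Constructed example: every system,
role, door and user below is hypothetical.
"""
from dataclasses import dataclass

# Hypothetical role policy: what each role gets in the physical and logical domains.
# Only roles granted "vpn" can reach the network from outside the perimeter.
ROLE_POLICY = {
    "engineer":   {"doors": {"lobby", "lab"},          "apps": {"directory", "vpn", "source-control"}},
    "contractor": {"doors": {"lobby"},                 "apps": {"directory", "vpn"}},
    "facilities": {"doors": {"lobby", "lab", "plant"}, "apps": {"directory"}},
}


@dataclass
class Identity:
    user_id: str
    role: str
    active: bool = True


class BadgeSystem:
    """Stand-in for the physical access-control platform (badging/doors)."""
    def __init__(self):
        self.doors: dict[str, set[str]] = {}

    def set_doors(self, user_id: str, doors: set[str]) -> None:
        self.doors[user_id] = set(doors)

    def revoke(self, user_id: str) -> None:
        self.doors.pop(user_id, None)


class LogicalSystems:
    """Stand-in for the directory/VPN/application provisioning connectors."""
    def __init__(self):
        self.apps: dict[str, set[str]] = {}

    def set_apps(self, user_id: str, apps: set[str]) -> None:
        self.apps[user_id] = set(apps)

    def disable(self, user_id: str) -> None:
        self.apps.pop(user_id, None)


class ConvergedProvisioner:
    """Pushes role-derived entitlements to both domains and detects drift."""
    def __init__(self, badges: BadgeSystem, logical: LogicalSystems):
        self.badges, self.logical = badges, logical
        self.identities: dict[str, Identity] = {}

    def desired_state(self, ident: Identity) -> tuple[set[str], set[str]]:
        # An inactive identity is entitled to nothing in either domain.
        if not ident.active:
            return set(), set()
        policy = ROLE_POLICY[ident.role]
        return set(policy["doors"]), set(policy["apps"])

    def apply(self, ident: Identity) -> None:
        """Provision (or fully deprovision) one identity in both domains."""
        self.identities[ident.user_id] = ident
        doors, apps = self.desired_state(ident)
        self.badges.set_doors(ident.user_id, doors) if doors else self.badges.revoke(ident.user_id)
        self.logical.set_apps(ident.user_id, apps) if apps else self.logical.disable(ident.user_id)

    def terminate(self, user_id: str) -> None:
        ident = self.identities[user_id]
        ident.active = False
        self.apply(ident)

    def on_badge_revoked(self, user_id: str) -> None:
        """Physical-side event: pulling the badge also deprovisions the accounts.
        (A real integration would check the revocation reason first; a lost-badge
        reissue should not terminate the user.)"""
        self.badges.revoke(user_id)
        self.terminate(user_id)

    def reconcile(self) -> list[tuple[str, str]]:
        """Compare both domains against the identity source and report drift.
        'logical-drift' on a terminated user is exactly the revoked-badge,
        live-VPN window the text warns about."""
        findings = []
        for uid, ident in self.identities.items():
            doors, apps = self.desired_state(ident)
            if self.badges.doors.get(uid, set()) != doors:
                findings.append((uid, "physical-drift"))
            if self.logical.apps.get(uid, set()) != apps:
                findings.append((uid, "logical-drift"))
        # Accounts or badges with no backing identity record are orphans.
        for uid in set(self.logical.apps) - set(self.identities):
            findings.append((uid, "orphan-logical"))
        for uid in set(self.badges.doors) - set(self.identities):
            findings.append((uid, "orphan-physical"))
        return sorted(findings)


def demo() -> dict:
    """Constructed scenario: onboarding, a last-day badge pull, then manual drift."""
    badges, logical = BadgeSystem(), LogicalSystems()
    engine = ConvergedProvisioner(badges, logical)
    engine.apply(Identity("alice", "engineer"))
    engine.apply(Identity("bob", "contractor"))
    engine.on_badge_revoked("bob")                # Bob's last day: badge pulled, accounts go too.
    bob_after_revoke = logical.apps.get("bob")    # None: no lingering VPN access
    clean = engine.reconcile()                    # [] while both domains match the identity source
    logical.apps["bob"] = {"vpn"}                 # an admin re-enables Bob's VPN by hand
    badges.set_doors("mallory", {"lobby"})        # a badge exists for someone never onboarded
    drifted = engine.reconcile()
    return {"alice_doors": badges.doors["alice"], "bob_after_revoke": bob_after_revoke,
            "clean": clean, "drifted": drifted}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the single desired_state derived from the identity record: both connectors are driven from it, so a termination cannot leave one domain behind, and the reconcile pass is the control that catches changes made around the provisioning engine (a hand-edited VPN account, a badge with no HR record).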

Convergence is also important as organizations grow, hire in volume, or enter into mergers and acquisitions. In these transitions, thousands of users may need to be provisioned to access the correct resources in a timely manner. Without this integration, enterprises have to manually provision and deprovision user access to every enterprise asset, costing time and money and leaving gaps in enterprise security.

Considering the various facets of security threats (e.g., terrorism, identity theft, data breaches, insider threats) one side of the security spectrum can no longer protect an organization on its own. With a converged security model, efforts are combined to ensure organizations achieve a comprehensive view of all methods of access across the entire organization, ensuring only the right people gain access to the enterprise, from the front door to the keyboard.

DEPLOYMENT TIPS

The case has been made for making the move to converge physical and logical security initiatives, but where exactly does one begin? The following list suggests tips and tricks to consult before integrating these two efforts.

Do ensure the solution includes an identity-management component that is integrated into an access-control platform. With this foundation, access to both physical and logical assets is linked back to the user identity, confirming that only authorized users gain access.

Don't strive to merge the two departments entirely. Forcing these disciplines into one security bucket can cause chaos. Each department should maintain its role in the organization; however, structured collaboration is the key to success.

Do make automatic provisioning/deprovisioning a priority. This feature is critical, as it relieves organizations of the tedious, manual task of provisioning. It also increases employee productivity, protects against insider threats and denies former employees access in every system as soon as the termination is recorded.

Don't let fear or unfamiliarity hold the organization back. Research various solutions, best practices and approaches to determine what specific technology is the best fit.

Ivan Hurtt is a product marketing manager for Novell's identity and access-management products, Waltham, Mass. Peter Fehl is the senior marketing manager at Honeywell Security, Morris Township, N.J.