Taking a look at the United States’ largest integration project can shed light on potential issues in smaller-scale implementations.
Manufacturers estimate that between 5000 and 10 000 access control systems have been sold that can support integration with IT systems for card access system provisioning (granting and revoking user access privileges). The same manufacturers report that hundreds of customers have expressed interest specifically in that kind of integration. Yet only a dozen or so systems have actually been integrated to any significant degree, and those deal mostly with revocation of access privileges upon termination of employment.
There are significant security and cost benefits to be obtained from the integration of physical security and IT security user management (see 'Integrating Physical and IT Security Management' in the October (part 1) and November (part 2) issues of Hi-Tech Security Solutions). So why have more systems not been integrated? An examination of the largest single integration project attempted may provide an answer.
The common access card
The largest single programme intended to integrate the management of physical and information systems access is the Common Access Card (CAC) programme of the US Department of Defense (DoD). On 10 November 1999, the Deputy Secretary of Defense issued a memorandum directing the integration of efforts to improve information assurance and reduce fraud associated with the then-current Armed Forces ID card. In response to this memorandum, the DoD began the CAC programme.
Employees of the DoD at that time had anywhere between two and seven identification and building access cards, depending on how many sites they needed to access over the course of their work day. Most DoD staff would wear these cards on a chain around their neck. One objective of the CAC was to winnow the multiple ID cards - which were estimated to be as many as 30 million - down to one per employee. That is about four million cards. Similarly, contractors and vendors who need access to multiple facilities would require only one card. There are significant cost savings to be gained by issuing and managing four million cards instead of 30 million, both in terms of card holder personnel costs (time spent waiting for cards to be issued and renewed) and card costs, as well as security personnel costs involved in the issuance and management of cards.
The overall coordination and management of the CAC project fell to the Access Card Office, a new group in the Defense Manpower Data Center (DMDC), which is part of the Personnel and Readiness division of the DoD.
The objective of the Common Access Card programme was to provide more than a strong ID system. In addition to functioning as a common ID card, the Common Access Card needed to provide physical access to facilities and logical access to unclassified information systems, and it had to use smartcard capabilities to secure electronic transactions. The ultimate objective was to support the re-engineering of business processes to accomplish improved military readiness; improved quality of life; streamlined, paperless business processes; and cost savings. Initially, the cards contained identification and security information. As the appropriate applications were developed, the plan was that they would also hold information about service members, such as medical and dental data and finance allotments. These capabilities streamline the now drawn-out process of verifying service members' readiness for deployment.
"Under the old process," explained Mary Dixon, director of the Access Card Office, "a person would have to go to a gymnasium once or twice a year with all their records and go to several different stations. It would take most of the day to go through that process. Now, deployment readiness can be verified in minutes if everything is up to date, and in an hour if something requires updating or the person needs additional processing, such as receiving and recording a shot."
In some cases, she said, personnel are required to show up as much as four hours before a deployment flight. They sit and wait while their information is processed for the manifest. With smartcards, the wait can be cut by at least half. "So that is more time that is given back to the soldier, sailor, airman, marine - or it is given back to the commanders to use for training," Dixon said.
At the start of the project, the DMDC team assessed the state of physical and logical security technology and realised that then-available solutions would not accomplish their objective, because the CAC programme would have to work across multiple systems provided by multiple vendors. Thus the CAC initiative resulted in the development of the Government Smart Card Interoperability Specification by the National Institute of Standards and Technology (NIST) of the US Department of Commerce. This specification provided a common base for the smartcard implementations of the vendors involved in the programme.
An elusive goal
The CAC programme has accomplished technological and organisational feats that have no equivalent in the private sector. In spite of technology hiccups that delayed the project at various points, by May 2004 four million smartcards had been issued, and cards were being issued at the rate of about 8000 per day.
However, even in this successful programme, integration of the smartcard functionality with physical access control systems took a while to get off the ground, partly for technology reasons and partly for organisational reasons.
Culture clash
Joel C. Willemssen is Director of Information Resources Management within the United States General Accounting Office's Accounting and Information Management Division. In testimony to the House of Representatives in September 2003, Willemssen said, "The ability of smartcard systems to address both physical and logical (information systems) security means that unprecedented levels of cooperation may be required among internal organisations that often had not previously collaborated, especially physical security organisations and information technology organisations. Nearly all federal officials we interviewed noted that existing security practices and procedures varied significantly across organisational entities within their agencies and that changing each of these well-established processes and attempting to integrate them across the agency was a formidable challenge."
Willemssen continued, "Defence officials stated that it has been difficult to take advantage of the multi-application capabilities of (the DoD's) Common Access Card for these very reasons. As it is being rolled out, the card is primarily being used for logical access - for helping to authenticate cardholders accessing systems and networks and for digitally signing electronic transactions using PKI. Officials have only recently begun to consider ways to use the Common Access Card across the department to better control physical access over military facilities. Few defence facilities are currently using the card for this purpose. Defence officials said it had been difficult to persuade personnel responsible for the physical security of military facilities to establish new processes for smartcards and biometrics and to make significant changes to existing badge systems."
IT personnel in the private sector report this same sort of experience when they attempt to involve physical security personnel in integration with information systems. In most cases, the meeting presentations are technology-based, not strategy-based, and are not presented from the perspective of a non-technologist. Technology will not motivate the physical security folks the way that sound strategy - and an executive statement or mandate that supports it - can. This stifles physical security participation instead of nurturing it.
To help support the use of the Common Access Card for physical access, the US Office of Personnel Management (the federal government's human resources agency) recently began an initiative to get agency HR folks and physical security folks talking to each other about how this should work.
Change comes first
Willemssen's statements highlight a lesson that transcends security projects and applies to any type of technology project: do not use technology to cause change; use technology to support change.
Joel Rakow is partner in Tatum Partners, the largest professional services provider of financial and information technology leadership in the United States. He stated the above lesson another way: "Do not expect technology to fix a broken process. You have to fix the process first, and then you can utilise the technology successfully."
In accordance with that advice, Rakow recently led projects in two client organisations whose objectives were to integrate physical and information system security at the management level.
"Typically, IT security managers employ a technology-focused approach, often without conducting formal vulnerability and risk assessments," Rakow said. "When they do conduct assessments, they are targeted at technological risk and focused on tactical issues relating to the information systems technology. Security has to relate to business strategy and business practices, what assets are important to critical business operations, and what the security risks are for those assets. When you have identified the critical information assets within the context of business operations, you can develop a security strategy for them that naturally would include both physical security and IT security elements.
"This is the level at which physical security and IT security are first integrated, at the strategy level. From there you can determine to what extent, if any, integrating physical security systems and information systems will support your strategy."
The cornerstone of security
Control over who has access to what assets at what time is a crucial part of security. In order to integrate access across the physical and IT security realms, a unified strategy for managing user identities must first be in place.
Product literature and magazine articles can create confusion about what identity management means. Vendors use the phrase to mean any number of things, from single sign-on applications to certificate authentication. Yet such technologies are really add-ons to identity management. Rakow explained, "The three key ingredients to identity management are authentication, authorisation and auditability. An important security aspect to identity management is identity federation, which means that no single entity operates the entire identity management system."
Identity information in many organisations is spread across multiple repositories: personnel (HR), payroll (Accounting), visitors (Security or Facilities Management), information systems access (IT), e-mail (IT), employee physical access (Security) and janitorial personnel (Facilities Management). You may be John Smith in one repository, JL Smith in another, and John L. Smith in another. The naming conventions may not be consistent even within a single repository.
Mike Butler, chief of Smart Card Programs in the DoD's Access Card Office, said, "If you try to address identity management just from an IT perspective, it is a lot of money. If you take solely an HR or physical security perspective, you have the same thing. But if you get all three participating in the solution and developing an overarching strategy, overall it can be cost effective."
Planning the deployment of an identity management solution and reconciling disparate repositories of identity information are usually the largest steps in preparing for the integration of physical and IT access management. It is important to remember that identity management is not just a security issue; it is an enterprise management issue. Although security may be a driver for implementing identity management, its strategy will include operational elements from all of the business units and will often extend outside the organisation to include those with whom the organisation does business. Identity management lets companies reduce user management costs, increase security, ensure privacy, comply with federal regulations and facilitate communication.
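As an added illustration of the reconciliation step described above (example code written for this page, not from the article or from any vendor it names): a small Python script merges constructed HR, IT directory and badge records into one identity per employee, using the HR employee id where a record carries one and a coarse surname-plus-initial key otherwise, and flags access that belongs to nobody in HR or to someone HR lists as terminated. The repository contents, field names and the `name_key` heuristic are all assumptions.

```python
import re
import unicodedata

# Constructed sample repositories (not real data): the same people appear under
# different name forms in HR, the IT directory and the badge system, and not
# every record carries the HR employee id that would make matching trivial.
HR = [{"emp_id": "E1001", "name": "John L. Smith", "status": "active"},
      {"emp_id": "E1002", "name": "Maria Garcia", "status": "terminated"}]
IT_DIR = [{"emp_id": "E1001", "name": "Smith, John", "account": "jsmith"},
          {"emp_id": None, "name": "Garcia, Maria", "account": "mgarcia"},
          {"emp_id": None, "name": "Robert Chen", "account": "rchen"}]
BADGES = [{"emp_id": "E1001", "name": "JL Smith", "badge": "B-77"},
          {"emp_id": None, "name": "M. Garcia", "badge": "B-12"}]


def name_key(name):
    """Map 'Last, First', 'First M. Last' and 'F. Last' to (surname, first initial).
    Accents are folded and case ignored. This is a coarse key: two different
    'J. Smith' records would collide, so name-only matches need human review."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    if "," in folded:
        last, first = [p.strip() for p in folded.split(",", 1)]
    else:
        parts = folded.split()
        last, first = parts[-1], " ".join(parts[:-1])
    first = re.sub(r"[^a-z ]", "", first).strip()
    return re.sub(r"[^a-z]", "", last), first[:1]


def reconcile(hr, it_dir, badges):
    """Merge the repositories into one identity per HR employee id.
    Returns (identities, findings); findings are access records that either
    belong to nobody in HR (orphans) or to someone HR no longer lists as active."""
    identities, by_key, findings = {}, {}, []
    for rec in hr:
        identities[rec["emp_id"]] = {"hr_name": rec["name"], "status": rec["status"],
                                     "accounts": [], "badges": []}
        by_key[name_key(rec["name"])] = rec["emp_id"]

    def link(rec, field, value):
        # Prefer the authoritative id; fall back to the name key only when it is absent.
        emp = rec["emp_id"] or by_key.get(name_key(rec["name"]))
        if emp is None:
            findings.append(f"orphan {field[:-1]} {value}: no HR record for {rec['name']!r}")
            return
        identities[emp][field].append(value)
        if identities[emp]["status"] != "active":
            findings.append(f"revoke {field[:-1]} {value}: {emp} is {identities[emp]['status']}")

    for rec in it_dir:
        link(rec, "accounts", rec["account"])
    for rec in badges:
        link(rec, "badges", rec["badge"])
    return identities, findings
```

Calling `reconcile(HR, IT_DIR, BADGES)` on the sample data links both of Maria Garcia's records to E1002 by name key and reports them for revocation, and reports the `rchen` account as having no HR owner.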
The role of IT service providers
Identity management has been a part of physical access control systems since before the advent of the personal computer. But the type of identity management system that we now hear about is new in the past few years. It became necessary in the IT community when enterprise computing became a reality. In one sense, you could say that electronic security systems integrators have been in the identity management business for more than two decades, but using a proprietary, closed-protocol approach. Today's identity management systems must talk to a multitude of information systems, and open protocols are being developed to support the interoperability that identity management federation requires.
Recognising the importance of identity management for an enterprise, Lenel Systems developed OnGuard OpenIT, which is designed to integrate its OnGuard Total Security Knowledge Management Solution suite with any Lightweight Directory Access Protocol (LDAP) directory structure. OnGuard OpenIT integrates off the shelf with leading LDAP directory servers including Microsoft Active Directory (AD), Novell NDS eDirectory and iPlanet Directory Server (Netscape).
While security systems integrators are moving to integrate with enterprise identity management systems, some IT service providers are stepping up to provide solutions in both the IT security and physical security domains. Siemens Information and Communications Network Inc. (ICN), a contributing member of the Open Security Exchange, has a number of such projects ongoing, according to Jeffrey Demers, a business development manager for ICN.
Demers said, "We are able to assist the customer with the entire process that encompasses the deployment of an identity management system, including integration with physical access control systems. You do not start from scratch. You have to take into account the existing business systems as well as future objectives. It is not just a matter of product selection. As an experienced IT service provider, we understand the importance of management support, and we know when and how steering committees and working groups are needed and their function in the project. We are used to working with human resources to identify the various roles that are involved across the organisation, and how the system to be implemented must support their related job functions. This is very organisation-specific. A lot has to be done before you can get to the point of product selection. There is often more than one path open, and you have to understand, identify and clearly communicate the cost impacts and the organisational impacts of each path. Our team works as an integrated part of the customer's team."
Demers explained further, "By the time we are ready to implement the chosen solution, we have a well established working relationship with the customer and have a very exact and complete understanding of what they want to accomplish. We are not just implementing a system; we are accomplishing the customer's objectives." For an IT service provider like ICN, incorporating physical access control becomes simply another aspect of a much larger overall project.
UBS is a premier global financial services firm offering wealth management, asset management and investment banking services to individual, corporate and institutional investors. Katherine Issel is an associate director for the Global Industrial Group of UBS Investment Bank. Issel has been closely watching security and IT convergence issues for the past year due to the emerging opportunities for companies involved in one or both domains.
"I think that system integrators who have experience in the IT space are going to play a very central role in the convergence or integration of physical and IT security," she said. "Today, we are dealing with enterprise systems that play an important part in organisational management, but they have very discrete functionality. An access control system - whether for physical or logical access - benefits from integration with an enterprise identity management system ... I think that integrators who are adept at incorporating key systems into enterprise business operations will be naturally well-positioned for the inevitable convergence between physical and IT security."
Lessons learned
Organisations have been buying integration-capable systems, but there is little physical and IT security integration at this time. The following are some lessons that can help us change that picture, reduce costs and close the security gaps.
* The integration of physical and IT security starts with strategy at the management level.
* Executive management and security management must drive the change by implementing the strategies; the technology folks cannot drive the change.
* Implementing integrated security management (physical and information systems) starts with identity management. Typically Corporate Security or the CSO, consulting with the CIO or CISO, HR and Legal, would develop the strategy.
* A leader who is not a technologist, or who can take the non-technologist viewpoint, must communicate the security vision and strategy within the organisation, and must bring about the participation of the non-technical people who are to be key participants in the programme. The bulk of the work is actually non-technical.
Change to the organisation's security strategy, policies and procedures, and their successful adoption by the organisation's personnel takes time. The larger the organisation, the more time it takes - but the greater the benefits.
Ray Bernard is board-certified as a Physical Security Professional (PSP) by ASIS International. Ray is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. This article is based upon material in his upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS go to www.go-rbcs.com
© Technews Publishing (Pty) Ltd. | All Rights Reserved.