Debate rages over converging physical and IT security

Proponents of physical, IT security convergence cite cost, management benefits

IT departments are no strangers to turf wars, but the one shaping up between those overseeing computer networks and those in charge of physical security could really get ugly.

Unlike past tussles between say, voice and data communications teams, the contest between IT security and those involved in everything from fire alarms to video surveillance to door-lock access controls tends to involve people who might never have had any reason to cross each other's paths. 

Converging physical and logical security: A good idea or not?

"It typically takes a C-level executive to force these organizations to work together," says Tom Flynn, director of marketing in North America for smart-card maker Gemalto. "The fact is there are different entities in a corporation for physical and logical security… We see turf wars happening."

Merging physical and logical security is seen by advocates as a cost-saving step and a natural evolution for facilities maintenance and guard operations, where door-access equipment and video cameras are increasingly IP-enabled, and a smart card-based badge could be used by employees to access both buildings and computers. But resistance to convergence runs deep among traditional physical security managers, who are wary of IT departments taking control. And even IT security experts voice concerns that it's risky, with some strongly opposed to the idea of physical security operations, such as video surveillance streams, riding on the same IP corporate network as the rest of the business.

Pros and cons of merging physical security and IT security

"You don't want the stuff on the same network as your business data," says Tom Cross, X-Force advanced research manager at IBM, arguing that physical security controls for building access and video surveillance shouldn't be mingled into networks for desktops that can become infected by malware and other types of attacks. Physical security systems can be migrated onto IP networks "but it has to be isolated from your general business network as much as possible," he says.

Another IBMer sees the convergence of physical and logical security differently.

"Physical security has been about closed systems, but with the move to IP-based systems and connecting campuses there's the need to have the IT and security department involved," says Steve Russo, director of security and privacy technology at IBM's global technology services group. He says there can be advantages in integrating physical security with logical and transactional systems to give management a better picture of what's occurring, especially in retailing. And although network capacity is a concern, it's possible to share an IP network for logical and physical security, he suggests.

"Is there a risk associated with combining it? Absolutely," Russo acknowledges. But he adds: "The logical-security people are looking at threats to the environment. And where we see the interesting spark is that they can take information about physical events and turn it into operational use."
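One concrete form of the "operational use" Russo describes is correlating door-controller events with workstation logons: a logon at a campus where the user has not badged in, or shortly after a swipe at a different campus, is worth an alert. The following is an added example, not code from IBM or from the article; it assumes both systems have already been normalized into one text feed (the format, the site names and the log lines are all constructed here) and that the sites are far enough apart that a swipe at one and a logon at the other minutes later cannot be the same person.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one normalized record from either the door controller ("badge")
// or the workstation logon audit ("logon").
type Event struct {
	Time   time.Time
	Source string
	User   string
	Site   string
}

// sampleFeed is constructed for this example, not a real log. Format per line:
// "<RFC 3339 time> <badge|logon> <user> <site>". The sites are assumed to be
// separate campuses, so a swipe at one and a logon at the other a few minutes
// later cannot both be the same person.
const sampleFeed = `2010-03-02T08:01:10Z badge jdoe RTP-B7
2010-03-02T08:04:30Z logon jdoe RTP-B7
2010-03-02T08:12:00Z logon jdoe SJC-10
2010-03-02T08:20:00Z logon asmith SJC-10
2010-03-02T09:00:00Z badge asmith SJC-10
2010-03-02T09:03:00Z logon asmith SJC-10`

// parseFeed turns the text feed into events sorted by time; a malformed line is
// reported as an error rather than silently dropped.
func parseFeed(raw string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || (f[1] != "badge" && f[1] != "logon") {
			return nil, fmt.Errorf("line %d: malformed record %q", n+1, line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, Event{Time: ts, Source: f[1], User: f[2], Site: f[3]})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// Finding is one correlation hit.
type Finding struct {
	Rule string // "site-mismatch" or "no-badge"
	User string
	At   time.Time
}

// correlate walks the merged feed and flags two situations:
//   - site-mismatch: a logon at a site while the user's most recent swipe,
//     less than window ago, was at a different site;
//   - no-badge: a logon by a user with no swipe earlier in the feed.
// The feed is assumed to cover a single day starting before business hours.
func correlate(events []Event, window time.Duration) []Finding {
	lastBadge := map[string]Event{}
	var findings []Finding
	for _, e := range events {
		switch e.Source {
		case "badge":
			lastBadge[e.User] = e
		case "logon":
			b, seen := lastBadge[e.User]
			switch {
			case !seen:
				findings = append(findings, Finding{Rule: "no-badge", User: e.User, At: e.Time})
			case b.Site != e.Site && e.Time.Sub(b.Time) < window:
				findings = append(findings, Finding{Rule: "site-mismatch", User: e.User, At: e.Time})
			}
		}
	}
	return findings
}

// analyzeSample runs both rules over the constructed feed with a 30-minute window.
func analyzeSample() ([]Finding, error) {
	events, err := parseFeed(sampleFeed)
	if err != nil {
		return nil, err
	}
	return correlate(events, 30*time.Minute), nil
}

func main() {
	findings, err := analyzeSample()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-13s %-7s at %s\n", f.Rule, f.User, f.At.Format(time.RFC3339))
	}
}
```

On the constructed feed this yields two findings: jdoe logging on at SJC-10 eleven minutes after badging into RTP-B7, and asmith logging on before any swipe. Both rules depend on the two systems sharing a user identifier and a synchronized clock, which is exactly the integration work the convergence projects below describe.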

But there is often a cultural rift between the physical security department, which sits with facilities management and is used to isolated, closed networks, and the IT department, whose systems administrators and security specialists are trying to keep scores of Internet-connected computers and applications running safely.

"The question is, who has overall control?" asks Carl Lindgren, surveillance technology manager at the Sycuan gaming commission, which oversees the Sycuan Casino in El Cajon, Calif. The casino is considering changes in how it manages video surveillance.

The casino uses analog surveillance cameras on a closed network, but the time is approaching when it will have to migrate to a higher-definition digital video system. Whether that will be based on IP-enabled cameras or on HDcctv, a new standard for high-definition closed-circuit video, has not yet been decided. But the quality of the network is among the main factors to consider, Lindgren says.

Lindgren says he wonders about what happens if the IT department takes down a switch, and what the implication is of the IT department accessing the cameras. There's reluctance to even share network closet space with systems supported by the IT department, he says.

"The desire to provide a single point of visibility and control is a longstanding one," says Todd Rockoff, executive director of the HDcctv Alliance, the industry group shepherding the protocol standards for high-definition video-surveillance systems as an alternative to IP-based video. "But there is the argument that security networks should be separate from the general IP network for several reasons. The information is proprietary and really should be closed circuit and partitioned off from the world."

Rockoff adds that if physical security systems do go onto IP networks, they should be kept separate if only because of the bandwidth consideration. "HDcctv signals over coax are 1.5 gigabits per second," he says. "One camera needs 1.5 gigabits per second." Compression algorithms may reduce bandwidth needs but they also take out detail, he notes.

These differences in viewpoint are often heard in the physical-logical security convergence debates. But one of the most ardent advocates for convergence might be Ray O'Hara, executive vice president of international operations, consulting and investigations at Andrews International, which is in the traditional physical security business of "guns, gates and guards," as he puts it.

"The traditional security person and the cybersecurity side are both hands-on and doing things for the betterment of the organization," says O'Hara, who recently became president of the board of directors of ASIS International, an organization for security professionals.

But today the physical-security technologies are evolving to the point where "the traditional people need help from the IT people," O'Hara says. There is often discord and mistrust between the physical and logical security divisions. But that needs to be overcome by possibly combining reporting structures so they can more easily collaborate or by setting up a "risk council" to have regular discussions with business managers, he suggests.

Cisco is one company that has attempted to converge physical and logical security, and has learned it can be a tough slog.

After considerable planning, about a year ago Cisco started a convergence pilot project with about 400 global government solutions group employees at its Research Triangle Park, North Carolina, location that involved its Lenel door-lock and access system for physical access through badge readers. Cisco opted to issue new Gemalto-based smart cards with X.509 digital certificates to employees as badges that would give them door access and be used for smart card-based computer access as well.

It was an exercise to bring together the different physical security and IT camps, and the security-and-safety group found it to be in some aspects a headache because they still had to support a separate card for Cisco employees not part of the project, according to Alan Egge, Cisco manager of IT there.

Smart-card holders have had their troubles, too, such as forgetting to carry the cards from their computers to other parts of the building. Egge became an early adopter of a proximity reader for his badge so that if he walked within 8 feet of his computer, it would know "Alan is here."

In Cisco's mixed operating system environment there's been the need for lots of custom programming, and it hasn't been easy to mesh separate physical and logical protocols to make it all work. "A lot of integration work has to go on," Egge says, adding, "Not all the technology is there yet."

Egge thinks the next step at Cisco will be to drill down more into identity management. "We need the advanced capabilities of identity management, so we can accurately provision," he says. Cisco is looking at using Oracle's suite for that in the next stage of the project.

Many looking at the convergence of physical and logical security say the protocol issue is something that has to be confronted.

According to Gemalto's Tom Flynn, contactless smart cards often use the HID protocol in the United States while in Europe a protocol called MIFARE, developed by Philips, is more often found. In U.S. government agencies, dual-use smart-card badges required to have FIPS 201 compliance may use chips that support both legacy door-readers and computer access with a public-key infrastructure digital credential. In Gemalto's view, the work that Microsoft has done with Windows 7, .Net technology for the chip and Forefront Identity Manager is helping make smart-card issuance more turnkey.
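What the Cisco pilot and the FIPS 201 dual-use badges have in common is one X.509 credential consumed by two relying parties that trust it for different decisions. The example below is added here and is not Cisco's, Gemalto's or any PACS vendor's code. It assumes a layout of its own choosing: the badge ID in the subject serialNumber attribute for the door controller, the logon account as an e-mail SAN for the workstation, and the Client Authentication EKU that both sides require. The badge CA, the employee and the door list are all constructed for the example; in a real deployment the private key is generated on the card and never leaves it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BadgeCredential is what a dual-use card presents: its certificate and the badge CA.
type BadgeCredential struct {
	CA   *x509.Certificate
	Cert *x509.Certificate
}

// issueBadge stands in for card issuance: a throwaway badge CA signs a one-year
// certificate. The attribute layout is this example's assumption, not a standard.
func issueBadge(account, badgeID string) (BadgeCredential, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return BadgeCredential{}, err
	}
	cardKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return BadgeCredential{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Badge CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return BadgeCredential{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return BadgeCredential{}, err
	}
	badgeTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: account, SerialNumber: badgeID},
		EmailAddresses: []string{account + "@example.com"},
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(365 * 24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, badgeTmpl, caCert, &cardKey.PublicKey, caKey)
	if err != nil {
		return BadgeCredential{}, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return BadgeCredential{}, err
	}
	return BadgeCredential{CA: caCert, Cert: cert}, nil
}

// verifyBadge is the check both relying parties share: chain to the badge CA,
// validity at the time of use, and the Client Authentication EKU. No revocation check.
func verifyBadge(cred BadgeCredential, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cred.CA)
	_, err := cred.Cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// doorAccess models the physical controller: shared check, then its own door list by badge ID.
func doorAccess(cred BadgeCredential, at time.Time, doors map[string]map[string]bool, door string) (bool, error) {
	if err := verifyBadge(cred, at); err != nil {
		return false, err
	}
	return doors[cred.Cert.Subject.SerialNumber][door], nil
}

// workstationLogon models the logical side: shared check, then the account from the e-mail SAN.
func workstationLogon(cred BadgeCredential, at time.Time) (string, error) {
	if err := verifyBadge(cred, at); err != nil {
		return "", err
	}
	if n := len(cred.Cert.EmailAddresses); n != 1 {
		return "", fmt.Errorf("badge certificate carries %d accounts, want exactly 1", n)
	}
	return cred.Cert.EmailAddresses[0], nil
}
```

The point a practitioner should take from this is that an expired or mis-issued credential fails at the door and at the keyboard in the same way, which is the cost-saving argument, and that a lost card therefore has to be revoked once rather than in two systems. Go's `Verify` does not consult CRLs or OCSP, so a production door controller and logon service would each still need a revocation check against the same CA, or an offline door controller would need the CRL pushed to it.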

IBM's Russo says other protocol issues point to the need for standardized compression techniques and transport in physical-security equipment, as well as standard XML-based definitions so that important metadata can be shared. "Physical security is transitional right now," Russo says, pointing to both the Physical Security Interoperability Alliance and OASIS as organizations trying to further interoperability standards that would aid convergence and make it worthwhile.

But to date, Flynn says he is only aware of a handful of large enterprises in the oil-and-gas industry, such as Chevron and Exxon, and pharmaceutical giants such as Pfizer, that have adopted converged smart cards for physical and logical security.

Copyright © 2010 IDG Communications, Inc.
