The security industry is abuzz with talk of convergence: the melding of physical security with IT security. Security threats now come in many forms; the intruder at the door and the intruder sailing in over the Internet must both be kept out. Many security experts and IT leaders are finding that the pairing of physical security with IT security makes for a more formidable defense system. But what are the factors pushing this paradigm shift, and how can organizations gain from it?
Various Theories on Convergence
Theories abound about what is driving the move toward converging physical and IT security. Some trace its origins to the 9-11 tragedy, which made security a top priority.
Others say convergence is growing out of the development of new technologies, like the smart card. Embedded with an integrated circuit chip, this card provides not only memory capacity, but computational capability as well. Its ability to hold more and varied types of information makes its use for access control attractive to both IT and physical security. A 2004 report by the SANS Institute shows that the cards are gaining in use, particularly among large organizations. The report notes that smart card use is expected to grow from 14 million cards in 2002 to 36 million cards in 2006, a compound annual growth rate of 27 percent.
Another idea of a convergence driver centers on statutory requirements in certain industries, such as government, financial services and healthcare. The requirements are spelled out in regulations such as HIPAA (the Health Insurance Portability and Accountability Act of 1996) and Sarbanes-Oxley or PIPEDA (Personal Information Protection and Electronic Documents Act). These requirements mandate a certain level of data protection and privacy, and since data and privacy can be affected by a breach of physical or IT security, organizational leaders are finding it necessary to consider both avenues.
How Far Along Are We?
All the talk about convergence is definitely driving the introduction of new security products that allow easier network integration and enable more efficient sharing of data. Manufacturers recognize that nearly all facilities now incorporate extensive IT infrastructures, and in response have begun to release more products that use Internet protocol (IP) to communicate between devices. These products can operate on the same networks that companies use to run their business.
Opinions on the adoption of this technology are extremely varied. Some industry insiders say IP-based security products are just now beginning to be specified by customers and still represent only a small fraction of their business. Others say the need to network security systems into various aspects of a company's existing IT infrastructure is a heavily requested item. Growing interest in security-IT convergence also puts more emphasis on using open standards in product design. An open system can incorporate any component that is designed according to industry standards. This is important because it enables interoperability and integration with other systems.
The convergence movement, in fact, has prompted a group of security companies to form the Open Security Exchange, a group that plans to define best practices and promote vendor-neutral specifications for integrating security devices and services onto a company's IT network.
How Organizations Gain from Convergence
Higher levels of security, easier sharing of information and greater management efficiency are just a few of the reasons convergence is becoming an attractive option for many companies. One of the biggest boons to convergence has been the availability of DVR systems. The systems bring new capabilities not feasible with analog VCR monitoring, among them new management uses, remote video monitoring and networking capabilities.
Larger, multi-site corporations find digital video especially appealing because it allows for remote, centralized monitoring. With an Internet browser or application software installed on a computer or laptop, security officers can log into the access system via a secure IP address to view reports or live or recorded digital video from anywhere in the world.
This opens up many possibilities for cost and time saving. For example, software upgrades become fast and easy when the software sits on a server, rather than on individual computers. It also allows for more cost-effective staffing, with security monitoring centralized in one location, and it eliminates travel time to investigate security breaches, which can now be viewed via the Internet. A potential downside of digital video is possible delays in viewing due to inadequate transmission speeds or narrow bandwidths.
Another factor that makes IT and physical security convergence attractive is the ability to share information in ways not previously possible. For instance, consider the organization that links the Human Resources function to security via the corporate network. When an employee is terminated, security automatically receives a data transmission from HR that immediately deactivates the employee's building access card. Using a networked security system, this access removal can also be applied to multiple office locations. This eliminates numerous clerical functions, saves time and enhances security because the card deactivation occurs instantly throughout the organization.
The same holds true for adding new employees. A multi-national organization using a networked security system can immediately provide a new employee access to some or all of its locales.
Other examples of ways converged security can provide benefits include:
Authenticating identification at large company events. Since the access cards are networked and usable throughout an organization, the cards can provide higher levels of security by enabling ID authentication of employees at large company events, such as annual meetings or seminars. This could be particularly important for companies with locations in several countries, whose employees rarely see each other face to face.
Protecting the printing of proprietary company documents. Some organizations with networked security use a second layer of security for the printing of sensitive company documents. After the employee issues a print command to the computer, the document will not print unless the employee's access card is inserted into the printer and shows the appropriate security clearance. More efficiently managing access to secure areas. An employee is promoted to a job in a tightly secured computer area and now needs access to a new area that was previously off limits. With a networked system, the change can be accomplished in a few computer key strokes, which tell the door reader to accept the employee's access card. Previously, security staff would have needed to reprogram the door reader or issue the employee a new access card.
Where to Begin
A skilled security systems integrator can be invaluable in supplying both the technical knowledge and security expertise to make a convergence project successful. In selecting an integrator, look for one with plenty of high-tech talent on their team and also a history of handling IT and physical security convergence projects. Ask about their staff's experience as well. An integrator who knows how to speak the IT language will likely have staff with certified experience in networking, databases and operating systems.
Brad Wilson, CPP, is a 25-year veteran of the security industry. He is an officer and former president of SecurityNet, a 16-member organization of independent systems integrators offering clients across North America a single, responsible source for meeting all of their electronic security needs. He is also president of RFI Communications & Security Systems, based in San Jose, CA.