Bridging the gap between security and IT

At the recent Securing New Ground conference in New York, there was much discussion on the topic of convergence between physical security and IT. Several comments were made during the conference that provided ample food for thought.

The "C" Word

I noted that everyone was so sensitive to overusing the word convergence that they almost always apologized for using it and would often substitute "the C-word" in lieu of actually saying it. The second thing I noticed was that while everyone was talking about convergence -- and clearly this is still the hottest buzzword in the industry -- there was virtually no consensus on what convergence actually means.

Some stated that convergence between physical security and IT was simply the use of networks and IP for communication between physical security devices. Others contended that convergence had more to do with the integration of physical access control and logical access control. For example, if you don't badge into the building, you can't sign onto your computer.

While opinions vary, the fact is that roles are changing as more and more physical security devices are being designed to make use of the networks that IT professionals are responsible for maintaining. And as physical security practitioners and the IT community are increasingly thrust into the others' domains, the relationship between them has been somewhat strained. In some instances that relationship has deteriorated to such a point where it would be fair to call it adversarial.

Asking More of the IT Professional?

Much of the IT community has been reluctant to work with physical security integrators or practitioners due to their lack of understanding of how networks operate. IT professionals have also been reluctant to take on the additional responsibility of physical security because the historic role of the IT manager has been to keep the network safe from undesirable influences, both from inside and outside, while ensuring the integrity of the data necessary for their company's core business practices. While most physical security devices are now designed to make use of the IT network, many of these devices have a dramatic, and not always positive, impact on the overall performance of the network for which the IT managers are then held accountable. Some IT professionals would argue that they are already overworked and underappreciated-why saddle them with even more responsibility?

Security: From Reluctance to Cooperation

Similarly, security practitioners have been reluctant to share network space with the IT group. A common practice of security integrators is to build private or even "standalone" networks for physical security in an effort to have total control over the reliability of the communication and functionality of the physical security equipment. Security practitioners express concern that network downtime for maintenance or upgrades would leave them vulnerable and unable to fulfill their duties.

Despite their reluctance, security integrators are finding that they must become more knowledgeable about the IT space and work with the IT groups in order to remain competitive in the marketplace. Many structured cabling and data contractors are now bundling physical security as an additional offering in direct competition with the security contractor.

As these trends continue, we are now starting to see the physical security and IT communities truly starting to work together as they become better educated about their counterpart's respective roles, responsibilities, and methodology.

Convergence Defined

I would define convergence between physical security and IT as two distinct groups working together for the protection of the assets their organization needs to be productive and efficient. With e-commerce dominating the global economy, it is easy to see how information is the asset that IT professionals are asked to protect. What everyone is now starting to understand is that the physical security professional has the same goals as IT.

Access control systems for the security professional are designed to control who goes where and when, and then to provide either the monitoring of live events or the historical data of these events in the form of a report. Access control for the IT professional means almost the same thing as for the security professional: authentication, authorization and audit. The "who" is IT's authentication, the "where and when" is part of their authorization, and the "monitoring and report" is their audit.

Going Beyond Simple Protection

Through convergence of physical security and IT, many organizations are finding innovative ways to go beyond just protecting. Electronic physical security devices gather and share information in order to provide benefits for the end user. Generally speaking, these devices are used to prevent disruption of core business practices. However, by leveraging integration, they can now augment and improve their business practices. Here are a few examples:

• Conventional security uses physical access control system information for safety (mustering) and security (keeping unauthorized people out). Recently, we have seen companies making use of this information in ways that can improve efficiency, reduce overhead, or even generate new sources of revenue.

In the health club industry, an access control system traditionally is used to provide secure 24-hour access to the facility for its employees and members. Now that access control systems can interface with point-of-sale systems and even websites, they can be utilized for marketing feedback and generating new revenue in this unique market area. Imagine a health club website with a one-day free trial offer. A potential new customer enters all the information the health club requests and then is sent a "one-time use" PIN that can used at any of the club's locations. Upon using the PIN, an automated message is sent to the club manager notifying them of a new guest. For marketing purposes, the health club would now know when the prospect signed up, how long it took before they used the free trial, what time of day they used the facility, and which facility they used. All this information can then be leveraged for a targeted marketing effort directed at that new prospect.

• Video systems are traditionally designed to observe who did what, where, and when, and then provide this information to the appropriate entity. I say "entity" rather than person because just like the previous example, CCTV systems are already being used for more than conventional security.

Let's consider a video camera behind the counter in a hotel lobby. For conventional security, the camera is a deterrent to robbery and theft, and provides protection from lawsuits. Now, through analytics, this same camera can also count the number of people standing in line and, through proper integration, reroute incoming phone calls when people are waiting for help at the counter. This way the desk clerk can focus on serving the customers waiting in front of him rather than answering the phone. This increases efficiency and improves the satisfaction of the customers waiting in line.

• Another example of how access control systems are bridging the gap between physical security and IT is found in the way manufacturers are addressing IT concerns. Most modern access control products are now manufactured with a built-in Ethernet port and communicate via native TCP/IP, while older systems require a serial to the Ethernet converter. While most access control panels now use Ethernet for communications, the IT professional's concern is how these devices appear on the network and what additional resources they will have to manage-IP addresses, routes, VPN tunnels, bandwidth requirements, and inbound ports-and how these devices will impact network performance as well as other network devices. Another IT concern is the server and software associated with management of the access control panels and associated devices, since this computer/server's operating system and virus protection must be updated along with the other business-related computers.

In an effort to alleviate these concerns, you are already seeing access control manufacturers offer control panels with an embedded Web server and an on-board operating system. This removes the need for dedicated computers or software and allows the access control system to be managed from anywhere on that network. Some manufacturers have taken this to the next level by developing DHCP-enabled control panels or Power over Ethernet "edge" devices to communicate with a Web-hosted application on outbound ports only, alleviating the need to manage IP addresses or inbound ports, which most IT professionals see as the greatest risk. These new network-friendly access control panels and edge devices can often share information with other business systems-such as HR applications and email servers-to provide real-time updates for logical and physical access privileges, time and attendance, or any number of notifications such as forced or propped doors and automated activity reports. That's access control bridging the security/IT gap.

What Real Convergence Will Look Like

Real convergence means that the security professional knows and understands network infrastructure and communications and is equipped to work with and for the IT professional. It also means the IT professional embraces the use and integration of physical security equipment and systems as important and necessary business tools. As such, the IT professional must work together with the security professional to select equipment that works best on their shared network. For the consultant this means that the design and engineering of network infrastructure must support the additional resource burden required by sharing connectivity, and carefully selecting products that don't create new security risks for either the security or IT professional.

At Securing New Ground, each speaker was asked to conclude his or her presentation with predictions of how the security industry will change. While it is obvious that with each passing day physical security and IT are being forced closer together, the only prediction I can confidently make is that we will soon have another industry buzzword to replace "convergence" in the same way convergence replaced the "integration" buzzword. I can also safely predict that whatever this new buzzword is, there will be a similar period of confusion and disagreement over what the newest buzzword really means.

About the author: Rueben Orr is director of business development for Brivo Systems.