A New Day for Business Security

Converging IT and physical security at the impetus of tighter controls, more compliance


"This is a real trend; there is a sense of inevitability about it, but it is slower than everyone thinks," Turner said. "The private sector has some breathing space. But they need to watch the government."

The next two years will be important in bringing together the security disciplines, Turner said. Companies such as networking giant Cisco Systems, along with software makers Microsoft, Novell, Sun and Oracle, will play a key role, he said. They will partner with the likes of HID Global and Honeywell, makers of physical access systems, he said.

"I can hear the elephants dancing, and I know there are a lot of discussions going on," Turner said. "But we were anticipating more partnership announcements between companies this first quarter than we've actually seen."

Katie Moussouris, a hacker for hire at Symantec, often tests the security of businesses, and that doesn't just include IT security. "We're requested by customers to do physical penetration tests," she said. In other words, she's hired to try to enter a building and get past the guards. "Those requests don't come from the physical security folks, they come from the IT department," she said.

With IT folks now involved in physical security, Moussouris expects her job to become tougher. "They will see a lot more places to harden than just the people who are in charge of physical security," she said. For example, weak spots, such as phone closets that have been turned into network hubs, will also be secured, she said.

Ultimately, the executive in charge of information security at an organization could also become responsible for the security guards, who today typically are part of a facilities group that may report to a different executive. That's because IT departments and chief information security officers are used to managing projects, Turner said.

"IT security has already made a progression from the data center glass house to desktops and mobile computing, where things have to be managed in a ubiquitous geographic context," he said. "They are better prepared to reach out and manage additional responsibility."

While technology is an enabler, it is also an obstacle to integration. Traditional security systems--the locks and cameras--are just now going digital.

"Not all physical access products are digitalized in a way that allows them to be integrated and managed through a network," Turner said. "They have to make a transition from an analog technology base to a digital base." Part of that is building secure systems, so they won't be a weak link in a security chain, he said.

Even if physical security systems have moved into the digital realm, they often aren't compatible with tools used to manage users on networks, such as those sold by Oracle.

"Interoperability is a key challenge," White said. Oracle has built connectors that allow its identity and access manager products to work with some physical security systems, but it had to custom-build those, he said. "The standards are ill-defined," he said, adding that nobody in the industry has yet stepped forward to establish any standards.

Also, controlling all aspects of security from a single system could create a single point of failure. If that one system goes down or is breached, the result could be a serious problem or compromise. The easy answer to that concern is strong security and redundant systems, said Eric Maiwald, a Burton Group analyst.

"That concern may be more of a red herring than anything else," he said. "You're not going to leave that system somewhere it can be broken into." Also, there should be tight controls on who can grant access and clearances to people, he said. "You're not just talking about outsiders; you're also talking about insiders."