Picture this scenario: It's Monday morning and you're late for work. You enter your building behind three other employees while fishing around to find your access badge. Luckily, the person in front of you has his card, swipes it to get in and you manage to slip in with them to catch the next elevator up to your suite.
Tailgating happens all too often and with scenarios like these occurring during the morning rush, having an intruder slip in is all too easy. For small to mid-sized companies and businesses, unauthorized physical access in this manner is enough to cause a serious security threat.
While some companies may require a simple user name and password log-in procedure for the network, for the expert computer hacker, all it takes is penetrating the initial physical access barrier like in the scenario above and the rest is simple protocol to them-a game of chance that they will win by simply trying all the variables. For the larger enterprise corporations, the process gets more difficult as both physical and logical access control provide security on the outside and within. Yet while this type of solution may seem like the best bet for an end-user, in many cases, they do not have the knowledge of a converged physical and logical access control solution to know that option is available to them. It is up to the integrators to step in and educate the end-user on the integration of physical and logical access control. The opportunity exists and those integrators that see the benefits of offering their customers converged physical and logical access control solutions are the forward-thinkers who will change the meaning of access control.
Defining the roles
Before an integrator can offer their customer a converged access control solution, it is important to understand the application. Consider the example of a situation in which the protected premises initial physical access control point was penetrated. In most cases, physical access control implies allowing or denying an employee or contractor access into a facility or specific area of a facility. Examples of this can include using some sort of credential, or employee badge, to gain access into a building. Logical access control is more related to software tools which grant access to a secured network or database after one has moved past the physical access point.
"From the logical access point of view, it is becoming one of the biggest threats because of hackers that can access a logical network from anywhere in the world," explained Mohamed Benabdallah, director of Global Business Development and IT Alliances for Tyco Security Products, Boca Raton, Fla. "There is constantly an investigation of what is being done to protect the network, who is accessing the network, what, when, how and where they are accessing it from." Yet Benabdallah confirms that there is much more protection to be done both on the physical and logical access control sides. Where the confusion comes from however, is from the lack of understanding as to who plays what role in the entire installation process, both internally and externally.
"If there is confusion out there, which I believe there is, it's from both the physical security integrators and the IT integrators who have not taken the time to educate themselves on how these systems are defined and the features and benefits associated with converging them," explained Tony Varco, vice president, Security Division, Convergint Technologies, Schaumburg, Ill. "There is no slowing of the access control market. What's been slow to grow is the actual convergence of physical and logical access control."
Change in structure
Varco continued that there are other important factors at work that are slowing down the growth of physical and logical access control.
"Organizationally, the IT and security departments have been separate forever. They themselves are going through a convergence. There is an evolution of integrators blending and moving toward each other and learning each other's worlds and that just takes time. IT integrators are trying to better understand physical security and the applications that go into being a physical security integrator. The physical security integrator is trying to understand the network topologies that go into databases and networks. And there have been some companies that have been quick to adopt and understand the efficiencies and effectiveness of converging the security and IT departments but you also have others that have not adopted this and still maintain organizationally separate structures. The second point is training; IT integrators are still learning how to talk to customers about physical security benefits and features and at the same time, security integrators are still learning the language of IT. The best integrators of the future are going to have some sort of healthy balance between physical and logical security application knowledge and experience."
Casey Guagenti, integration sales director, ASG Security, Turnersville, N.J., agreed that there a number of stakeholders that come into play, a major challenge in providing an integrated physical and logical access control solution. "You have the security department wanting to run their group," Guagenti explained. "You have the IT department that wants to run their group. You have the chief financial officer that wants to save money. You have the chief executive officer who wants to drive the best value proposition for the whole organization. The key component is getting all the 'buy-in' so everyone understands that the purpose is to create more value for the organization. The key really is communication. It's getting to the key decision maker and causing that person to make a decision internally for their own company on how they want to participate."
But the challenges in integrating physical and logical access control don't end there. Budget comes into play as the logical access budgets and the physical access monies are owned by two separate divisions, according to Thomas Tang, sales manager, Solero Systems Inc., Torrance, Calif. "To deploy a converged solution you need to get the physical access manager and the IT control manager to work together to proportion monies for a combined smart card," Tang continued. "If the smart card is used physically to open a door into a building, and then that same card is used again to log onto your network, the question becomes who pays for the chip on the card and who pays for the body of the card? The card body and the chip are not manufactured by the same company. Is it security's budget or is it IT's budget?"
Tang further explained that there are no threats in synchronizing the physical security access control with the logical access control. "It's not compromising the security of one over the other. It's a budget issue."
Although end-users don't always understand the full requirements or capabilities of having a converged physical and logical access control system, the defining challenge continues to be both sides working together to implement an integrated solution for their customer and educating the end-user on what is available. Once they understand how it will add value and streamline processes and procedures, there will be more companies jumping on board and more specifications written-good news for systems integrators who have been listening all along.