Convergence comes alive

The industry is abuzz with new ways to integrate physical and logical access control
Wednesday, November 1, 2006

Perhaps no word is more overused in the current security marketplace than "convergence." It means many things to many people, but, on a very basic level, it means the coming together of the physical and the logical, thanks to an IP network. How that's accomplished is another discussion.
When you talk about networking physical and logical access, for instance, there are two basic schools of thought. On one hand are the manufacturers and products that simply allow one network to talk to another. You have one network that supports the readers and doors and who's allowed in, and you have another network that controls everyone's email and access to the company servers. They exist in separate spheres and are given a middle ground on which they can converse. When someone swipes into a door, the physical network tells the logical network it's OK to allow him onto his desktop computer.
In this way, physical security and IT maintain control over their respective fiefdoms, yet obtain benefits from a new level of collaboration.
On the other hand are the manufacturers and products that create one network to control both systems; in effect, making them one system. The same set of privileges and passwords that allow access to the front door also allow access to the desktop. When a person's privileges are revoked, there's no chance her card still works because there is only one set of privileges to delete.
In this scenario, the IT director (or the chief information officer, or whatever title might be bestowed) controls all access, with no distinction between physical access and logical access.
Peter Boriskin, director of product management for access control at Tyco Fire & Security, is plenty familiar with both approaches. For scenario one, his C-Cure 8000 physical access control system from Software House has been on the market for some time and was the first to partner with Imprivata, a logical authentication house that has created a network appliance that allows for "location-based" authentication.
The C-Cure 8000 "retains the geographic information," said Boriskin, "and based on that, the logical system can validate or invalidate in-bound connections. When you log on, the network authentication piece validates that you are, in fact, in your office. Conversely, if you're in your office and somebody's trying to VPN in to your computer, it's probably not you. Physical information validates the logical, and vice versa."
"The way we see it," said Gregg Laroche, director of product management at Imprivata, "we had to tread lightly in our design for this technology. We know that historically the physical and IT staffs are different. Even though we do see those converging, and we see control shifting over to the IT side, we had to be careful that as we were providing this converged policy ... we did that without actually changing the way the network and facility is managed."
"They're two separate silos managed by two types of people," emphasized Imprivata chief executive officer Omar Hussain, "and trying to force them to merge is never a good political solution. We don't require you to change any of the existing infrastructure." Imprivata's solution also works with systems created by S2 (See "S2 works with EasyLobby, Imprivata," on page 50) and Lenel, and is working to incorporate other physical access systems.
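The cross-validation Boriskin describes (physical information validates the logical, and vice versa), as an added example that is not code from Software House, Imprivata, or this article. It correlates constructed badge-reader events with constructed network authentication events; the log formats, user names, and rule names are assumptions. A VPN login while the user is badged into the building is flagged, as is a local workstation login for someone with no badge-in on record.

```python
from datetime import datetime

# Constructed sample events (assumed format: timestamp user event location/source).
BADGE_EVENTS = """2006-11-01T08:02:10 alice BADGE_IN HQ-LOBBY
2006-11-01T08:05:33 bob BADGE_IN HQ-LOBBY
2006-11-01T12:01:00 bob BADGE_OUT HQ-LOBBY"""

AUTH_EVENTS = """2006-11-01T08:04:00 alice LOCAL WS-ALICE
2006-11-01T08:30:00 alice VPN 203.0.113.7
2006-11-01T09:00:00 carol LOCAL WS-CAROL
2006-11-01T12:30:00 bob VPN 198.51.100.9"""


def parse(text):
    """Split one event per line into (timestamp, user, kind, where) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, kind, where = line.split()
        rows.append((datetime.fromisoformat(ts), user, kind, where))
    return rows


def badged_in(badge_rows, user, at):
    """True if the user's most recent badge event at or before `at` is a BADGE_IN."""
    present = False
    for ts, u, kind, _ in sorted(badge_rows):
        if u == user and ts <= at:
            present = (kind == "BADGE_IN")
    return present


def cross_validate(badge_rows, auth_rows):
    """Return (timestamp, user, rule, where) for logins inconsistent with presence.

    vpn_while_on_site: remote login although the badge system says the user is inside.
    local_login_without_badge: console login although the user never badged in.
    """
    findings = []
    for ts, user, kind, where in auth_rows:
        present = badged_in(badge_rows, user, ts)
        if kind == "VPN" and present:
            findings.append((ts, user, "vpn_while_on_site", where))
        elif kind == "LOCAL" and not present:
            findings.append((ts, user, "local_login_without_badge", where))
    return findings


if __name__ == "__main__":
    for finding in cross_validate(parse(BADGE_EVENTS), parse(AUTH_EVENTS)):
        print(finding)
```

Bob's 12:30 VPN login is not flagged because his BADGE_OUT at 12:01 clears his presence, which is the "vice versa" half of the rule.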
CryptoLex, a three-year-old company with roots in network security, has taken a similar approach with its Mobio solution, a biometric device supported by software that "allows users to bypass the usability hassles and integration inconveniences that are found in traditional authentication schemes," said the company's founder and chief executive officer, Clovis Najm. "It's about converging," he said. "There's an intelligent panel that's rooted into the architecture of physical security," and the Mobio device uses Zigbee to communicate between a central server authenticating network users and the panels, relying on a revolving code based on a fingerprint.
The central idea in this case is to eliminate the large number of access devices that might be needed by employees in a large enterprise. "It's customer driven," Najm said. "They've just got too many access devices and that's what it comes down to: They're tired of managing so many devices and passwords. What we rely heavily on is our software server architecture. We use cryptography to do that. You need to have the software and the applications talking to each other to reduce the amount of access devices they have."
Still, wondered Dan Glisky, chief executive officer of IT-friendly physical integrator Compsat, "How do we start to marry these databases together, to start to generate data in new ways that can bring business value? Those are the things that nobody has the right answer to today."
Hold tight, Dan. Three announcements at the recent ASIS International show in San Diego address this very question. First, there is the ASSA ABLOY/Cisco collaboration (See story on page 1), which will bring ASSA ABLOY's Hi-O products to the marketplace by early 2007, and fully converge "smart doors" with the IT network.
With Cisco Access Control Manager, said Mark Farino, general manager of Cisco's Converged Secure Infrastructure Business Unit, "when a person comes up to the door, and presents a badge to the reader, those credentials will now be authenticated on the same AAA server as the one that authenticates people logging on to the network. We eliminate the transmission side, with a single server for all authentication. It's a higher level of security because we can now go into that server and go in and link access to the network based on where they are permitted to reside in the facility."
The central difference, he said, is that "what we've seen in the past are devices with an Ethernet interface, but it was still communicating with a dedicated access control system that is separate and distinct from the IT network. This is not just an Ethernet connection at the reader, but a single environment, and from that convergence we'll be able to create a whole new set of policies."
Similarly, Boriskin's Software House announced at ASIS the C-Cure 9000, a completely updated software package that allows for "a completely new set of possibilities," he said. It's based on SPML, a web-based protocol like HTML, said Boriskin, "but is for the provisioning of privileges, what services should this person be allowed to have?" Now, the servers can be separate or the same, but either way one set of protocols is organizing all privileges on both the IT and physical side. The open architecture approach operates like an SDK, a software patch, "so we have the capability to tie into all of these systems," Boriskin said. It's an approach developed through Tyco's participation in the Open Security Exchange, which focuses on eliminating proprietary approaches to solutions.
"It's a move toward rules-based access control," he said. "We're trying to break down the distinction between physical and IT access control because it's an artificial one."
Sig-Tec is another authentication house that made its entry into the physical space at ASIS. Like Cisco, "we've taken a different approach," said chief technology officer Robert Hoghaug. "We have a single database. You don't have to keep a physical and logical database in sync ... We treat the physical as another device, as opposed to another environment." He credited engineering director Don Croft for simply extending the logical access product to include physical devices.
The company's initial offering works with HID's VertX products and iClass cards, along with GE's Casi-Rusco products, but other physical devices will be incorporated soon, Hoghaug said. Essentially, the Sig-Tec software takes the traditional Microsoft interface and makes it so that when you create a user account for the network, the IT director "can go in and assign access to the doors, based on groups, policies, right down to the user," just as the IT director can for folders on the server or individual computers.
All three of the above solutions are likely to transfer at least some physical access control responsibilities and powers to the IT director, but, noted Hoghaug, "if you entrust an IT guy to give you access to your sensitive data and information, why should he not have the power to allow access to the physical facility?"
That's a question, thanks to recent advances, that companies will answer frequently in the coming year. How physical security integrators help manage that conversation, and become integral to that conversation, will affect success in the converging access control marketplace.