The convergence of logical and physical security is a natural step in the scheme of progressive thinking among foremost technologists. It’s also the direction in which corporations are moving. The reason is simple—convergence is the most efficient and expedient way to perform a variety of tasks related to the security of a company’s physical and logical elements.
In years past, information technology (IT) and physical security co-existed within a company as separate departments with entirely different missions. The former tradition-ally seeks to protect a corporation’s network, individual personal computers (PCs) and the copper/fiber communication infrastructure that carries data from one end of the building to the other. The latter seeks to secure the physical elements of the corporation, such as structures, parking lots and more.
“Today’s corporate security infrastructure is a patchwork. Most organizations main-tain multiple, separate physical and IT security systems with no integration among them. This situation has become a growing liability as security concerns and the need to address privacy and regulatory compliance issues grow. At the same time, it prevents organiza-tions from realizing an array of cost, control and responsiveness benefits,” according to “Physical/IT Security Convergence: What It Means, Why It’s Needed, and How to Get There,” published by the Open Security Exchange (OSE) of Washington, D.C.
In recent years, corporations have sought to join both IT and physical security, placing them under the control of a single department. This has acted to integrate the two functions, allowing for more comprehensive security protection than IT or physical security could have achieved alone.
The first step in gaining insight into the convergence trend is defining what it is. According to Alliance for Enterprising Security Risk Management (AESRM), convergence is “the identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interde-pendencies.”
In even simpler terms, convergence is the common ground where physical security intersects IT. It’s the crosshairs where stand-alone security applications, such as closed-circuit television (CCTV) and access control, connect with Internet protocol (IP)/IT-based products and systems.
A good example of convergence can be seen in a recent effort to integrate a variety of IT and security systems throughout the city of Vancouver, British Colombia. Probably the most notable first step was the convergence of the city’s extensive CCTV system, using 3.5 terabytes of IT’s data storage space.
“Effectively,” said Dave Tyson, chief security officer for the city of Vancouver, “we have brought together our physical and IT se-curity and integrated them into a formal, collaborative, strategic approach.”
The result of convergence in Vancouver is a fully integrated head-end where management is better able to manage organizational resources than at any time in the past. Vancouver’s integrated security approach also saves the city time and money because they are able to consolidate security and IT personnel. This has made for a more lean and capable corporate security organization than would have been possible with IT and security personnel acting apart.
Similarities in IT and physical security
IT departments are typically responsible for network security, which includes access at the desktop. Access control technologies have emerged that are designed to ensure the identity of the person logging onto a single PC. Many of these same access control technologies also are used by physical security practitioners to secure the physical structure in an effort to ensure only authorized individuals enter in the first place.
PC security often is entrusted to card and keyfob readers, fingerprint and iris scanners, hand geometry, voice recognition and others. Some of these same access technologies also are employed at entry points outside and within the facility, as well as in parking lots and out buildings.
There are numerous similarities between IT and physical security missions. The type of access device is only one of them. Another important similarity linking the two is the fact that each one is tasked with identifying and tracking the same users. Because of the simi-larities between IT and physical security, corporations are routinely integrating the two by placing them under the control of a single department head.
“According to a survey of 8,200 IT and security executives in 63 countries conducted in March and April of 2005 by Price-waterhouseCoopers and CIO magazine, 53 percent of organizations have some level of integration between their physical and IT security divisions. That’s up from just 29 percent in 2003,” said Thomas Hoffman, author of “Security Convergence,” published in a recent edition of Computer World magazine.
Access and logical security
The ordinary mechanical lock had its beginnings in ancient Rome, and physical security was born. The art of securing a complex has advanced to the point that we commonly use electronic means to automatically discern one user from another—authorized users from those who are not.
These systems commonly regulate the flow of foot traffic into—and sometimes out of—a modern building. In a convergent environment, our concern for security doesn’t stop at the perimeter door. It extends deep into the facility. Examples include interior doors to computer rooms, telecom closets and desktop computers.
In a fully integrated facility where physical and IT security are handled by a single department or those who work closely to-gether, the same database that decides who enters also can determine who is and who is not permitted to log onto a specific com-puter.
The use of a single database for both functions is one of the benefits that makes this type of integration attractive to corporate ex-ecutives. It also saves money because company personnel have to input users into a single database while allowing it to determine access at the perimeter door, interior door and desktop.
Not only does this save time and physical infrastructure, but it streamlines enrollment and operations. It also lends itself to a more secure environment.
As you can well imagine, nowhere is this as important as when an employee is let go. It is customary practice for human resources (HR) to contact IT to remove access to a terminated employee’s desktop PC, even before that employee is told about the situation.
In this case, when IT rescinds access to the former employee’s PC, the physical access control system follows suit, removing him from the system’s list of valid users. The same holds true if HR nullifies the soon-to-be-let-go employee’s door access control card. Because both functions share the same database, this single action will prevent the employee from accessing his or her desktop PC.
Not only does this save time and physical space, it ensures the employee is unable to gain access to either area.
Alarm system connectivity
In a traditional security system, there are two or more layers of protection. For example, in a typical business environment, an alarm system is made up of switch contacts on all perimeter doors and sometimes windows. This is the structure’s first line of defense.
The second line of defense typically consists of internal sensors that detect the presence of people. Examples include ordinary passive infrared and microwave motion detectors. Glass break sensors also are available and designed to detect the sound of break-ing glass.
Also included in a conventional alarm system are a keypad to control the system, and necessary sounding devices used to notify the user of a problem, such as an inside and/or outside siren speaker.
It also can include the means whereby alarm signals are sent to a central monitoring station where operators call the police or fire department for help on behalf of the owner of the monitored facility.
In an integrated system where convergence is achieved, perimeter and interior sensors as well as card readers and door strikes connect to the same head-end. This usually is accomplished using the facility’s LAN or even a WAN.
In this kind of integrated, convergent environment, as soon as a valid access card is presented to a card reader at the door, the same head-end that unlocks the door will know whether the cardholder is authorized. If not, it will notify the central station that an unauthorized intruder entered the facility without a valid access card.
IP-based video surveillance
Convergence is especially important to many stakeholders in the area of CCTV. This is because in an integrated, convergent setting, video images are retained on the corporate LAN or WAN where management is able to retrieve and view at will from their desktop PC.
Traditionally in an analog video system, installers run RG59/U or RG6/U coaxial cable from a camera to the head-end. Because coaxial cable is actually unbalanced and because it is prone to interference, distance restrictions must be observed. For example, an optimum transmission distance of 800 to 1,000 feet is common when using RG59/U. When using RG6/U, video images can safely be transported for a distance of 1,300 to 1,500 feet.
By contrast, IT technicians use unshielded twisted-pair (UTP) cable, along with network hubs that act as repeaters to boost the sig-nal, thus transmitting video signals anywhere within a facility. And, by adding a WAN or Internet connection, transmission distance is virtually limitless.
Probably the most compelling reason to add CCTV to the mix, when converging logical and physical security into a single operat-ing platform, relates to management’s ability to view both recorded and live video from any terminal on the network. Not only that, but the coordination of events that take place within such a facility with recorded video enables IT/security to connect people with things that occur.
A good example of this is when an access control log indi-
cates an otherwise authorized user tried to gain access to a forbidden door or a valid door at a forbidden time when such a user claims that his or her card was lost or stolen. Without a visual record of who actually tried to access the facility, there would be no way for management to confirm the employee’s allegation.
Having a video record of strategic entry points in a tool crib or computer room within the facility also allows management to view internal theft incidents. A video record makes it easier to get a conviction when IT/security has a video clip with collaborative evidence showing a particular employee entered the protected area prior to the event. EC
COLOMBO is a 32-year veteran in the security and life-safety markets. He is currently director with firenetonline.com and a nationally recognized trade journalist located in East Canton, Ohio.